Home -> Community -> Usenet -> c.d.o.misc -> Re: Oracle 10g security. Using certificates?

Re: Oracle 10g security. Using certificates?

From: Vladimir M. Zakharychev <vladimir.zakharychev_at_gmail.com>
Date: 29 Jun 2006 09:17:03 -0700
Message-ID: <1151597823.542647.235150@d56g2000cwd.googlegroups.com>


nkunkov_at_escholar.com wrote:
> Vladimir M. Zakharychev wrote:
> > nkunkov_at_escholar.com wrote:
> > > Vladimir M. Zakharychev wrote:
> > > > nkunkov_at_escholar.com wrote:
> > > > > Hello,
> > > > > I have an assignment that I don't know where to begin. Hope you can
> > > > > give me some direction.
> > > > > I'm running Oracle 10g. I'm using DBMS_CRYPTO.ENCRYPT to do some
> > > > > encryption in my own function. My encryption key is stored (hardcoded)
> > > > > within my function. My client doesn't like it for obvious reasons and
> > > > > asked me if this key could be stored in a "certificate database"
> > > > > whatever this term means. I think I need to have a security certificate
> > > > > which will give me access to my key. I don't know if Oracle has this
> > > > > kind of capability and I'm not sure where to look to learn about it.
> > > > > If you can give me some help here I'd greatly appreciate it.
> > > > > Thank you.
> > > > > NK
> > > >
> > > > If you run 10g Release 2 (10.2,) you will find that it supports
> > > > transparent data encryption and stores the key out of line
> > > > in a wallet. So search the docs for TDA and google this
> > > > group for some discussions about it.
> > > >
> > > > Other than that, I don't think that Oracle has any PKI API
> > > > exposed to PL/SQL developers for immediate use. You can
> > > > try Java for this. You can also store your keys outside the
> > > > database and read them using BFILEs or UTL_FILE,
> > > > and optionally encrypt that storage with some fixed, but
> > > > not explicitly hard-coded key (for example, one derived from
> > > > some immutable constants.)
> > > >
> > > > Brian Peasland also has a couple of white papers on
> > > > key security in Oracle at http://www.peasland.net, which
> > > > you may find helpful.
> > > >
> > > > Hth,
> > > > Vladimir M. Zakharychev
> > > > N-Networks, makers of Dynamic PSP(tm)
> > > > http://www.dynamicpsp.com
> > >
> > >
> > > Vladimir,
> > > Thank you very much. This was actually very helpful.
> > > Appreciate it.
> > > NK
> >
> > Just re-read my post and figured I used a wrong acronym
> > for transparent data encryption. TDE is the right one. :)
> > Sorry for possible confusion.
> >
> > Regards,
> > Vladimir M. Zakharychev
> > N-Networks, makers of Dynamic PSP(tm)
> > http://www.dynamicpsp.com

> Vladimir,
> Thanks again. No you didn't confuse me, I figured out the acronym :)
> I wanted to ask you a few things though.
> 1. For TDE, I assume that I won't be able to use the DBMS_CRYPTO
> package anymore? Is that right? Also, I'm looking not to encrypt the
> fields of the table itself, but encrypt the contents of the
> materialized views without doing anything with the actual tables. Will
> TDE work for me or do I need to use something else?
> 2. Do you think code obfuscation could be of help? Should I
> have an obfuscated function that will return the key? But then the
> function output will still be readable, right? (I never used
> obfuscation before, that's why the questions are basic...)
> 3. If I wanted to store the key in a file, what should I use to
> encrypt it? Same DBMS_CRYPTO? And when you are saying derive the key
> from an immutable constant, that constant should also be stored
> somewhere or known by the users, right? I'm giving this to the third
> party, it's not an in house product...
> Thanks for your help.
> I greatly appreciate your answers.
> NK
  1. Correct, DBMS_CRYPTO doesn't have anything to do with TDE. As for MV column encryption, you can create MVs using prebuilt tables, which you can create with TDE. However, I see little point in encrypting the snapshots but not encrypting their base tables. If it's done to secure the replication channel then there's Advanced Security Option or good old SSH tunneling that can take care of that. If it's something else, I'd like to hear it. :)
  2. Code obfuscation using the wrap utility will definitely help, as it is said to be irreversible (which doesn't sound true to me, by the way, but at least no publicly available tools can deobfuscate wrapped PL/SQL code.) If an attacker has a hard time seeing and analyzing the source code, she will undoubtedly have complications figuring out how the key is generated, and without the key she can't get to the data.
  3. Yes, you can use DBMS_CRYPTO, or you can write some Java code to do it. The constant should not be known to the users, quite the contrary: it should always be available, and it should be immutable, but it should not be obvious that it is being used for encryption key generation. You could use something like the database name (which usually doesn't change for the life of the database,) the database time zone (which should be set once and for all, too,) some universal constant like exponent or Pi expressed as a string and hashed with sha-1 or md5, etc. It's pretty much the same as a hard-coded key, but it's not as easily interceptable or guessable by an attacker. Also, there shouldn't be any way for the users to query for the key; its usage should be encapsulated into a package and all encoding and decoding should be performed in that package only.

Regards,

    Vladimir M. Zakharychev
    N-Networks, makers of Dynamic PSP(tm)
    http://www.dynamicpsp.com

Received on Thu Jun 29 2006 - 11:17:03 CDT
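The encapsulation described in point 3, as an added example that is not code from the thread: the key is derived inside the package body from the database name and time zone hashed with SHA-1, and only the encrypt and decrypt entry points are public. The package and function names are hypothetical, and the owning schema is assumed to have EXECUTE on DBMS_CRYPTO.

```sql
-- Added example; key_guard_demo, encrypt_text and decrypt_text are hypothetical names.
CREATE OR REPLACE PACKAGE key_guard_demo AS
  -- The spec exposes encode/decode only; nothing here returns the key.
  FUNCTION encrypt_text(p_plain IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_text(p_cipher IN RAW) RETURN VARCHAR2;
END key_guard_demo;
/

CREATE OR REPLACE PACKAGE BODY key_guard_demo AS
  c_typ CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES128
                              + DBMS_CRYPTO.CHAIN_CBC
                              + DBMS_CRYPTO.PAD_PKCS5;

  -- Private: not declared in the spec, so it cannot be called or queried
  -- from outside the package.
  FUNCTION derive_key RETURN RAW IS
    l_seed VARCHAR2(200);
  BEGIN
    -- Seed built from values that do not change for the life of the database.
    l_seed := SYS_CONTEXT('USERENV', 'DB_NAME') || DBTIMEZONE;
    -- SHA-1 yields 20 bytes; AES-128 takes the first 16.
    RETURN UTL_RAW.SUBSTR(
             DBMS_CRYPTO.HASH(UTL_I18N.STRING_TO_RAW(l_seed, 'AL32UTF8'),
                              DBMS_CRYPTO.HASH_SH1), 1, 16);
  END derive_key;

  FUNCTION encrypt_text(p_plain IN VARCHAR2) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per call
  BEGIN
    -- Output layout: 16-byte IV followed by the ciphertext.
    RETURN UTL_RAW.CONCAT(l_iv,
             DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'),
                                 c_typ, derive_key, l_iv));
  END encrypt_text;

  FUNCTION decrypt_text(p_cipher IN RAW) RETURN VARCHAR2 IS
  BEGIN
    -- Split the stored value back into IV (bytes 1-16) and ciphertext.
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(UTL_RAW.SUBSTR(p_cipher, 17),
                                 c_typ, derive_key,
                                 UTL_RAW.SUBSTR(p_cipher, 1, 16)),
             'AL32UTF8');
  END decrypt_text;
END key_guard_demo;
/
```

Users are granted EXECUTE on the package only; the body is what would go through the wrap utility mentioned in point 2, since it is the body that reveals how the seed is composed.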
