Re: Encryption in Oracle Database - Help!!

A further area of concern with encrypted data in the database would be ensuring that your constraints, foreign keys, indexes,etc. all are capable of using the encrypted form of the data....that will probably mean using a fixed encryption/decription algorithms for each bit of data to be stored and that, in itself, can present security issues since, once discovered, all is revealed...

If the algorithm changes then updating any data that is part of the above structures will result in failure ....

Just an idea...  

Pete Sharman <psharman_at_us.oracle.com> wrote:

>Angana
>
>You can encrypt the data in the database, but you need to provide the encryption and
>decryption routines. What you need to do is write a PL/SQL function that you can call
>on insert (then you can do an insert .... encrypt(column1), column2 etc.) and when
>you do the select to retrieve it you can do a select decrypt(column1), column2 etc.
>You will also need to use the encryption and decryption on any other operation that
>fetches or changes data.
>
>Of course, the encryption and decryption routines add overhead to the insert and
>select statements so there is a performance hit. How much of a performance hit it
>will be is dependent on the work performed by the encryption / decryption routines.
>HTH.
>
>Pete
>
>Angana Ghosh wrote:
>
>> Thanks Rick for your input. Our company policy dictates that highly confidential
>> information ( red data) should be stored encrypted. The particular application in
>> my mind
>> is a web enabled application using Oracle database at the backend. The information
>> is
>> executive information and is encrypted during transmission by SSL. Would database
>> priviledges be the only solution or is there any way to encrypt data in the Oracle
>> 8 servers?
>>
>> Also, I would be interested to know about the performance issues related with
>> encryption. I understand that the performance will decrease drastically when
>> encryption
>> will be used, but does Oracle advise not to encrypt data when stored?
>>
>> Thanks for your time,
>> Angana
>>
>> Rick Wessman wrote:
>>
>> > Trusted Oracle does not support encryption of the data in the database. Also,
>> > it only runs on operating systems that are rated B1.
>> >
>> > However, I totally agree with Alexander's comments about the complexity of key
>> > distribution. This is not an easy problem.
>> >
>> > Since I don't know what problem, you are trying to solve, I can't present any
>> > alternatives. However, if you are trying to prevent ordinary users from seeing
>> > data, then I suggest that you use database privileges to limit what they can
>> > see.
>> >
>> > Rick
>> > Rick Wessman
>> > Security and Directory Technologies
>> > Server Technologies
>> > Oracle Corporation
>> > rwessman_at_us.oracle.com
>> >
>> > Angana Ghosh <ghosh_angana_at_cat.com> writes:
>> >
>> > > Hello,
>> > >
>> > > Thanks for your input. What will be the offerings in Oracle 8 Trusted?
>> > >
>> > > Thanks,
>> > > Angana
>> > >
>> > > Alexander Romanov wrote:
>> > >
>> > > > Hi
>> > > >
>> > > > For accommodation of the ciphered information in DB it is possible to use
>> > > > BLOB -
>> > > > datatype.For encryption it is possible to use anyone symmetric cryptosystem
>> > > > (for example DES).
>> > > > But to cipher and to place the information in DB Oracle there is not enough
>> > > > for the decision
>> > > > of your problem - it is necessary to decide questions of distribution of
>> > > > keys of encryption, protection of the network traffic etc. - that is to
>> > > > create complex system of security.
>> > > >
>> > > > All these problems are solved in Oracle 8 Trusted
>> > > >
>> > > > Best regards
>> > > > ---
>> > > > Romanov Alexander
>> > > > Alex_Romanov_at_mail.ru
>> > > > ICQ 6220754
>> > >
Received on Fri Jul 09 1999 - 15:13:09 CDT