Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Key management for DBMS_OBFUSCATION_TOOLKIT

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Tue, 3 Jun 2003 11:55:28 +0100
Message-ID: <51oWeVBg6H3+EwN$@peterfinnigan.demon.co.uk>


Hi Maser

DBMS_OBFUSCATION_TOOLKIT doesn't manage the keys for you. I assume you mean key hiding? This is one of the more difficult problems in using encryption packages of any type. It is up to you to pass in the key to the package call and ensure that the key cannot be stolen.

The package offers MD5 checksumming and DES and triple DES for encryption. 56, 112 and 168 bit keys are supported. In 9i a function called getkey can be used to generate secure random numbers for use in keys; it uses the FIPS-140 certified random number generator. But again it is not automatically called and you have to call it and use it yourself. Do not use the older DBMS_RANDOM to generate keys, as this function generates pseudo-random numbers.

Another option is to use a "free" C encryption library and create your own API and call it from extproc or call it on the client before sending the data to the server.

There are a number of options for hiding keys: they could be managed by the user, i.e. passed in, or stored on the server OS and accessed via extproc or utl_file, or stored within the client or application. In any case where the key is passed from the client it needs to be encrypted.

Take a look at Aaron's paper at http://www.appsecinc.com/presentations/Encryption_of_Data_at_Rest.pdf which discusses key hiding.

Hope this helps

Kind regards

Pete

-- 
Pete Finnigan
email: pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security information and services
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Tue Jun 03 2003 - 05:55:28 CDT
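
The two points in the post above (generate the key with the toolkit's getkey rather than DBMS_RANDOM, and keep the key out of the database by passing it in at call time) as an added PL/SQL example; this is not code from the post. The function name encrypt_with_caller_key and the seed bytes are assumptions made for the example; the seed must be at least 80 bytes, and DES input must be a multiple of 8 bytes, which is why the function pads with zero bytes (the caller must then record the original length to strip them on decrypt).

```plsql
-- Step 1: generate a two-key triple-DES key (16 bytes) with the toolkit's
-- FIPS-140 generator. The seed below is constructed for the example only;
-- real seeds should come from an unpredictable source. The key is returned
-- to the caller and is never written to a table next to the data it protects.
DECLARE
  l_seed RAW(128) := UTL_RAW.CAST_TO_RAW(RPAD('constructed-seed-', 80, 'x'));
  l_key  RAW(24);  -- 16 bytes in TwoKeyMode, 24 in ThreeKeyMode
BEGIN
  l_key := DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(
             DBMS_OBFUSCATION_TOOLKIT.TwoKeyMode, l_seed);
  -- hand l_key to the key holder (application, OS file read via extproc/utl_file);
  -- do not DBMS_OUTPUT or INSERT it.
  NULL;
END;
/

-- Step 2: encryption routine that takes the key from the caller on every call,
-- so the key never has to live inside the database (hypothetical name).
CREATE OR REPLACE FUNCTION encrypt_with_caller_key(
  p_plain IN VARCHAR2,
  p_key   IN RAW)      -- 16-byte key obtained as in step 1
RETURN RAW IS
  l_in  RAW(2000) := UTL_RAW.CAST_TO_RAW(p_plain);
  l_pad PLS_INTEGER := MOD(8 - MOD(UTL_RAW.LENGTH(l_in), 8), 8);
BEGIN
  -- DES3Encrypt rejects input that is not a multiple of 8 bytes (ORA-28232),
  -- so pad with zero bytes; the caller keeps the original length.
  IF l_pad > 0 THEN
    l_in := UTL_RAW.CONCAT(l_in, UTL_RAW.COPIES(HEXTORAW('00'), l_pad));
  END IF;
  RETURN DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
           l_in, p_key, DBMS_OBFUSCATION_TOOLKIT.TwoKeyMode);
END;
/
```

Because the key arrives as a parameter, it can show up in SQL trace files and shared-pool text if passed as a literal; bind it from the client and, as the post says, encrypt it on the wire.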
