
Re: Key management for DBMS_OBFUSCATION_TOOLKIT

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Wed, 4 Jun 2003 21:18:50 +0100
Message-ID: <J3q6+9AqQl3+EwrK@peterfinnigan.demon.co.uk>


Hi Maser

Yes, you are right, the package is just an API; you have to manage everything yourself. As I understand it, the function GetKey is supposed to be there to generate secure random numbers, as the existing dbms_random package doesn't.

Perhaps if Rick Wessman is reading this he could elaborate, as I know his name appears in the package source code. Are you there, Rick?

kind regards

Pete

In article <f743c4ca.0306040010.2b8010a_at_posting.google.com>, MAser <lhunyi_at_yahoo.com.sg> writes
>Pete Finnigan <pete_at_petefinnigan.com> wrote in message news:<51oWeVBg6H3+EwN$@peterfinnigan.demon.co.uk>...
>> Hi Maser
>>
>> DBMS_OBFUSCATION_TOOLKIT doesn't manage the keys for you. I assume you
>> mean key hiding? This is one of the more difficult problems in using
>> encryption packages of any type. It is up to you to pass in the key to
>> the package call and ensure that the key cannot be stolen.
>>
>> The package offers MD5 check summing and DES and triple DES for
>> encryption. 56, 112 and 168 bit keys are supported. In 9i a function
>> called getkey can be used to generate secure random numbers for use in
>> keys, it uses the FIPS-140 certified random number generator. But
>> again it is not automatically called and you have to call it and use it
>> yourself. Do not use the older DBMS_RANDOM to generate keys as this
>> function generates pseudo random numbers.
>>
>> Another option is to use a "free" C encryption library and create your
>> own API and call it from extproc or call it on the client before sending
>> the data to the server.
>>
>> There are a number of options for hiding keys, they could be managed by
>> the user, i.e. passed in, or stored on the server OS and accessed via
>> extproc or utl_file or stored within the client or application. In any
>> case where the key is passed from the client it needs to be encrypted.
>>
>> take a look at Aaron's paper at
>> http://www.appsecinc.com/presentations/Encryption_of_Data_at_Rest.pdf
>> which discusses key hiding.
>>
>> hope this helps
>>
>> kind regards
>>
>> Pete
>
>Hello Pete,
>
>I thought the DBMS_OBFUSCATION_TOOLKIT does not generate keys, it
>is stated in the papers. I wonder why in Oracle 9i it has this getkey
>function. It is just supposed to encrypt data, right? The rest of it,
>like key management (hiding keys and storing keys), is done by the
>PL/SQL or API (I think).
>
>Thank you

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security information and services
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Wed Jun 04 2003 - 15:18:50 CDT
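
The generate-then-pass-in pattern discussed in this thread (the caller obtains a key from the toolkit's key generator and supplies it on every call), as an added PL/SQL example that is not part of the original messages. It assumes the Oracle 9i `DES3GETKEY`, `DES3ENCRYPT` and `DES3DECRYPT` RAW procedures; the seed, the sample value and the `encrypt_value` helper are constructed for illustration.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- Constructed 80-byte seed, for illustration only. DES3GETKEY requires at
  -- least 80 bytes; treat a real seed as secret input and never hard-code it.
  l_seed  RAW(80) := UTL_RAW.CAST_TO_RAW(RPAD('constructed-sample-seed', 80, '#'));
  l_key   RAW(24);              -- three-key 3DES key: 24 bytes including parity
  l_text  VARCHAR2(64) := 'constructed value 01';   -- constructed sample data
  l_enc   RAW(128);
  l_dec   RAW(128);

  -- Hypothetical helper: the key arrives as a parameter. The toolkit does not
  -- store or look up keys, so where the key lives is the caller's decision.
  PROCEDURE encrypt_value(p_text IN VARCHAR2, p_key IN RAW, p_out OUT RAW) IS
    -- DES3 input must be a multiple of 8 bytes, so space-pad the value.
    l_padded VARCHAR2(64) := RPAD(p_text, CEIL(LENGTH(p_text) / 8) * 8);
  BEGIN
    DBMS_OBFUSCATION_TOOLKIT.DES3ENCRYPT(
      input          => UTL_RAW.CAST_TO_RAW(l_padded),
      key            => p_key,
      encrypted_data => p_out,
      which          => 1);     -- 1 = three-key mode
  END;
BEGIN
  -- Key comes from the toolkit's generator, not from DBMS_RANDOM.
  DBMS_OBFUSCATION_TOOLKIT.DES3GETKEY(which => 1, seed => l_seed, key => l_key);

  encrypt_value(l_text, l_key, l_enc);

  DBMS_OBFUSCATION_TOOLKIT.DES3DECRYPT(
    input => l_enc, key => l_key, decrypted_data => l_dec, which => 1);

  -- The key itself is deliberately never printed or logged.
  DBMS_OUTPUT.PUT_LINE('ciphertext: ' || RAWTOHEX(l_enc));
  DBMS_OUTPUT.PUT_LINE('roundtrip : ' || RTRIM(UTL_RAW.CAST_TO_VARCHAR2(l_dec)));
END;
/
```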
