Re: Protecting the encryption key from the DBA
Pratap wrote:
> Oracle database 8.1.7, 9i
>
> We have to use dbms_obfuscation_toolkit to keep encrypted data in the
> database. The key is stored outside the database.
>
> How can we protect the encryption key from the DBA? We will be using
> Oracle Advanced Security to protect the key over the network.
>
> But I guess any DBA can trace a session with a specific event and dump
> the bind variable data to the trace file. So DBA can find the key very
> easily by tracing sessions executing the dbms_obfuscation_toolkit
> package and the bind variables that are passed to it.
>
> Regards,
> Pratap
Let's assume the key is 123.
And let's assume you have a table into which you insert 10000 rows of strings in the form '012345678901234567890...' and the next row '12345678901...' and the next row '23456789012345678901234...'.
And let's further assume that you choose to concatenate the 12th digit of row 1 and the 2nd digit of row 2 and the 22nd digit of row 3. And you perform the concatenation in a stored procedure that has been wrapped.
I'd have little worry about any DBA figuring it out unless supplied with a Cray.
-- Daniel A. Morgan http://www.psoug.org damorgan_at_x.washington.edu (replace x with u to respond)
Received on Mon Jul 18 2005 - 12:34:12 CDT
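
The scheme described in the reply above, sketched in PL/SQL as an added example that is not part of the original post. The table `key_material`, its columns, the function `derive_key` and the file names are assumptions; the row layout and the three picked positions are the ones given in the reply, which select '1', '2' and '3'.

```sql
-- Added example. key_material, derive_key and the column names are hypothetical.
CREATE TABLE key_material (
  row_no NUMBER PRIMARY KEY,
  digits VARCHAR2(100) NOT NULL
);

-- Row n is the repeating digit sequence starting at MOD(n - 1, 10):
-- row 1 = '0123...', row 2 = '1234...', row 3 = '2345...'.
DECLARE
  v_digits VARCHAR2(100);
BEGIN
  FOR n IN 1 .. 10000 LOOP
    v_digits := NULL;
    FOR p IN 1 .. 100 LOOP
      v_digits := v_digits || TO_CHAR(MOD(n + p - 2, 10));
    END LOOP;
    INSERT INTO key_material (row_no, digits) VALUES (n, v_digits);
  END LOOP;
  COMMIT;
END;
/

-- Save the function below in its own file (placeholder name) and wrap it before loading:
--   wrap iname=derive_key.sql oname=derive_key.plb
CREATE OR REPLACE FUNCTION derive_key RETURN VARCHAR2 IS
  -- One character from one row; fails loudly if the table was altered.
  FUNCTION pick(p_row IN NUMBER, p_pos IN NUMBER) RETURN VARCHAR2 IS
    v_ch VARCHAR2(1);
  BEGIN
    SELECT SUBSTR(digits, p_pos, 1) INTO v_ch
      FROM key_material WHERE row_no = p_row;
    IF v_ch IS NULL THEN
      RAISE_APPLICATION_ERROR(-20001, 'key material too short');
    END IF;
    RETURN v_ch;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RAISE_APPLICATION_ERROR(-20002, 'key material row missing');
  END pick;
BEGIN
  -- 12th digit of row 1, 2nd digit of row 2, 22nd digit of row 3.
  RETURN pick(1, 12) || pick(2, 2) || pick(3, 22);
END derive_key;
/
```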