
Re: Protecting the encryption key from the DBA

From: <teraknowledgesystems_at_yahoo.com>
Date: 18 Jul 2005 22:37:50 -0700
Message-ID: <1121751470.658656.319060@f14g2000cwb.googlegroups.com>


Obviously you have less brains than balls. You can break Oracle Advanced Security in less than two minutes!

Check this out: http://lasecwww.epfl.ch/memo_des.shtml

DA Morgan wrote:
> Pratap wrote:
> > Oracle database 8.1.7, 9i
> >
> > We have to use dbms_obfuscation_toolkit to keep encrypted data in the
> > database. The key is stored outside the database.
> >
> > How can we protect the encryption key from the DBA? We will be using
> > Oracle Advanced Security to protect the key over the network.
> >
> > But I guess any DBA can trace a session with a specific event and dump
> > the bind variable data to the trace file. So DBA can find the key very
> > easily by tracing sessions executing the dbms_obfuscation_toolkit
> > package and the bind variables that are passed to it.
> >
> > Regards,
> > Pratap
>
> Let's assume the key is 123
>
> And let's assume you have a table into which you insert 10000 rows of
> strings in the form '012345678901234567890...' and the next row
> '12345678901...' and the next row '23456789012345678901234...'.
>
> And let's further assume that you choose to concatenate the 12th digit
> of row 1 and the 2nd digit of row 2 and the 22nd digit of row 3. And
> you perform the concatenation in a stored procedure that has been
> wrapped.
>
> I'd have little worry about any DBA figuring it out unless supplied
> with a Cray.
> --
> Daniel A. Morgan
> http://www.psoug.org
> damorgan_at_x.washington.edu
> (replace x with u to respond)
Received on Tue Jul 19 2005 - 00:37:50 CDT
