Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Protecting the encryption key from the DBA

From: Frank van Bortel <frank.van.bortel_at_gmail.com>
Date: Thu, 21 Jul 2005 20:46:19 +0200
Message-ID: <dboq62$gj9$1@news3.zwoll1.ov.home.nl>


Maxim Demenko wrote:
> Frank van Bortel wrote:
>
>> You only failed to show the correct blocks: in your encrypted
>> part, you show the blocks from CC14BC0 onward, while the
>> unencrypted part starts at CC14BB0.
>
> I'm not aware of a possibility to dump single bytes from a data block (in
> terms of Oracle tools ;-), so I dumped *one* block. It was the *same*
> block in both the encrypted and the unencrypted case. You can easily see it,
> as I posted the full content of the data block that contained one row in my
> test table.
>
>
> Encrypted:
> Dump of memory from 0x0CC12C00 to 0x0CC14C00
>
> Decrypted:
> Dump of memory from 0x0CC12C00 to 0x0CC14C00
>
> Do you see any difference?
> The offsets CC14BB0 till CC14BBF contain part of my unencrypted value
> ('Maxi').

Yes - and the 'm' on the next line.

> In the encrypted part those offsets are not shown explicitly
> because they are zeroed.
>
> CC12C80 00000000 00000000 00000000 00000000 [................]
> Repeat 499 times
> CC14BC0 02012C00 3402C102 EDE7161B 5DA564F3 [.,.....4.....d.]]
>
> 0xCC12C80 + (499 * 16) = 0xCC14BB0,
> that means the line starting with offset 0xCC14BB0 is the same as the line
> starting with offset 0xCC12C80.
>
> Can you now point me to where I failed to show the correct blocks?
> On another side, I am wondering why you got a match (I could assume
> an accident if it were such a short and very common string as mine, but
> you had relatively long sentences in your example...). I'll try to reproduce
> your situation. Maybe in your case however the blocks were not yet
> written to file - you did not provide many details of your tests.
> Nevertheless, I think that having a look at the block dump is more
> precise than grepping a whole datafile.

The first has a .. repeat 499 times, the second repeat 498. So I did not see any data - and expected to see data (be it encrypted - it would still be there, and not nulled).
>
> Additionally, I would like to know one thing more ;-)
> Could you access the encrypted table after the wallet was closed, or have I
> misunderstood it? I got an ORA-28365 in that case... I mean the table
> can be accessed if encrypted columns are excluded from the select list, but
> not for select *
>
> Best regards
>
> Maxim
>

Yes - whatever I tried, I still got access to the data. But I have an auto-login wallet. Still have to set things up without an auto login wallet. Until then... see vanbortel.blogspot.com for what I did.

I would expect 28365 (The security module wallet has not been opened.), but never got it. Would have loved it, actually, as I would see that as an indication of TDE working.

Right now, I've been busy with HTMLDB and FOP in an Apache standalone environment, not much time for TDE; maybe the weekend.

-- 
Regards,
Frank van Bortel
Received on Thu Jul 21 2005 - 13:46:19 CDT
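The disagreement above comes down to dump arithmetic: a "Repeat N times" line stands for N more 16-byte rows, so the last repeated row sits at base + N*16, and only after expanding the repeats can two dumps of the same block be compared row by row. The following is an added Python example, not code from either poster, that expands such a dump, reports which rows differ between an encrypted and a decrypted dump, and locates a plaintext value even when it spans a row boundary (the 'Maxi' / 'm' case). The two dumps are constructed samples imitating the quoted trace format (little-endian 32-bit words), not the posters' actual output.

```python
import re
import struct

# Constructed sample dumps (not from the thread) in the format of Oracle's
# "Dump of memory" trace output: little-endian 32-bit words, and a
# "Repeat N times" line standing for N further copies of the line above.
ENCRYPTED_DUMP = """\
CC12C80 00000000 00000000 00000000 00000000  [................]
        Repeat 3 times
CC12CC0 02012C00 3402C102 EDE7161B 5DA564F3  [.,.....4.....d.]]
"""
DECRYPTED_DUMP = """\
CC12C80 00000000 00000000 00000000 00000000  [................]
        Repeat 2 times
CC12CB0 00000000 00000000 00000000 6978614D  [............Maxi]
CC12CC0 02012C6D 3402C102 EDE7161B 5DA564F3  [m,.....4.....d.]]
"""

ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{7,8})((?:\s+[0-9A-Fa-f]{8}){4})")
REPEAT_RE = re.compile(r"^\s*Repeat\s+(\d+)\s+times", re.IGNORECASE)


def parse_dump(text):
    """Map each 16-byte row's offset to its bytes, expanding 'Repeat N times'."""
    rows, off, row = {}, None, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            off = int(m.group(1), 16)
            words = [int(w, 16) for w in m.group(2).split()]
            row = rows[off] = b"".join(struct.pack("<I", w) for w in words)
            continue
        m = REPEAT_RE.match(line)
        if m and row is not None:
            for _ in range(int(m.group(1))):   # each repeat is the next 16 bytes
                off += 16
                rows[off] = row
    return rows


def differing_rows(dump_a, dump_b):
    """Offsets of rows that differ between two dumps of the same block."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    return sorted(o for o in set(a) | set(b) if a.get(o) != b.get(o))


def find_bytes(dump, needle):
    """Absolute offsets where needle occurs, including across row boundaries."""
    rows = parse_dump(dump)
    offsets = sorted(rows)                       # rows of one block are contiguous
    data = b"".join(rows[o] for o in offsets)
    return [offsets[0] + i for i in range(len(data)) if data.startswith(needle, i)]
```

With the samples above, the encrypted dump shows no 'Maxi' anywhere, while the decrypted one reveals 'Maxim' starting at 0xCC12CBC, with the 'm' falling in the next row.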
