Re: SQLNet/ODBC security and encryption

    In response to Dan Vincent's query about available crypto for ODBC and SQLNet, Dean Mah <dmah_at_acs.ucalgary.ca> admitted:

>We haven't gone into production with our system yet but we have tested
Oracle's
>Advanced Networking Option for SecurID access and data encryption and
>checksumming. In Canada, we are using DES40 or RSA40 for encryption
and MD5
>for checksumming. If you are in the US, you will be able to use
stronger encryption.

    I'm confused. Unless you have a UCalgary project to develop your Oracle app on the grounds of the Lybian Embassy or somesuch, I thought a Canadian citizen has full access to any strong American-developed crypto available on the open market (as an American has full access to any strong Canadian crypto available to the private sector.)

    Are you, for some reason, an exception?

    SNS offers full 56-bit DES, I know, and I presume at least equally-strong RC4 (one of Rivest's variable key-length ciphers, from SDTI/RSA) to protect SQL*Net sessions.

    In the "RSA Challenge" contest two years ago, a Canadian grad student at UCBerkeley popped a 40-bit key in three and a half hours using a medium-size university computer lab in a brute-force attack. 40-bit crypto offers but a little more security than pig-Latin or ROT13 today. It should not be considered for confidentiality.

    (The fact that SNS v.1 offered only 40-bit keys was something of an embarassment.

    Suerte,

            _Vin

      Vin McLellan + The Privacy Guild + <vin_at_shore.net>   53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

• <@><@> --