Path: news.easynews.com!core-easynews!newsfeed1.easynews.com!newsfeed2.easynews.com!easynews.com!easynews!newsfeed.news2me.com!newsfeed.icl.net!newsfeed.fjserv.net!colt.net!kibo.news.demon.net!news.demon.co.uk!demon!peterfinnigan.demon.co.uk!pete
From: Pete Finnigan <pete@petefinnigan.com>
Newsgroups: comp.databases.oracle.server
Subject: Re: Key management for DBMS_OBFUSCATION_TOOLKIT
Date: Wed, 4 Jun 2003 21:18:50 +0100
Organization: www.petefinnigan.com
Lines: 66
Message-ID: <J3q6+9AqQl3+EwrK@peterfinnigan.demon.co.uk>
References: <f743c4ca.0306020058.463a6fd7@posting.google.com>
 <3EDB7AA5.58CCBB6C@exxesolutions.com>
 <51oWeVBg6H3+EwN$@peterfinnigan.demon.co.uk>
 <f743c4ca.0306040010.2b8010a@posting.google.com>
NNTP-Posting-Host: peterfinnigan.demon.co.uk
Mime-Version: 1.0
X-Trace: news.demon.co.uk 1054758123 26757 212.228.17.70 (4 Jun 2003 20:22:03 GMT)
X-Complaints-To: abuse@demon.net
NNTP-Posting-Date: Wed, 4 Jun 2003 20:22:03 +0000 (UTC)
X-Newsreader: Turnpike Integrated Version 5.01 S <ii6xnv5+bmXUulcu5AzBmAM5$X>
Xref: core-easynews comp.databases.oracle.server:188618
X-Received-Date: Wed, 04 Jun 2003 13:21:20 MST (news.easynews.com)

Hi Maser

Yes, you are right: the package is just an API; you have to manage
everything yourself. As I understand it, the function GetKey is supposed
to be there to generate secure random numbers, as the existing
dbms_random package doesn't.

Perhaps if Rick Wessman is reading this he could elaborate, as I know his
name appears in the package source code. Are you there, Rick?

kind regards

Pete

In article <f743c4ca.0306040010.2b8010a@posting.google.com>, MAser
<lhunyi@yahoo.com.sg> writes
>Pete Finnigan <pete@petefinnigan.com> wrote in message
>news:<51oWeVBg6H3+EwN$@peterfinnigan.demon.co.uk>...
>> Hi Maser
>> 
>> DBMS_OBFUSCATION_TOOLKIT doesn't manage the keys for you. I assume you
>> mean key hiding? This is one of the more difficult problems in using
>> encryption packages of any type. It is up to you to pass in the key to
>> the package call and ensure that the key cannot be stolen.
>> 
>> The package offers MD5 checksumming and DES and triple DES for
>> encryption. 56, 112 and 168 bit keys are supported. In 9i a function
>> called getkey can be used to generate secure random numbers for use in
>> keys; it uses the FIPS 140 certified random number generator. But
>> again it is not automatically called and you have to call it and use it
>> yourself. Do not use the older DBMS_RANDOM to generate keys, as this
>> function generates pseudo random numbers.
>> 
>> Another option is to use a "free" C encryption library and create your
>> own API and call it from extproc or call it on the client before sending
>> the data to the server. 
>> 
>> There are a number of options for hiding keys: they could be managed by
>> the user, i.e. passed in, or stored on the server OS and accessed via
>> extproc or utl_file, or stored within the client or application. In any
>> case where the key is passed from the client it needs to be encrypted.
>> 
>> take a look at Aaron's paper at
>> http://www.appsecinc.com/presentations/Encryption_of_Data_at_Rest.pdf
>> which discusses key hiding.
>> 
>> hope this helps
>> 
>> kind regards
>> 
>> Pete
>
>Hello Pete,
>
>I thought the DBMS_OBFUSCATION_TOOLKIT does not generate keys; it
>is stated in the papers. I wonder why in Oracle 9i it has this getkey
>function. It is just supposed to encrypt data, right? The rest of it,
>like key management (hiding keys and storing keys), is done by the
>PL/SQL or API (I think).
>
>Thank you

-- 
Pete Finnigan
email:pete@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security information and services
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

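The points made in the thread above (the toolkit is a bare API, keys come from DES3GetKey rather than DBMS_RANDOM, and the caller is responsible for holding the key) can be shown in a small PL/SQL wrapper. This is an added example, not code from the original post, from Oracle, or from Pete Finnigan; the package name demo_crypt, the choice of SYS_GUID() material for the seed and the PKCS#5-style padding are assumptions of this example. It is written against the Oracle 9i DBMS_OBFUSCATION_TOOLKIT spec (DES3GetKey/DES3Encrypt/DES3Decrypt RAW overloads, ThreeKeyMode) and the UTL_RAW package.

```sql
-- Added example (not from the original post or from Oracle).
-- Wraps DBMS_OBFUSCATION_TOOLKIT so that:
--   * the key is produced by DES3GetKey, never by DBMS_RANDOM;
--   * the key is returned to the caller and passed back in on every
--     call, so nothing in this package or its tables stores it;
--   * plaintext is padded to the 8-byte block size the toolkit requires
--     (it does no padding of its own) and unpadded on the way back.
CREATE OR REPLACE PACKAGE demo_crypt AS
  FUNCTION new_key RETURN RAW;
  FUNCTION encrypt_text (p_clear IN VARCHAR2, p_key IN RAW) RETURN RAW;
  FUNCTION decrypt_text (p_cipher IN RAW, p_key IN RAW) RETURN VARCHAR2;
END demo_crypt;
/

CREATE OR REPLACE PACKAGE BODY demo_crypt AS
  -- ThreeKeyMode: 24-byte key, 168 bits of key material.
  c_mode CONSTANT PLS_INTEGER := DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode;

  -- DES3GetKey needs a seed of at least 80 bytes. Using six SYS_GUID()
  -- values (96 bytes) is an assumption of this example; a deployment
  -- should feed in seed material it trusts to be unpredictable.
  FUNCTION new_key RETURN RAW IS
    l_seed RAW(128);
  BEGIN
    l_seed := UTL_RAW.CONCAT(SYS_GUID(), SYS_GUID(), SYS_GUID(),
                             SYS_GUID(), SYS_GUID(), SYS_GUID());
    RETURN DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(which => c_mode, seed => l_seed);
  END new_key;

  -- PKCS#5-style padding: append n bytes of value n (1..8) so the
  -- length is a multiple of 8. A full block is added when already aligned,
  -- so unpad8 can always trust the last byte.
  FUNCTION pad8 (p_raw IN RAW) RETURN RAW IS
    l_pad PLS_INTEGER := 8 - MOD(NVL(UTL_RAW.LENGTH(p_raw), 0), 8);
  BEGIN
    RETURN UTL_RAW.CONCAT(p_raw,
             UTL_RAW.COPIES(HEXTORAW(TO_CHAR(l_pad, 'FM0X')), l_pad));
  END pad8;

  -- Reject anything that does not carry valid padding: with a wrong key
  -- DES3Decrypt returns garbage rather than an error, and this is the
  -- only signal the caller gets.
  FUNCTION unpad8 (p_raw IN RAW) RETURN RAW IS
    l_len PLS_INTEGER := UTL_RAW.LENGTH(p_raw);
    l_pad PLS_INTEGER := TO_NUMBER(RAWTOHEX(UTL_RAW.SUBSTR(p_raw, l_len, 1)), 'XX');
  BEGIN
    IF l_pad < 1 OR l_pad > 8 OR l_pad > l_len THEN
      RAISE_APPLICATION_ERROR(-20001, 'bad padding: wrong key or corrupt data');
    END IF;
    IF l_len = l_pad THEN
      RETURN NULL;                      -- empty plaintext
    END IF;
    RETURN UTL_RAW.SUBSTR(p_raw, 1, l_len - l_pad);
  END unpad8;

  FUNCTION encrypt_text (p_clear IN VARCHAR2, p_key IN RAW) RETURN RAW IS
  BEGIN
    RETURN DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
             input => pad8(UTL_RAW.CAST_TO_RAW(p_clear)),
             key   => p_key,
             which => c_mode);
  END encrypt_text;

  FUNCTION decrypt_text (p_cipher IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_RAW.CAST_TO_VARCHAR2(unpad8(
             DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
               input => p_cipher,
               key   => p_key,
               which => c_mode)));
  END decrypt_text;
END demo_crypt;
/

-- Usage (constructed input): the key is generated once and handed to the
-- caller, which is the only place it lives; only ciphertext goes to disk.
DECLARE
  l_key RAW(24) := demo_crypt.new_key;
  l_ct  RAW(64);
BEGIN
  l_ct := demo_crypt.encrypt_text('4111111111111111', l_key);
  DBMS_OUTPUT.PUT_LINE(RAWTOHEX(l_ct));
  DBMS_OUTPUT.PUT_LINE(demo_crypt.decrypt_text(l_ct, l_key));
END;
/
```

Where the caller keeps l_key is exactly the problem the thread is about: the wrapper deliberately takes it as a parameter on every call so that the decision (passed in by the user, read from an OS file via utl_file or extproc, held by the client) stays outside the database objects that hold the ciphertext. Note that if a client sends the key over the wire to a server-side call like this one, the connection itself has to be encrypted, as the thread says.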