Oracle security 07-transparent data encryption

云和恩墨成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Transparent Data Encryption

Objectives
After completing this lesson, you should be able to do
the following:
• Describe the encryption options
• Generate random encryption keys
• Encrypt and decrypt table columns
• Encrypt tablespace

Overview
• Data encryption issues
• Data encryption challenges
• DBMS_CRYPTO package:
– Encrypts column data
– Decrypts column data
– Supercedes DBMS_OBFUSCATION_TOOLKIT
DBMS_CRYPTO
OKYMSEISPDTGA
MyCreditCardNum
CUST.CREDITCARD

Encryption Issues: Cost
• Encryption and decryption of data
– Accessibility
– Performance
• Management of encryption keys
– Secure transmission
– Administrative overhead

Encryption Issues: Access Control
Do not use encryption instead of access control.
• Strong data access mechanisms are available.
• Encryption must not interfere with access control.

Encryption Issues: Access
by Privileged Users
• DBAs can access all data. Limit and monitor the
DBA by:
– Using SYSOPER with limited privileges
– Creating junior DBA roles to limit access
– Auditing the actions of the DBA
– Running background checks on the DBAs
– Encrypting sensitive columns
• The system administrator has access to all data
files.
• Backup media may be compromised.

Encryption Issues: Do Not Encrypt
Everything
• Encrypting everything does not make data secure.
• Data is unavailable during key changes.
• Lost keys mean lost data.
• The management of keys becomes critical.

Data Encryption: Challenges
• Key management:
– Generation
– Changing
– Transmission
– Storage
• Encrypting special types of data:
– Indexed
– Large objects (LOBs)

Encryption Key Management:
Key Generation
Keys are generated with random numbers. Use an
approved random-number generator:
• DBMS_CRYPTO.RANDOMBYTES is based on RSA
x9.31 PRNG.
• DBMS_RANDOM is not approved.
• DBMS_OBFUSCATION_TOOLKIT.GETKEY is still
available.

Encryption Key Management: Key
Modification and Transmission
• Modify periodically, like you would a password:
– Reduce the possibility of brute force key discovery.
– Reencrypt the data.
• Transmit the keys in a secure manner:
– Electronic transmission (encrypt the key)
– Physical transmission

Encryption Key Management: Storage
Store the keys by using one of the following methods:
• Store the key in the database.
• Store the key in an operating system file.
• Let the user manage the key.

Storing the Key in the Database
The techniques for protecting keys in the database are:
• Store keys in a separate table.
• Perform additional data transformation.
• Wrap the PL/SQL package that performs the
encryption.
• Use a key per row.
• Combine the techniques.

Storing the Key in the Operating System
Use this method to restrict DBA access to the keys:
1. Set up the file storing the keys so that the DBA
does not have access to the file.
2. Retrieve the data from the database without
decrypting the data.
3. Decrypt the data in the application accessing the
data. The DBA must also be denied access to this
application.

Letting the User Manage the Key
User-managed keys have these problems:
• Users forget the key.
• Users archive the key in an insecure manner.
• Users must use secure transmission methods,
such as network encryption.

Encrypting Special Types of Data
• Indexed data:
– Encrypt the variable used to access the data
– Not supported
• Large objects (LOBs):
– Use the ENCRYPT procedure of the DBMS_CRYPTO
package.

Comparing DBMS_CRYPTO with
DBMS_OBFUSCATION_TOOLKIT
Package
Feature
DBMS_CRYPTO DBMS_OBFUSCATION_TOOLKIT
Cryptographic
algorithms
DES, 3DES, AES,
RC4,
3DES_2KEY
DES, 3DES
Database types RAW, CLOB,
BLOB
RAW, VARCHAR2
Block cipher
chaining modes
CBC, CFB, ECB,
OFB
CBC
Cryptographic
hash algorithms
MD5, SHA-1,
MD4
MD5
Keyed hash
(MAC)
algorithms
HMAC_MD5,
HMAC_SH1
None supported

DBMS_CRYPTO Package
• Functionality:
– Random-number generation for encryption keys
– Encryption and decryption by using various
algorithms
– Multiple cipher block chaining modes
– Multiple cryptographic hash algorithms
– Multiple padding forms
• Procedures and functions in the package include:
– RANDOMBYTES creates random keys.
– ENCRYPT to encrypt columns or LOBs
– DECRYPT to decrypt columns or LOBs
– HASH applies a hash algorithm to data.

Using ENCRYPT and DECRYPT
• ENCRYPT:
• DECRYPT:
encrypted_raw := dbms_crypto.Encrypt (
src => raw_input,
typ => dbms_crypto.DES3_CBC_PKCS5,
key => raw_key,
iv => NULL);
decrypted_raw := dbms_ crypto.Decrypt (
encrypted_raw,
dbms_crypto.DES3_CBC_PKCS5,
raw_key);

Using RANDOMBYTES
• Generate a key:
• Encrypt:
raw_key := dbms_crypto.randombytes (
number_bytes => 24);
encrypted_raw := dbms_crypto.encrypt (
src => raw_input,
typ => DBMS_CRYPTO.DES3_CBC_PKCS5
key => raw_key);

Enhanced Security Using
the Cipher Block Modes
Initial value
block
First block
Encrypt Encrypt
Next block
Encrypted
first block
Encrypted
next block
Cipher Block Chaining

Hash and Message Authentication Code
• DBMS_CRYPTO includes both HASH and Message
Authentication Code (MAC) functions.
• Both produce a one-way hash of an LOB or RAW.
• Use this hash to verify data integrity.
• MAC uses a secret key.
• Example:
encrypted_raw := dbms_crypto.Mac(
src => raw_input,
typ => DBMS_CRYPTO.HMAC_MD5,
key => raw_key);

Summary
In this lesson, you should have learned how to:
• Describe the encryption options available with
Oracle Database 10g
• Use DBMS_CRYPTO to:
– Generate random encryption keys
– Encrypt and decrypt table columns

Q&A

Oracle security 07-transparent data encryption

Recommandé

Recommandé

Contenu connexe

Plus de Zhaoyang Wang

Plus de Zhaoyang Wang (20)

Dernier

Dernier (20)

Oracle security 07-transparent data encryption