1. 云和恩墨 (Enmotech): delivering on what you entrust. By 王朝阳 18516271611 sonne.k.wang@gmail.com
Transparent Data Encryption
Objectives
After completing this lesson, you should be able to do the following:
• Describe the encryption options
• Generate random encryption keys
• Encrypt and decrypt table columns
• Encrypt tablespace
Overview
• Data encryption issues
• Data encryption challenges
• DBMS_CRYPTO package:
– Encrypts column data
– Decrypts column data
– Supersedes DBMS_OBFUSCATION_TOOLKIT
[Figure: DBMS_CRYPTO encrypting the plaintext value MyCreditCardNum held in the CUST.CREDITCARD column into the ciphertext OKYMSEISPDTGA]
Encryption Issues: Cost
• Encryption and decryption of data
– Accessibility
– Performance
• Management of encryption keys
– Secure transmission
– Administrative overhead
Encryption Issues: Access Control
Do not use encryption instead of access control.
• Strong data access mechanisms are available.
• Encryption must not interfere with access control.
Encryption Issues: Access by Privileged Users
• DBAs can access all data. Limit and monitor the DBA by:
– Using SYSOPER with limited privileges
– Creating junior DBA roles to limit access
– Auditing the actions of the DBA
– Running background checks on the DBAs
– Encrypting sensitive columns
• The system administrator has access to all data files.
• Backup media may be compromised.
Encryption Issues: Do Not Encrypt Everything
• Encrypting everything does not make data secure.
• Data is unavailable during key changes.
• Lost keys mean lost data.
• The management of keys becomes critical.
Data Encryption: Challenges
• Key management:
– Generation
– Changing
– Transmission
– Storage
• Encrypting special types of data:
– Indexed
– Large objects (LOBs)
Encryption Key Management: Key Generation
Keys are generated from random numbers. Use an approved random-number generator:
• DBMS_CRYPTO.RANDOMBYTES is based on the RSA X9.31 PRNG.
• DBMS_RANDOM is not approved for key generation.
• DBMS_OBFUSCATION_TOOLKIT.GETKEY is still available.
Encryption Key Management: Key Modification and Transmission
• Modify keys periodically, as you would a password:
– Reduces the possibility of brute-force key discovery.
– Re-encrypt the data with the new key.
• Transmit the keys in a secure manner:
– Electronic transmission (encrypt the key)
– Physical transmission
Encryption Key Management: Storage
Store the keys by using one of the following methods:
• Store the key in the database.
• Store the key in an operating system file.
• Let the user manage the key.
Storing the Key in the Database
The techniques for protecting keys in the database are:
• Store keys in a separate table.
• Perform additional data transformation.
• Wrap the PL/SQL package that performs the encryption.
• Use a key per row.
• Combine the techniques.
Storing the Key in the Operating System
Use this method to restrict DBA access to the keys:
1. Set up the file storing the keys so that the DBA does not have access to the file.
2. Retrieve the data from the database without decrypting the data.
3. Decrypt the data in the application accessing the data. The DBA must also be denied access to this application.
Letting the User Manage the Key
User-managed keys have these problems:
• Users forget the key.
• Users archive the key in an insecure manner.
• Users must use secure transmission methods, such as network encryption.
Encrypting Special Types of Data
• Indexed data:
– Encrypt the lookup value used to access the data
– Encrypting indexed columns directly is not supported
• Large objects (LOBs):
– Use the ENCRYPT procedure of the DBMS_CRYPTO package.
DBMS_CRYPTO Package
• Functionality:
– Random-number generation for encryption keys
– Encryption and decryption by using various algorithms
– Multiple cipher block chaining modes
– Multiple cryptographic hash algorithms
– Multiple padding forms
• Procedures and functions in the package include:
– RANDOMBYTES creates random keys.
– ENCRYPT encrypts columns or LOBs.
– DECRYPT decrypts columns or LOBs.
– HASH applies a hash algorithm to data.
Using ENCRYPT and DECRYPT
• ENCRYPT:
    encrypted_raw := dbms_crypto.Encrypt (
      src => raw_input,
      typ => dbms_crypto.DES3_CBC_PKCS5,
      key => raw_key,
      iv  => NULL);
• DECRYPT:
    decrypted_raw := dbms_crypto.Decrypt (
      encrypted_raw,
      dbms_crypto.DES3_CBC_PKCS5,
      raw_key);
Using RANDOMBYTES
• Generate a key:
    raw_key := dbms_crypto.randombytes (
      number_bytes => 24);
• Encrypt:
    encrypted_raw := dbms_crypto.encrypt (
      src => raw_input,
      typ => DBMS_CRYPTO.DES3_CBC_PKCS5,
      key => raw_key);
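The two slides above show ENCRYPT, DECRYPT and RANDOMBYTES as separate fragments. The following anonymous PL/SQL block is an added example, not part of the original course material, that joins them into one complete round trip: it generates a 256-bit key with RANDOMBYTES, encrypts with AES-256 in CBC mode with PKCS#5 padding, decrypts, and checks that the plaintext came back unchanged. It departs from the slide's iv => NULL by generating a fresh random IV for each encryption, which is the safer practice with CBC. The variable names and the sample plaintext are constructed for the example, and it assumes the session has EXECUTE on DBMS_CRYPTO (which must be granted explicitly), UTL_I18N and UTL_RAW.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- Constructed sample plaintext; not from the original slides
  plain_text    VARCHAR2(200) := 'MyCreditCardNum';
  raw_input     RAW(2000);
  raw_key       RAW(32);   -- 256-bit key for AES-256
  raw_iv        RAW(16);   -- one AES block; must be fresh for every encryption
  encrypted_raw RAW(2000);
  decrypted_raw RAW(2000);
  -- AES-256, CBC chaining, PKCS#5 padding, composed from the DBMS_CRYPTO constants
  cipher_type   PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                             + DBMS_CRYPTO.CHAIN_CBC
                             + DBMS_CRYPTO.PAD_PKCS5;
BEGIN
  -- Convert the string to RAW with an explicit character set so the
  -- bytes do not depend on the database character set
  raw_input := UTL_I18N.STRING_TO_RAW(plain_text, 'AL32UTF8');

  -- Key material comes from the approved generator, never from DBMS_RANDOM
  raw_key := DBMS_CRYPTO.RANDOMBYTES(32);
  -- The IV is not secret; store it next to the ciphertext, but never reuse it with the same key
  raw_iv  := DBMS_CRYPTO.RANDOMBYTES(16);

  encrypted_raw := DBMS_CRYPTO.ENCRYPT(src => raw_input,
                                       typ => cipher_type,
                                       key => raw_key,
                                       iv  => raw_iv);
  DBMS_OUTPUT.PUT_LINE('Ciphertext (hex): ' || RAWTOHEX(encrypted_raw));

  -- Decryption needs the same key, the same mode/padding constant and the same IV
  decrypted_raw := DBMS_CRYPTO.DECRYPT(src => encrypted_raw,
                                       typ => cipher_type,
                                       key => raw_key,
                                       iv  => raw_iv);
  DBMS_OUTPUT.PUT_LINE('Decrypted: ' ||
                       UTL_I18N.RAW_TO_CHAR(decrypted_raw, 'AL32UTF8'));

  -- UTL_RAW.COMPARE returns 0 when both RAW values are identical
  IF UTL_RAW.COMPARE(raw_input, decrypted_raw) = 0 THEN
    DBMS_OUTPUT.PUT_LINE('Round trip OK');
  ELSE
    RAISE_APPLICATION_ERROR(-20001, 'Round trip failed');
  END IF;
END;
/
```

Run the block in SQL*Plus as a user with EXECUTE on DBMS_CRYPTO. In a real table the IV would be stored in its own RAW(16) column beside the encrypted column, while the key would live somewhere the slides on key storage describe (a separate table, an operating system file the DBA cannot read, or with the user), never in the same row as the data it protects.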
Enhanced Security Using the Cipher Block Modes
[Figure: Cipher Block Chaining. The initial value block is combined with the first plaintext block, which is then encrypted to give the encrypted first block; that encrypted block is combined with the next plaintext block, which is encrypted to give the encrypted next block, and so on.]
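To make the chaining figure concrete, the following added example (not from the original slides) encrypts an input made of the same 16-byte block repeated twice, once in ECB mode and once in CBC mode, and compares the two ciphertext blocks of each result. With ECB the identical plaintext blocks produce identical ciphertext blocks, so a pattern in the data is visible in the ciphertext; with CBC the XOR with the IV and with the previous ciphertext block removes the repetition. The 16-byte sample text and the key are constructed; PAD_NONE is used because the input is exactly two AES blocks, so no padding is needed.

```sql
SET SERVEROUTPUT ON
DECLARE
  raw_key   RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  raw_iv    RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  -- Constructed input: one 16-byte block (exactly one AES block) repeated twice
  one_block RAW(16) := UTL_RAW.CAST_TO_RAW('SAME-16-BYTE-BLK');
  raw_input RAW(32) := UTL_RAW.CONCAT(one_block, one_block);
  ecb_ct    RAW(32);
  cbc_ct    RAW(32);
BEGIN
  -- ECB: each block is encrypted independently with the same key, no IV
  ecb_ct := DBMS_CRYPTO.ENCRYPT(
              src => raw_input,
              typ => DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_ECB
                   + DBMS_CRYPTO.PAD_NONE,
              key => raw_key);

  -- CBC: each block is XORed with the previous ciphertext block (the IV for the first)
  cbc_ct := DBMS_CRYPTO.ENCRYPT(
              src => raw_input,
              typ => DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC
                   + DBMS_CRYPTO.PAD_NONE,
              key => raw_key,
              iv  => raw_iv);

  DBMS_OUTPUT.PUT_LINE('ECB block 1: ' || RAWTOHEX(UTL_RAW.SUBSTR(ecb_ct, 1, 16)));
  DBMS_OUTPUT.PUT_LINE('ECB block 2: ' || RAWTOHEX(UTL_RAW.SUBSTR(ecb_ct, 17, 16)));
  DBMS_OUTPUT.PUT_LINE('CBC block 1: ' || RAWTOHEX(UTL_RAW.SUBSTR(cbc_ct, 1, 16)));
  DBMS_OUTPUT.PUT_LINE('CBC block 2: ' || RAWTOHEX(UTL_RAW.SUBSTR(cbc_ct, 17, 16)));

  -- UTL_RAW.COMPARE returns 0 when the two RAW values are identical
  IF UTL_RAW.COMPARE(UTL_RAW.SUBSTR(ecb_ct, 1, 16),
                     UTL_RAW.SUBSTR(ecb_ct, 17, 16)) = 0 THEN
    DBMS_OUTPUT.PUT_LINE('ECB: equal plaintext blocks gave equal ciphertext blocks (pattern leak)');
  END IF;
  IF UTL_RAW.COMPARE(UTL_RAW.SUBSTR(cbc_ct, 1, 16),
                     UTL_RAW.SUBSTR(cbc_ct, 17, 16)) <> 0 THEN
    DBMS_OUTPUT.PUT_LINE('CBC: chaining hid the repetition');
  END IF;
END;
/
```

The same key is used for both modes on purpose: the difference in the output comes only from the chaining, which is why the course's examples use the *_CBC_* constants rather than ECB.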
Hash and Message Authentication Code
• DBMS_CRYPTO includes both HASH and Message Authentication Code (MAC) functions.
• Both produce a one-way hash of a LOB or RAW.
• Use this hash to verify data integrity.
• MAC uses a secret key.
• Example:
    mac_raw := dbms_crypto.Mac(
      src => raw_input,
      typ => DBMS_CRYPTO.HMAC_MD5,
      key => raw_key);
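The following added example (not part of the original slide) contrasts HASH with MAC and shows the verification step the slide implies: the MAC is computed with the secret key and stored, later recomputed over the data that was received, and compared with the stored value; a single flipped bit in the data makes the check fail. It uses HMAC_SH1 instead of the slide's HMAC_MD5, a constructed message, and a hypothetical local function mac_is_valid that is not part of DBMS_CRYPTO.

```sql
SET SERVEROUTPUT ON
DECLARE
  raw_key    RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  -- Constructed message; not from the original slides
  raw_input  RAW(2000) := UTL_RAW.CAST_TO_RAW('amount=100;to=ACCT-42');
  tampered   RAW(2000);
  mac_stored RAW(20);   -- HMAC-SHA1 output is 20 bytes
  hash_raw   RAW(20);   -- SHA-1 output is 20 bytes

  -- Hypothetical helper: recompute the MAC with the shared key and
  -- compare it with the stored value (UTL_RAW.COMPARE is 0 when equal)
  FUNCTION mac_is_valid(msg IN RAW, expected IN RAW, k IN RAW) RETURN BOOLEAN IS
  BEGIN
    RETURN UTL_RAW.COMPARE(
             DBMS_CRYPTO.MAC(src => msg, typ => DBMS_CRYPTO.HMAC_SH1, key => k),
             expected) = 0;
  END;
BEGIN
  -- HASH takes no key: anyone who can alter the data can recompute it,
  -- so it detects accidental corruption, not deliberate modification
  hash_raw := DBMS_CRYPTO.HASH(src => raw_input, typ => DBMS_CRYPTO.HASH_SH1);
  DBMS_OUTPUT.PUT_LINE('SHA-1 hash: ' || RAWTOHEX(hash_raw));

  -- MAC binds the data to the secret key: without the key the value cannot be recomputed
  mac_stored := DBMS_CRYPTO.MAC(src => raw_input,
                                typ => DBMS_CRYPTO.HMAC_SH1,
                                key => raw_key);
  DBMS_OUTPUT.PUT_LINE('HMAC-SHA1:  ' || RAWTOHEX(mac_stored));

  -- Simulate tampering: flip one bit in the first byte of the message
  tampered := UTL_RAW.OVERLAY(
                UTL_RAW.BIT_XOR(UTL_RAW.SUBSTR(raw_input, 1, 1), HEXTORAW('01')),
                raw_input, 1, 1);

  DBMS_OUTPUT.PUT_LINE('Original verifies: ' ||
    CASE WHEN mac_is_valid(raw_input, mac_stored, raw_key) THEN 'yes' ELSE 'no' END);
  DBMS_OUTPUT.PUT_LINE('Tampered verifies: ' ||
    CASE WHEN mac_is_valid(tampered, mac_stored, raw_key) THEN 'yes' ELSE 'no' END);
END;
/
```

When a MAC protects an encrypted column, compute it over the ciphertext and the IV and check it before decrypting, so that modified ciphertext is rejected rather than decrypted into garbage; the MAC key should be a separate key from the encryption key.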
Summary
In this lesson, you should have learned how to:
• Describe the encryption options available with Oracle Database 10g
• Use DBMS_CRYPTO to:
– Generate random encryption keys
– Encrypt and decrypt table columns
Q&A