3. Encryption Overview
• Two main types we are concerned with
– Data in motion, over the network
– Data at rest, datafiles, backups, redo, exports
• We will be concentrating on data at rest
• Question & Discussion:
– What is the goal behind encrypting data?
– Why do we do it?
– What doesn’t it do for us? What can it NOT protect us from?
4. Encryption Overview
• Data in motion is easily done with SQL*Net and ASO
– Network traffic entirely encrypted, snoop proof
– Encrypted checksum as well – to prevent “replay” attacks (e.g.: let’s do that bank transfer twice)
– And to prevent modification (e.g.: let’s change the leading 1 to a 9 in that transaction)
5. Encryption Overview
• Data at rest options…
– DBMS_OBFUSCATION_TOOLKIT
• 8i-9iR2
• Would not use this anymore
• Will not talk about it beyond this slide
• Let’s have a quick talk about wrapper packages…
– DBMS_CRYPTO
• 10gR1 and above
• Would not use this unless I had to (because of the next two bullets)
– Column Level Encryption
• 10gR2 and above (ASO)
– Tablespace Encryption
• 11gR1 and above (ASO)
6. DBMS_CRYPTO
• Encrypt/Decrypt data procedurally
– DES, 3DES
– AES
– RC4
• Hash functions
– MD5, SHA-1, MD4
– Can use secret key as well
• Random functions
– Raw keys
– Numbers and integers as well
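Added example (not from the slides) exercising the three DBMS_CRYPTO families this slide lists: a plain hash, a keyed hash (MAC) with a secret key, and the random generators. The sample message and the key are constructed for the demo; it assumes EXECUTE on DBMS_CRYPTO has been granted to the running user.

```sql
-- Added example, not part of the original slides.
-- Assumes: GRANT EXECUTE ON DBMS_CRYPTO TO <user> has been done.
SET SERVEROUTPUT ON
DECLARE
    l_text   VARCHAR2(100) := 'transfer 1000 to account 42';  -- constructed sample input
    l_raw    RAW(200);
    l_key    RAW(32);
    l_hash   RAW(20);
    l_mac    RAW(20);
BEGIN
    -- Convert to RAW with an explicit character set so the hash does not
    -- change when the client's NLS settings differ from the server's.
    l_raw := UTL_I18N.STRING_TO_RAW(l_text, 'AL32UTF8');

    -- Plain hash: no key, so anyone can recompute it. It detects accidental
    -- corruption, not a deliberate change made by someone who can also rehash.
    l_hash := DBMS_CRYPTO.HASH(src => l_raw, typ => DBMS_CRYPTO.HASH_SH1);
    DBMS_OUTPUT.PUT_LINE('SHA-1 : ' || RAWTOHEX(l_hash));

    -- Keyed hash (MAC): a 256-bit secret key from the package's own generator.
    -- Without the key a modified message cannot be given a matching MAC.
    l_key := DBMS_CRYPTO.RANDOMBYTES(32);
    l_mac := DBMS_CRYPTO.MAC(src => l_raw, typ => DBMS_CRYPTO.HMAC_SH1, key => l_key);
    DBMS_OUTPUT.PUT_LINE('HMAC  : ' || RAWTOHEX(l_mac));

    -- Change one digit in the message and compare MACs.
    -- UTL_RAW.COMPARE returns 0 when the two RAWs are identical.
    l_raw := UTL_I18N.STRING_TO_RAW('transfer 9000 to account 42', 'AL32UTF8');
    DBMS_OUTPUT.PUT_LINE('tampered message still verifies? ' ||
        CASE WHEN UTL_RAW.COMPARE(l_mac,
                      DBMS_CRYPTO.MAC(l_raw, DBMS_CRYPTO.HMAC_SH1, l_key)) = 0
             THEN 'yes' ELSE 'no' END);

    -- Random number / integer helpers from the same package.
    DBMS_OUTPUT.PUT_LINE('random integer: ' || DBMS_CRYPTO.RANDOMINTEGER);
    DBMS_OUTPUT.PUT_LINE('random number : ' || DBMS_CRYPTO.RANDOMNUMBER);
END;
/
```

Run it from SQL*Plus as a user with EXECUTE on DBMS_CRYPTO; the tampered-message line prints "no". The MAC is the piece that actually needs the secret, which is why the key-management question on the next slides applies to it just as much as to encryption.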
7. DBMS_CRYPTO
• The major problem – KEY MANAGEMENT
– Do you store the key in the application?
• How do you secure it there?
• You need to retrieve it and transmit it
– Do you store the key in the database?
• If I steal your database, I have your keys
• You will have code that retrieves the key, I will find out how
– There are no good answers to this problem.
8. DBMS_CRYPTO
• API driven.
• You code it, definitely not transparent.
• Definite performance impact (compared to column and/or tablespace encryption)
• Supports as inputs
– RAW
– CLOB
– BLOB
• And always returns binary output
– You will use BLOB or RAW to store
– If you use varchar2, you need to round the length up to a multiple of 16 and double it, and RAWTOHEX or base64 encode the data.
– Discuss legacy obfuscation toolkit and varchar2 flaw
9. DBMS_CRYPTO
• Simple Examples
– Input raw after converting
– Specify typ – the stream or block cipher type. Block cipher is what we use for storing data persistently
– Key – the encryption key
– Use varchar2 interface and the CLOB
• Performance
– What impact will this have? (it will be different for everyone)
Encrypt1.sql
– How to measure it?
Encrypt2.sql
Encrypt3.sql
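Added example (not from the slides, and not the Encrypt1/2/3.sql scripts they reference) putting slides 8 and 9 together: a VARCHAR2 goes in as RAW, is encrypted with a block cipher (AES-256, CBC, PKCS5 padding), the RAW / hex / base64 storage sizes are printed, the value is decrypted back, and a simple loop times repeated encryptions as one way to start measuring the impact. The sample value, key and IV are constructed for the demo; it assumes EXECUTE on DBMS_CRYPTO has been granted.

```sql
-- Added example, not part of the original slides.
-- Assumes: GRANT EXECUTE ON DBMS_CRYPTO TO <user> has been done.
SET SERVEROUTPUT ON
DECLARE
    -- typ = algorithm + chaining mode + padding, added together as the API expects
    l_mode   PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                          + DBMS_CRYPTO.CHAIN_CBC
                          + DBMS_CRYPTO.PAD_PKCS5;
    l_key    RAW(32)  := DBMS_CRYPTO.RANDOMBYTES(32); -- demo only: where to keep this is slide 7's problem
    l_iv     RAW(16)  := DBMS_CRYPTO.RANDOMBYTES(16); -- fresh IV per value, stored next to the ciphertext
    l_clear  VARCHAR2(200) := 'card=4111111111111111';  -- constructed sample, 21 bytes
    l_src    RAW(2000);
    l_enc    RAW(2000);
    l_stored RAW(2000);
    l_dec    VARCHAR2(200);
    l_t0     NUMBER;
    l_n      PLS_INTEGER := 10000;
BEGIN
    -- Input RAW after converting, with an explicit character set.
    l_src := UTL_I18N.STRING_TO_RAW(l_clear, 'AL32UTF8');
    l_enc := DBMS_CRYPTO.ENCRYPT(src => l_src, typ => l_mode, key => l_key, iv => l_iv);

    -- Sizing: PKCS5 pads to the next multiple of 16 (21 -> 32 bytes) and always
    -- adds at least one byte, so an input of exactly 16 bytes becomes 32 too.
    DBMS_OUTPUT.PUT_LINE('clear bytes      : ' || UTL_RAW.LENGTH(l_src));
    DBMS_OUTPUT.PUT_LINE('cipher bytes     : ' || UTL_RAW.LENGTH(l_enc));

    -- What goes in the RAW/BLOB column: IV || ciphertext (16 + 32 = 48 bytes).
    l_stored := UTL_RAW.CONCAT(l_iv, l_enc);
    DBMS_OUTPUT.PUT_LINE('stored RAW bytes : ' || UTL_RAW.LENGTH(l_stored));

    -- If the column has to be VARCHAR2: hex exactly doubles the length,
    -- base64 grows it by roughly a third. Never store the RAW bytes as text.
    DBMS_OUTPUT.PUT_LINE('hex chars        : ' || LENGTH(RAWTOHEX(l_stored)));
    DBMS_OUTPUT.PUT_LINE('base64 chars     : ' ||
        LENGTH(UTL_RAW.CAST_TO_VARCHAR2(UTL_ENCODE.BASE64_ENCODE(l_stored))));

    -- Decrypt: split the IV back off, then convert RAW to text with the same
    -- character set used on the way in.
    l_dec := UTL_I18N.RAW_TO_CHAR(
                 DBMS_CRYPTO.DECRYPT(src => UTL_RAW.SUBSTR(l_stored, 17),
                                     typ => l_mode,
                                     key => l_key,
                                     iv  => UTL_RAW.SUBSTR(l_stored, 1, 16)),
                 'AL32UTF8');
    DBMS_OUTPUT.PUT_LINE('round trip ok    : ' ||
        CASE WHEN l_dec = l_clear THEN 'yes' ELSE 'no' END);

    -- Rough cost measurement: elapsed hundredths of a second for l_n encrypts.
    -- Real numbers depend on the data sizes and call patterns of your own application.
    l_t0 := DBMS_UTILITY.GET_TIME;
    FOR i IN 1 .. l_n LOOP
        l_enc := DBMS_CRYPTO.ENCRYPT(l_src, l_mode, l_key, l_iv);
    END LOOP;
    DBMS_OUTPUT.PUT_LINE(l_n || ' encrypts took ' ||
        (DBMS_UTILITY.GET_TIME - l_t0) / 100 || ' s');
END;
/
```

The sizing lines are the point of the slide-8 bullet about VARCHAR2 columns: the 21-byte value needs 32 bytes of ciphertext, 48 once the IV is kept with it, and 96 characters if it is stored as hex. For a real measurement, replace the fixed sample with rows from the table you intend to encrypt and time both ENCRYPT and DECRYPT, since reads are usually far more frequent than writes.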