Introduction
This presentation describes the introduction of data encryption into Oracle databases and how Transparent Data Encryption (TDE) in Oracle 11g can help DBAs achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Content
Identification of threats
Basic framework of Oracle security
PCI requirements
What is encryption?
Encryption in Oracle: DBMS_OBFUSCATION_TOOLKIT, DBMS_CRYPTO, TDE
Demo of Transparent Data Encryption
Identification of Threats
What are the common security threats?
Eavesdropping and data theft
Data tampering
Falsifying user identities
Password-related threats
Basic Framework of Oracle Security
Securing the database during installation
Securing user accounts
Managing user privileges
Auditing database activity
Securing the network
Securing data (encryption, VPD, Database Vault)
PCI Requirements
What is the Payment Card Industry Data Security Standard (PCI DSS)?
Founded by American Express, Visa, MasterCard, Discover Financial Services, and JCB
The standard applies to all organizations that store, process or transmit cardholder data
Any company processing, storing, or transmitting cardholder data must be PCI DSS compliant
https://www.pcisecuritystandards.org/
The six PCI DSS control objectives:
Build and maintain a secure network
Protect cardholder data (encryption)
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
What is encryption ?
Transformation of information, using an encryption algorithm, into a form that cannot be deciphered without the decryption key.
Symmetric (shared-key) encryption: a method in which both the sender and the receiver share the same key.
Asymmetric (public-key) encryption: the public key is freely distributed, while its paired private key remains secret. The public key is typically used for encryption, while the private (secret) key is used for decryption.
Encryption algorithms in Oracle:
RC4
DES (Oracle 8 and 9)
3DES (Oracle 10)
AES (Oracle 11)
DBMS_OBFUSCATION_TOOLKIT
Syntax
  DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
      input_string IN VARCHAR2,
      key_string   IN VARCHAR2,
      which        IN PLS_INTEGER DEFAULT TwoKeyMode,
      iv_string    IN VARCHAR2    DEFAULT NULL)
    RETURN VARCHAR2;

  DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
      input_string IN VARCHAR2,
      key_string   IN VARCHAR2,
      which        IN PLS_INTEGER DEFAULT TwoKeyMode,
      iv_string    IN VARCHAR2    DEFAULT NULL)
    RETURN VARCHAR2;
Key Management
Store the key in the database
Store the key in the operating system
Have the user manage the key
DBMS_CRYPTO
Released in Oracle 10.1
Supports AES
Provides automatic padding
Different options for block chaining
Support for CLOB and BLOB
Supersedes DBMS_OBFUSCATION_TOOLKIT, which is deprecated
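As an added example (not code from the slides), the following PL/SQL block shows what application-side encryption with DBMS_CRYPTO looks like, in contrast to the DES3Encrypt syntax above: AES-256 in CBC mode with the automatic PKCS#5 padding the slide mentions, plus an HMAC over IV||ciphertext so that a modified stored value is rejected before decryption. The keys live in PL/SQL variables only to keep the block self-contained; where to persist them is exactly the key-management problem the next slides describe. It assumes the session has EXECUTE on SYS.DBMS_CRYPTO, and the plaintext is a constructed test value.

```sql
-- Added example, not from the slides: encrypt-then-MAC with DBMS_CRYPTO on 11g.
-- Assumes: GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <user>; run in SQL*Plus.
SET SERVEROUTPUT ON
DECLARE
  -- Cipher spec. DBMS_CRYPTO pads to the 16-byte AES block for us;
  -- DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt does not pad, and input that is not
  -- a multiple of 8 bytes fails with ORA-28232.
  l_typ      PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                          + DBMS_CRYPTO.CHAIN_CBC
                          + DBMS_CRYPTO.PAD_PKCS5;
  l_enc_key  RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);  -- 256-bit encryption key
  l_mac_key  RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);  -- separate key for the MAC
  l_iv       RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV for every value
  -- Constructed test value, not real data.
  l_plain    RAW(200) := UTL_I18N.STRING_TO_RAW('PAN=4000000000000002', 'AL32UTF8');
  l_cipher   RAW(256);
  l_tag      RAW(20);   -- HMAC-SHA1: the strongest HMAC 11g's DBMS_CRYPTO offers
  l_check    RAW(20);
  l_out      RAW(200);
BEGIN
  -- Encrypt, then authenticate IV||ciphertext (encrypt-then-MAC).
  l_cipher := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_typ,
                                  key => l_enc_key, iv => l_iv);
  l_tag    := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                              typ => DBMS_CRYPTO.HMAC_SH1, key => l_mac_key);
  DBMS_OUTPUT.PUT_LINE('stored: ' || RAWTOHEX(l_iv) || RAWTOHEX(l_cipher));

  -- Normal read path: verify the tag first, only then decrypt.
  l_check := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_cipher),
                             DBMS_CRYPTO.HMAC_SH1, l_mac_key);
  IF UTL_RAW.COMPARE(l_check, l_tag) = 0 THEN
    l_out := DBMS_CRYPTO.DECRYPT(src => l_cipher, typ => l_typ,
                                 key => l_enc_key, iv => l_iv);
    DBMS_OUTPUT.PUT_LINE('decrypted: ' || UTL_I18N.RAW_TO_CHAR(l_out, 'AL32UTF8'));
  END IF;

  -- Simulate tampering with the stored value: flip one bit of the first byte.
  l_cipher := UTL_RAW.OVERLAY(UTL_RAW.BIT_XOR(UTL_RAW.SUBSTR(l_cipher, 1, 1),
                                              HEXTORAW('01')),
                              l_cipher, 1, 1);
  l_check := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_cipher),
                             DBMS_CRYPTO.HMAC_SH1, l_mac_key);
  IF UTL_RAW.COMPARE(l_check, l_tag) <> 0 THEN
    -- Without the MAC, DECRYPT would happily return garbage for this input.
    DBMS_OUTPUT.PUT_LINE('tag mismatch: value was modified, refusing to decrypt');
  END IF;
END;
/
```

Everything here (key generation, IV handling, MAC verification, and the code path that refuses to decrypt) is the application's responsibility, which is the point the "Real Life" slide makes: this is why the packages are used less than they should be.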
Real Life
Both packages are complicated to use
Key management represents a problem
Encryption / decryption must be done by the application
Not used as often as it should be
Solution?
Transparent Data Encryption (TDE)
Introduced in Oracle 10.2: column encryption
Enhanced in Oracle 11.1: tablespace encryption
Wallet
Default wallet location: $ORACLE_BASE/admin/$ORACLE_SID/wallet
An alternative location is specified in sqlnet.ora (ENCRYPTION_WALLET_LOCATION; WALLET_LOCATION is used if it is absent); the wallet file is ewallet.p12
The wallet is created together with the first master key:
  alter system set encryption key identified by "password";
Load the master key into the database (open the wallet):
  alter system set encryption wallet open identified by "password";
Wallet Maintenance
To make every encrypted column in the database inaccessible, close the wallet:
  alter system set encryption wallet close;
The wallet must be reopened after each database restart:
  alter system set encryption wallet open authenticated by "password";   (10.2 syntax; 11g uses identified by)
Enable auto-login with Oracle Wallet Manager or the mkwallet utility, which writes cwallet.sso
Caveat: an auto-login wallet opens without a password, so the OS permissions on cwallet.sso become the master key's only protection
Wallet Backups
Back up the wallet to a secure location (or keep the master key in an HSM), separately from the tape backups
Use RMAN backups, which automatically exclude the wallet files (ewallet.p12 and cwallet.sso)
During OS backups exclude the *.p12 and *.sso files
A backup that carries the wallet next to the datafiles defeats the encryption; a backup without the wallet is unreadable, so both the wallet and its password must be kept, and kept apart
Column encryption
  CREATE TABLE employee (name VARCHAR2(128), salary NUMBER(6) ENCRYPT);
  ALTER TABLE employee ADD (ssn VARCHAR2(11) ENCRYPT);
  ALTER TABLE employee MODIFY (first_name ENCRYPT);    -- encrypt an existing column
  ALTER TABLE employee MODIFY (first_name DECRYPT);    -- turn it back into cleartext
(first_name is assumed to exist in the table already.)
Salt
  CREATE TABLE employee (
    name   VARCHAR2(128),
    empID  NUMBER    ENCRYPT NO SALT,
    salary NUMBER(6) ENCRYPT USING '3DES168');
  CREATE INDEX employee_idx ON employee (empID);
Salt (the default) adds random bytes to the value before encryption, so equal values produce different ciphertexts; that is exactly what an index cannot work with. You cannot create an index on a column that has been encrypted with salt:
  ORA-28338: cannot encrypt indexed column(s) with salt
Declare indexed columns with NO SALT, as empID above.
Export / Import
Overheads
5% - 35% performance overhead
Indexes store the encrypted values, so only equality lookups on NO SALT columns can use them
Each encrypted value needs 20 bytes for the integrity check (MAC)
The encrypted value is padded to a multiple of 16 bytes
If using salt, an additional 16 bytes are needed
The NOMAC parameter skips the integrity check and saves the 20 bytes:
  ALTER TABLE employee MODIFY (salary ENCRYPT 'NOMAC');
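The wallet, column-encryption, salt and NOMAC slides above are the steps of one procedure. As an added example (not the deck's demo script), the SQL*Plus script below runs them end to end on 11g: create the wallet and master key, open it, create a table whose indexed column is NO SALT, show what the dictionary records, rotate the keys, and close the wallet. The sqlnet.ora directory, the wallet password, the table and the inserted row are all assumptions made for the example.

```sql
-- Added example, not from the slides: TDE column encryption end to end (11g).
-- Assumes sqlnet.ora on the server contains (directory is an example path):
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
-- and that the session has SYSDBA for the ALTER SYSTEM statements.

-- 1. Create the wallet and the first master key (first run only). The
--    password protects the wallet file; it is never stored in the database.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4llet-Passw0rd";

-- 2. Open the wallet (required after every restart unless an auto-login
--    cwallet.sso exists). STATUS should read OPEN.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4llet-Passw0rd";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. Encrypt columns. NO SALT on the column we must index (equality lookups
--    only); salt, the default, on a column we only ever read back; NOMAC
--    where the 20-byte integrity check is not wanted.
CREATE TABLE employee (
  emp_id  NUMBER        ENCRYPT USING 'AES256' NO SALT,
  name    VARCHAR2(128),
  ssn     VARCHAR2(11)  ENCRYPT USING 'AES256',          -- salted
  salary  NUMBER(6)     ENCRYPT USING 'AES256' 'NOMAC'   -- no MAC stored
);
CREATE INDEX employee_id_idx ON employee (emp_id);   -- allowed: NO SALT
-- CREATE INDEX employee_ssn_idx ON employee (ssn);  -- fails: ORA-28338

-- 4. The application sees plaintext; only the datafile holds ciphertext.
--    Constructed test row, not real data.
INSERT INTO employee VALUES (1001, 'A. Example', '123-45-6789', 4500);
COMMIT;
SELECT emp_id, ssn FROM employee WHERE emp_id = 1001;   -- can use the index
-- WHERE emp_id BETWEEN 1000 AND 2000 would not: no range scans on TDE columns

-- 5. What the dictionary records about the encrypted columns.
SELECT column_name, encryption_alg, salt, integrity_alg
  FROM user_encrypted_columns
 WHERE table_name = 'EMPLOYEE';

-- 6. Key rotation (the PCI requirement the deck calls hard to meet):
--    REKEY generates a new table key and re-encrypts the column data;
--    resetting the master key only re-wraps the table keys in the wallet.
ALTER TABLE employee REKEY USING 'AES256';
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4llet-Passw0rd";

-- 7. Closing the wallet makes every encrypted column unreadable at once.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;   -- 11.2 adds IDENTIFIED BY "..."
-- SELECT ssn FROM employee WHERE emp_id = 1001;   -- ORA-28365: wallet is not open
```

Step 6 is the practical answer to the key-rotation point in the conclusions: the table key can be rotated per table, but every REKEY rewrites the table, so schedule it like any other large maintenance operation.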
Restrictions: column encryption does not support
Index types other than B-tree
Range scan search through an index
External large objects (BFILE)
Materialized view logs
Transportable tablespaces
Original import/export utilities
TDE - Advantages
Simple - can be done in four easy steps!
Automatically encrypts column data before it is written to disk
Encryption and decryption are performed through the SQL interface
No need for triggers to call encryption APIs
Views to decrypt data are completely eliminated
Encryption is completely transparent to the application
TDE - Disadvantages
Will not use indexes where the search criteria require a range scan: WHERE account_number < 10000 OR > 20000 will not use an index on a TDE column
Indexes are not possible if using salt
Performance hit
Requires more space
Data dictionary views:
DBA_ENCRYPTED_COLUMNS
USER_ENCRYPTED_COLUMNS
ALL_ENCRYPTED_COLUMNS
V$RMAN_ENCRYPTION_ALGORITHMS
V$ENCRYPTED_TABLESPACES
V$ENCRYPTION_WALLET
Tablespace Encryption
Requires COMPATIBLE = 11.0.0 or higher
  CREATE TABLESPACE encryptblspc
    DATAFILE '/u01/oradata/encryptblspc01.dbf' SIZE 200M
    ENCRYPTION USING '3DES168'
    DEFAULT STORAGE (ENCRYPT);
Check DBA_TABLESPACES (ENCRYPTED column)
Considerations
Great for encrypting whole tables
Objects created in the tablespace are automatically encrypted
All data is encrypted, including data in TEMP, UNDO and REDO (except BFILEs)
Data is protected during JOIN and SORT
Allows index range scans
Cannot encrypt an existing tablespace: use Data Pump, CREATE TABLE AS SELECT or ALTER TABLE MOVE to relocate the data into a new encrypted tablespace
A tablespace cannot be encrypted with the NO SALT option
Example
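The deck's demo is not reproduced on this page. As an added example (not the deck's own script), the following SQL*Plus script applies the tablespace-encryption considerations above: create an encrypted tablespace, verify it through the dictionary views, move an existing table into it with ALTER TABLE MOVE, and show that a range scan works there. It assumes the wallet is already open, and the datafile path, the tablespace name and the cardholder table with its index are illustrative names.

```sql
-- Added example, not from the slides: moving existing data into an encrypted
-- tablespace on 11g. Assumes the wallet is open and that a table CARDHOLDER
-- with index CARDHOLDER_PK already exists in a cleartext tablespace OLD_DATA.

-- 1. Create the encrypted tablespace. An existing tablespace cannot be
--    converted in place, so the data has to be moved into a new one.
CREATE TABLESPACE enc_data
  DATAFILE '/u01/app/oracle/oradata/ORCL/enc_data01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Confirm the tablespace really is encrypted before trusting it.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'ENC_DATA';

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON t.ts# = e.ts#;

-- 3. Relocate the table. MOVE rewrites every block into ENC_DATA, so the
--    rows are encrypted on disk; it also leaves the indexes UNUSABLE,
--    so rebuild them into the encrypted tablespace as well.
ALTER TABLE cardholder MOVE TABLESPACE enc_data;
ALTER INDEX cardholder_pk REBUILD TABLESPACE enc_data;

-- 4. Whole blocks are encrypted, not individual values, so the index and
--    range scans that column encryption forbids work unchanged here.
SELECT COUNT(*) FROM cardholder
 WHERE account_no BETWEEN 10000 AND 20000;

-- 5. The cleartext copy still exists in OLD_DATA's datafile (and in any
--    backups of it) until that tablespace is dropped and the files removed.
-- DROP TABLESPACE old_data INCLUDING CONTENTS AND DATAFILES;
```

Step 5 is the caveat that is easy to miss: moving a table encrypts the new copy, it does not erase the old one, so the migration is not finished until the cleartext datafiles and their backups are gone.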
Not a solution to all security problems
Represents only one layer of the Oracle security model
Should be implemented in combination with Data Pump, RMAN, VPD and Data Masking
PCI's requirement to change the encryption key regularly is difficult to achieve
Only as safe as your wallet
With TDE there is no reason why your datafiles should stay unsecured
Summary
What data encryption is
Why sensitive data should be secured using encryption
Demonstrated how TDE in Oracle 11g can help DBAs encrypt data in an elegant and easy way