1

Introduction

This presentation describes introduction of data encryption into Oracle databases and how Transparent Data Encryption in Oracle 11g can benefit DBAs in achieving compliancy with ayment !ard "ndustry Data #ecurity #tandard$
2

Content

"dentification of threats Basic framewor% of Oracle security !" re&uirements 'hat is Encryption ( Encryption in Oracle) DB*#+OB,-#!AT"O.+TOO/0"T1 DB*#+!23 TO1 TDE Demo of Transparent Data Encryption 3

Identification of Threats

'hat are the !ommon #ecurity Threats ( Eavesdropping and Data Theft Data Tampering ,alsifying -ser "dentities assword 2elated Threats

Basic Framework of Oracle Security

#ecuring database during installation #ecuring user accounts *anaging user privileges Auditing database activity #ecuring networ% #ecuring data 4encryption1 5 D1 Database 5ault6
5

PCI Requirements

'hat is ayment !ard "ndustry Data #ecurity #tandard 4 !" D##6 ( ,ounded by American E7press1 5isa1 *aster!ard1 Discover ,inancial #ervices1 and 8!B The standards apply to all organi9ations that store1 process or transmit cardholder data Any company processing1 storing1 or transmitting cardholder data must be !" D## compliant https://www.pcisecuritystandards.org/ 6

The Core Elements of DSS

Build and *aintain a #ecure .etwor% rotect !ardholder Data 4encryption6 *aintain a 5ulnerability *anagement rogram "mplement #trong Access !ontrol *easures 2egularly *onitor and Test .etwor%s *aintain an "nformation #ecurity olicy

What is encryption ?

Transformation of information using encryption algorithm into a form that can not be deciphered without a decryption %ey

Two ty es of encry tion!

#ymmetric %ey encryption ublic:%ey 4asymmetric %ey6 encryption

Symmetric "ey Encry tion

*ethod in which both the sender and receiver share the same %ey

10

11

Pu#lic "ey Encry tion

The public %ey is freely distributed1 while its paired private %ey remains secret The public %ey is typically used for encryption1 while the private or secret %ey is used for decryption

12

13

14

Encry tion $l%orithms Su orted #y Oracle

2!; DE# 4Oracle < and =6 >DE# 4Oracle 1?6 AE# 4Oracle 116

15

DB&S'OBF(SC$TIO)'TOO*"IT

"ntroduced in Oracle <i -ses DE# algorithm

16

Synta+

DB*#+OB,-#!AT"O.+TOO/0"T$DE#>Encrypt4 input+string ". 5A2!@A2A1 %ey+string ". 5A2!@A2A1 which ". /#+".TEBE2 DE,A-/T Two0ey*ode iv+string ". 5A2!@A2A DE,A-/T .-//6 2ET-2. 5A2!@A2AC DB*#+OB,-#!AT"O.+TOO/0"T$DE#>DE!23 T4 input+string ". 5A2!@A2A1 %ey+string ". 5A2!@A2A1 which ". /#+".TEBE2 DE,A-/T Two0ey*ode iv+string ". 5A2!@A2A DE,A-/T .-//6 2ET-2. 5A2!@A2AC

17

"ey &ana%ement

#tore the %ey in the database #tore the %ey in the operating system @ave the user manage the %ey

18

DB&S'CR,PTO

2eleased in Oracle 1?$1 #upports AE# rovides automatic padding Different options for bloc% chaining #upport for !/OB and B/OB 'ill deprecate dbms+obfuscation+tool%it
19

Real *ife

Both pac%ages are complicated to use 0ey management represents a problem Encryption D decryption must be done through the application .ot used as often as it should be #olution (
20

Trans arent Data Encry tion -TDE.

"ntroduced in Oracle 1?$A E column encryption Enhanced in Oracle 11$1 : tablespace encryption

21

/ow is TDE Im lemented0

1 A > ; #etup 'allet and *aster 0ey "dentify columns with sensitive data 2eview constraints Encrypt e7isting and new data

22

1allet

Default wallet location FO2A!/E+BA#EDadminDFO2A!/E+#"DDwallet Alternative location specified in s&lnet$ora wallet+location encryption+wallet+location ewallet$p1A !reated by creating a new *aster %ey) alter system set encryption %ey identified by password C /oad the *aster %ey into the database) alter system set encryption wallet open identified by passwordC

23

24

1allet &aintenance

To disable all encryption columns in database) alter system set encryption wallet closeC 'allet must be done after database restart) alter system set encryption wallet open authenticated by passwordGC Enable auto logging using 'allet *anager or m%wallet utility cwallet$sso 25

1allet Backu s

Bac% up the wallet to a secure location 4@#*61 separately from the tape bac%ups$ -se 2*A. bac%ups which automatically e7cludes the wallet$#andH$sso During the O# bac%ups e7clude files H$p1A and H$sso
26

Column Encry tion

!2EATE TAB/E employee 4name 5A2!@A2A41A<61 salary .-*BE24I6 E.!23 T6C A/TE2 TAB/E employee ADD 4ssn 5A2!@A2A4116 E.!23 T6C A/TE2 TAB/E employee *OD",3 4first+name E.!23 T6C A/TE2 TAB/E employee *OD",3 4first+name DE!23 T6C 27

Salt

!2EATE TAB/E employee 4name 5A2!@A2A41A<61 emp"D .-*BE2 E.!23 T .O #A/T1 salary .-*BE24I6 E.!23 T -#".B J>DE#1I<J6C !2EATE ".DEK employee+id7 on employee 4emp"D6C 3ou cannot create an inde7 on a column that has been encrypted with salt$ O2A:A<>><) cannot encrypt inde7ed column4s6 with salt 28

E+ ort 2 Im ort

*ust use Datapump

expdp hr TABLES=emp DIRECTORY=dpump_dir DUMPFILE=dumpemp.dmp ENCRYPTION=ENCRYPTED_COLUMNS_ONLY ENCRYPTION_PASSWORD=p !e"#r$p% impdp hr TABLES=emp&'$ee_d(%( DIRECTORY=dpump_dir DUMPFILE= dumpemp.dmp ENCRYPTION_PASSWORD=p !e"#r$p%

E.!23 T"O.+*ODELD-A/ E.!23 T"O.+*ODELT2A.# 29 A2E.T

O3erheads

M N E >M N performance overhead "nde7es are using encrypted values Each encrypted value needs A? bytes for integrity chec% Encrypted value padded to 1I bytes "f using salt1 additional 1I bytes needed .O*A! parameter s%ips integrity chec% A/TE2 TAB/E employee *OD",3 4salary E.!23 T J.O*A!J6C

30

Incom ati#le Features

"nde7 types other than B:tree 2ange scan search through an inde7 E7ternal large obOects 4B,"/E6 *ateriali9ed 5iew /ogs Transportable Tablespaces Original importDe7port utilities
31

TDE 4 $d3anta%es

#imple : can be done in four easy stepsP Automatically encrypts database column data before itJs written to dis% Encryption and decryption is performed through the #Q/ interface .o need for triggers to call encryption A "Js 5iews to decrypt data are completely eliminated Encryption is completely transparent to the application 32

TDE 4 Disad3anta%es
'ill not use inde7es where the search criteria re&uires a range scan where account number R 1???? or S A???? will not wor% with TDE

"nde7es not possible if using TsaltU erformance hit 2e&uires more space 33

Data Dictionary 5iews

DBA_ENCRY !ED_C"#$%N& $&ER_ENCRY !ED_C"#$%N& A##_ENCRY !ED_C"#$%N& '(R%AN_ENCRY !)"N_A#*"R)!+%& '(ENCRY !ED_!AB#E& ACE& '(ENCRY !)"N_WA##E!

34

Ta#les ace Encry tion

!ompatibility L 11$?$? or higher !2EATE TAB/E# A!E encryptblspc DATA,"/E JDu?1DoradataDencryptblspc?1$dbfT #"VE A??* E.!23 T"O. -#".B J>DE#1I<T DE,A-/T #TO2ABE4E.!23 T6C DBA+TAB/E# A!E#
35

Considerations

Breat for encrypting whole tables ObOects automatically created encrypted All data encrypted including data in TE* 1 -.DO1 2EDO 4e7cept B,"/Es6 Data protected during 8O". and #O2T Allows inde7 range scan !an not encrypt e7isting tablespace -se datapump1 create table as select1 alter table move Tablespace can not be enctypted with .O #A/T option 36

Trans arent Data Encry tion cont6

E7ample

37

Encry tion in Practice

.ot a solution to all security problems 2epresents only one layer of Oracle security model #hould be implemented in combination with Data ump1 2*A.1 5 D and Data *as%ing !"Us re&uirement to change regularly the encryption %ey is difficult to achieve Only as safe as your wallet 'ith TDE there is no reason why your datafiles should stay unsecured 38

This resentation e+ lained!

'hat is data encryption 'hy sensitive data should be secured using encryption Demonstrated how TDE in Oracle 11 can help DBAs to encrypt data in an elegant and easy way

'ith Oracle 11g there is no reason to fail !" audit P

39

40