Chapter 4. Data Encryption and Hashing


In the simplest terms, encryption means disguising data: transforming it so that only someone who holds the secret key can recover the original contents. This chapter describes Oracle's support for encryption, focusing on the concepts and features of most use to DBAs. The emphasis here is on Oracle's built-in packages, DBMS_CRYPTO (available from Oracle Database 10g Release 1 onward) and DBMS_OBFUSCATION_TOOLKIT (used primarily with earlier releases). I'll also focus on protecting data on disk, as opposed to protecting data in transit between the client and the database or protecting data during authentication, both of which require Oracle's extra-cost Advanced Security Option (ASO). The one exception is the transmission of passwords during logon, which is always encrypted regardless of whether ASO is in use.

In this chapter, you will learn how to build a basic encryption system that protects sensitive data from access by unauthorized users. You will learn how to build a key management system that protects your encryption keys while still giving application users seamless, unrestricted access to the data they are entitled to see. You'll also learn about cryptographic hashing and the use of Message Authentication Codes (MACs). Finally, I'll describe Transparent Data Encryption (TDE), a feature introduced in Oracle Database 10g Release 2 that encrypts sensitive data in a way that lets you comply with many regulations with the least amount of effort.

Oracle recommends that if you are running Oracle Database 10g, you use the DBMS_CRYPTO package rather than the older DBMS_OBFUSCATION_TOOLKIT package. However, because so many sites still run Oracle9i Database, we'll look first at the facilities provided by the older package and then move on to the Oracle Database 10g implementation. Even if you are running the new release, you may want to read that section first to make sure you are properly grounded in encryption concepts.

DBMS_CRYPTO offers a number of advantages over DBMS_OBFUSCATION_TOOLKIT:

  • More choices of encryption algorithm, in particular support for the current standard, the Advanced Encryption Standard (AES), with 128-, 192- and 256-bit keys

  • Support for a stream cipher (RC4) in addition to block ciphers, so that data need not be padded to a block boundary

  • Support for the Secure Hash Algorithm 1 (SHA-1) in addition to MD5

  • The ability to generate a keyed Message Authentication Code (HMAC-MD5 or HMAC-SHA1), which lets the receiver detect tampering as well as verify integrity

  • Encryption of large objects (LOBs) in their native format, without first converting them to RAW

I'll explore all of these features in this chapter. In Appendix A, you will find a quick reference to the procedures and functions provided in the DBMS_CRYPTO and DBMS_OBFUSCATION_TOOLKIT packages.
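The following PL/SQL block is an added example, not code from the book, that exercises several of the features listed above in one round trip: a 256-bit AES key and a fresh IV from DBMS_CRYPTO.RANDOMBYTES, AES-256 in CBC mode with PKCS#5 padding, a SHA-1 hash of the plaintext, and an HMAC-SHA1 tag over the IV and ciphertext that the receiver verifies before decrypting. The plaintext is a constructed sample record, and the keys are generated inline purely so the block runs stand-alone; in a real system they would come from the key management scheme discussed later in the chapter. Running it requires EXECUTE on DBMS_CRYPTO, which SYS must grant.

```sql
-- Added example (not from the original text): AES-256/CBC encryption,
-- SHA-1 hashing and HMAC-SHA1 authentication with DBMS_CRYPTO.
-- Requires: GRANT EXECUTE ON DBMS_CRYPTO TO <your_schema>;
-- The keys below are generated here only so the block is self-contained;
-- never embed or generate production keys inside application code.
SET SERVEROUTPUT ON
DECLARE
  -- Cipher suite: AES with a 256-bit key, CBC chaining, PKCS#5 padding
  l_suite      PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                            + DBMS_CRYPTO.CHAIN_CBC
                            + DBMS_CRYPTO.PAD_PKCS5;
  l_enc_key    RAW(32);    -- 256-bit encryption key
  l_mac_key    RAW(32);    -- separate key for the MAC
  l_iv         RAW(16);    -- one AES block; must be fresh for every message
  l_plain      RAW(2000);
  l_cipher     RAW(2000);
  l_hash       RAW(20);    -- SHA-1 digest is 160 bits
  l_tag        RAW(20);    -- HMAC-SHA1 tag is 160 bits
  l_check      RAW(20);
  l_decrypted  RAW(2000);
BEGIN
  -- Keys and IV from the package's random generator. Reusing an IV with
  -- the same key in CBC mode reveals which messages share a leading block,
  -- so a new IV is drawn per encryption and stored alongside the ciphertext.
  l_enc_key := DBMS_CRYPTO.RANDOMBYTES(32);
  l_mac_key := DBMS_CRYPTO.RANDOMBYTES(32);
  l_iv      := DBMS_CRYPTO.RANDOMBYTES(16);

  -- Constructed sample: a card number as the sensitive column value.
  -- DBMS_CRYPTO works on RAW, so convert the string with an explicit charset.
  l_plain := UTL_I18N.STRING_TO_RAW('4111-1111-1111-1111', 'AL32UTF8');

  -- Plain SHA-1 hash: integrity only, anyone can recompute it (no key).
  l_hash := DBMS_CRYPTO.HASH(src => l_plain, typ => DBMS_CRYPTO.HASH_SH1);

  l_cipher := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_suite,
                                  key => l_enc_key, iv => l_iv);

  -- Encrypt-then-MAC: authenticate IV and ciphertext together, using a
  -- key distinct from the encryption key.
  l_tag := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                           typ => DBMS_CRYPTO.HMAC_SH1,
                           key => l_mac_key);

  DBMS_OUTPUT.PUT_LINE('SHA-1     : ' || RAWTOHEX(l_hash));
  DBMS_OUTPUT.PUT_LINE('IV        : ' || RAWTOHEX(l_iv));
  DBMS_OUTPUT.PUT_LINE('Ciphertext: ' || RAWTOHEX(l_cipher));
  DBMS_OUTPUT.PUT_LINE('HMAC tag  : ' || RAWTOHEX(l_tag));

  -- Receiving side: recompute and compare the tag BEFORE decrypting.
  -- UTL_RAW.COMPARE returns 0 only when the two RAW values are identical.
  l_check := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                             typ => DBMS_CRYPTO.HMAC_SH1,
                             key => l_mac_key);
  IF UTL_RAW.COMPARE(l_check, l_tag) <> 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'MAC verification failed: ciphertext or IV has been altered');
  END IF;

  l_decrypted := DBMS_CRYPTO.DECRYPT(src => l_cipher, typ => l_suite,
                                     key => l_enc_key, iv => l_iv);
  DBMS_OUTPUT.PUT_LINE('Decrypted : ' ||
                       UTL_I18N.RAW_TO_CHAR(l_decrypted, 'AL32UTF8'));
END;
/
```

Two design points carry over to the rest of the chapter: the MAC is computed with its own key over the IV and ciphertext, not over the plaintext, so a tampered or truncated ciphertext is rejected before DBMS_CRYPTO.DECRYPT ever runs (a padding error from DECRYPT would otherwise be the only signal); and the IV is treated as public data that travels with the ciphertext, while the keys are the only secrets and belong in a key store, not in the table that holds the encrypted column.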

This book does not discuss the details of cryptographic algorithms or the art and science of computer encryption, a field that demands far more coverage than a book of this kind can provide. Our objective is to get readers started on building an encryption system using Oracle's built-in tools, not to reinvent the wheel by implementing the algorithms themselves. For additional information on cryptanalysis, the mathematics of encryption, and related topics, refer to the many good, publicly available books on the subject.

Oracle PL/SQL for DBAs (2005)