Oracle Data Encryption презентация

Ноябрь 21, 2021

Главная
Информатика
Oracle Data Encryption

Содержание

2. Introduction This presentation describes introduction of data encryption into Oracle databases and how “Transparent Data Encryption”
3. Content Identification of threats Basic framework of Oracle security PCI requirements What is Encryption ? Encryption
4. Identification of Threats What are the Common Security Threats ? Eavesdropping and Data Theft Data Tampering
5. Basic Framework of Oracle Security Securing database during installation Securing user accounts Managing user privileges Auditing
6. PCI Requirements What is Payment Card Industry Data Security Standard (PCI DSS) ? Founded by American
7. The Core Elements of DSS Build and Maintain a Secure Network Protect Cardholder Data (encryption) Maintain
8. What is encryption ? Transformation of information using “encryption algorithm” into a form that can not
9. Two types of encryption: Symmetric key encryption Public-key (asymmetric key) encryption
10. Symmetric Key Encryption Method in which both the sender and receiver share the same key
12. Public Key Encryption The public key is freely distributed, while its paired private key remains secret
15. Encryption Algorithms Supported by Oracle RC4 DES (Oracle 8 and 9) 3DES (Oracle 10) AES (Oracle
16. DBMS_OBFUSCATION_TOOLKIT Introduced in Oracle 8i Uses DES algorithm
17. Syntax DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt( input_string IN VARCHAR2, key_string IN VARCHAR2, which IN PLS_INTEGER DEFAULT TwoKeyMode iv_string IN VARCHAR2
18. Key Management Store the key in the database Store the key in the operating system Have
19. DBMS_CRYPTO Released in Oracle 10.1 Supports AES Provides automatic padding Different options for block chaining Support
20. Real Life Both packages are complicated to use Key management represents a problem Encryption / decryption
21. Transparent Data Encryption (TDE) Introduced in Oracle 10.2 – column encryption Enhanced in Oracle 11.1 -
22. How is TDE Implemented? 1 Setup Wallet and Master Key 2 Identify columns with sensitive data
23. Wallet Default wallet location $ORACLE_BASE/admin/$ORACLE_SID/wallet Alternative location specified in sqlnet.ora wallet_location encryption_wallet_location ewallet.p12 Created by creating
25. Wallet Maintenance To disable all encryption columns in database: alter system set encryption wallet close; Wallet
26. Wallet Backups Back up the wallet to a secure location (HSM), separately from the tape backups.
27. Column Encryption CREATE TABLE employee (name VARCHAR2(128), salary NUMBER(6) ENCRYPT); ALTER TABLE employee ADD (ssn VARCHAR2(11)
28. Salt CREATE TABLE employee (name VARCHAR2(128), empID NUMBER ENCRYPT NO SALT, salary NUMBER(6) ENCRYPT USING '3DES168');
29. Export / Import Must use Datapump expdp hr TABLES=emp DIRECTORY=dpump_dir DUMPFILE=dumpemp.dmp ENCRYPTION=ENCRYPTED_COLUMNS_ONLY ENCRYPTION_PASSWORD=pw2encrypt impdp hr TABLES=employee_data
30. Overheads 5 % – 35 % performance overhead Indexes are using encrypted values Each encrypted value
31. Incompatible Features Index types other than B-tree Range scan search through an index External large objects
32. TDE - Advantages Simple - can be done in four easy steps! Automatically encrypts database column
33. TDE - Disadvantages Will not use indexes where the search criteria requires a range scan “where
34. Data Dictionary Views DBA_ENCRYPTED_COLUMNS USER_ENCRYPTED_COLUMNS ALL_ENCRYPTED_COLUMNS V$RMAN_ENCRYPTION_ALGORITHMS V$ENCRYPTED_TABLESPACES V$ENCRYPTION_WALLET
35. Tablespace Encryption Compatibility = 11.0.0 or higher CREATE TABLESPACE encryptblspc DATAFILE '/u01/oradata/encryptblspc01.dbf‘ SIZE 200M ENCRYPTION USING
36. Considerations Great for encrypting whole tables Objects automatically created encrypted All data encrypted including data in
37. Transparent Data Encryption cont. Example
38. Encryption in Practice Not a solution to all security problems Represents only one layer of Oracle
39. This presentation explained: What is data encryption Why sensitive data should be secured using encryption Demonstrated
41. Скачать презентацию

Introduction
This presentation describes introduction of data encryption into Oracle databases and how “Transparent Data Encryption”

in Oracle 11g can benefit DBAs in achieving compliancy with Payment Card Industry Data Security Standard.

Content
Identification of threats
Basic framework of Oracle security
PCI requirements
What is Encryption

?
Encryption in Oracle: DBMS_OBFUSCATION_TOOLKIT, DBMS_CRYPTO,
TDE
Demo of Transparent Data Encryption

Identification of Threats
What are the Common Security Threats ?
Eavesdropping and Data Theft
Data Tampering
Falsifying

User Identities
Password Related Threats

Basic Framework of Oracle Security
Securing database during installation
Securing user accounts
Managing user privileges
Auditing database

activity
Securing network
Securing data (encryption, VPD, Database Vault)

PCI Requirements
What is Payment Card Industry Data Security Standard (PCI DSS) ?
Founded by

American Express, Visa, MasterCard, Discover Financial Services, and JCB
The standards apply to all organizations that store, process or transmit cardholder data
Any company processing, storing, or transmitting cardholder data must be PCI DSS compliant
https://www.pcisecuritystandards.org/

Слайд 7

The Core Elements of DSS
Build and Maintain a Secure Network
Protect Cardholder Data

(encryption)
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

Слайд 8

What is encryption ?
Transformation of information using “encryption algorithm” into a form that

can not be deciphered without a decryption key

Слайд 9

Two types of encryption:
Symmetric key encryption
Public-key (asymmetric key) encryption

Слайд 10

Symmetric Key Encryption
Method in which both the sender and receiver share the same

key

Слайд 11

Слайд 12

Public Key Encryption
The public key is freely distributed, while its paired private key

remains secret
The public key is typically used for encryption, while the private or secret key is used for decryption

Слайд 13

Слайд 14

Слайд 15

Encryption Algorithms Supported by Oracle
RC4
DES (Oracle 8 and 9)
3DES (Oracle 10)
AES (Oracle

11)

Слайд 16

DBMS_OBFUSCATION_TOOLKIT
Introduced in Oracle 8i
Uses DES algorithm

Слайд 17

Syntax
DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt( input_string IN VARCHAR2,
key_string IN VARCHAR2,
which IN PLS_INTEGER DEFAULT TwoKeyMode iv_string

IN VARCHAR2 DEFAULT NULL) RETURN VARCHAR2;
DBMS_OBFUSCATION_TOOLKIT.DES3DECRYPT( input_string IN VARCHAR2,
key_string IN VARCHAR2,
which IN PLS_INTEGER DEFAULT TwoKeyMode iv_string IN VARCHAR2 DEFAULT NULL) RETURN VARCHAR2;

Слайд 18

Key Management
Store the key in the database
Store the key in the operating

system
Have the user manage the key

Слайд 19

DBMS_CRYPTO
Released in Oracle 10.1
Supports AES
Provides automatic padding
Different options for block chaining
Support for

CLOB and BLOB
Will deprecate dbms_obfuscation_toolkit

Слайд 20

Real Life
Both packages are complicated to use
Key management represents a problem
Encryption / decryption

must be done through the application
Not used as often as it should be
Solution ?

Слайд 21

Transparent Data Encryption (TDE)
Introduced in Oracle 10.2
– column encryption
Enhanced in Oracle 11.1
- tablespace

encryption

Слайд 22

How is TDE Implemented?
1 Setup Wallet and Master Key
2 Identify columns with sensitive data
3 Review

constraints
4 Encrypt existing and new data

Слайд 23

Wallet
Default wallet location $ORACLE_BASE/admin/$ORACLE_SID/wallet
Alternative location specified in sqlnet.ora
wallet_location
encryption_wallet_location
ewallet.p12
Created by creating

a new Master key:
alter system set encryption key identified by “password “;
Load the Master key into the database:
alter system set encryption wallet open identified by “password”;

Слайд 24

Слайд 25

Wallet Maintenance
To disable all encryption columns in database: alter system set encryption wallet

close;
Wallet must be done after database restart:
alter system set encryption wallet open authenticated by “password";
Enable auto logging using Wallet Manager or mkwallet utility
cwallet.sso

Слайд 26

Wallet Backups
Back up the wallet to a secure location (HSM), separately from the

tape backups.
Use RMAN backups which automatically excludes the wallet.Sand*.sso
During the OS backups exclude files *.p12 and *.sso

Слайд 27

Column Encryption
CREATE TABLE employee
(name VARCHAR2(128),
salary NUMBER(6) ENCRYPT);
ALTER TABLE employee ADD

(ssn VARCHAR2(11) ENCRYPT);
ALTER TABLE employee MODIFY (first_name ENCRYPT);
ALTER TABLE employee MODIFY (first_name DECRYPT);

Слайд 28

Salt
CREATE TABLE employee
(name VARCHAR2(128),
empID NUMBER ENCRYPT NO SALT,
salary NUMBER(6)

ENCRYPT USING '3DES168');
CREATE INDEX employee_idx on employee (empID);
You cannot create an index on a column that has been encrypted with salt.
ORA-28338: cannot encrypt indexed column(s) with salt

Слайд 29

Export / Import
Must use Datapump
expdp hr TABLES=emp DIRECTORY=dpump_dir
DUMPFILE=dumpemp.dmp ENCRYPTION=ENCRYPTED_COLUMNS_ONLY ENCRYPTION_PASSWORD=pw2encrypt
impdp hr

TABLES=employee_data DIRECTORY=dpump_dir
DUMPFILE= dumpemp.dmp ENCRYPTION_PASSWORD=pw2encrypt
ENCRYPTION_MODE=DUAL
ENCRYPTION_MODE=TRANSPARENT

Слайд 30

Overheads
5 % – 35 % performance overhead
Indexes are using encrypted values
Each encrypted value

needs 20 bytes for integrity check
Encrypted value padded to 16 bytes
If using salt, additional 16 bytes needed
NOMAC parameter skips integrity check
ALTER TABLE employee MODIFY (salary ENCRYPT 'NOMAC');

Слайд 31

Incompatible Features
Index types other than B-tree
Range scan search through an index
External large objects

(BFILE)
Materialized View Logs
Transportable Tablespaces
Original import/export utilities

Слайд 32

TDE - Advantages
Simple - can be done in four easy steps!
Automatically encrypts database

column data before it's written to disk
Encryption and decryption is performed through the SQL interface
No need for triggers to call encryption API's
Views to decrypt data are completely eliminated
Encryption is completely transparent to the application

Слайд 33

TDE - Disadvantages
Will not use indexes where the search criteria requires a range

scan
“where
account number > 10000 or < 20000” will not work with TDE
Indexes not possible if using ‘salt’
Performance hit
Requires more space

Слайд 34

Data Dictionary Views
DBA_ENCRYPTED_COLUMNS
USER_ENCRYPTED_COLUMNS
ALL_ENCRYPTED_COLUMNS
V$RMAN_ENCRYPTION_ALGORITHMS
V$ENCRYPTED_TABLESPACES
V$ENCRYPTION_WALLET

Слайд 35

Tablespace Encryption
Compatibility = 11.0.0 or higher
CREATE TABLESPACE encryptblspc DATAFILE '/u01/oradata/encryptblspc01.dbf‘ SIZE 200M ENCRYPTION

USING '3DES168‘ DEFAULT STORAGE(ENCRYPT);
DBA_TABLESPACES

Слайд 36

Considerations
Great for encrypting whole tables
Objects automatically created encrypted
All data encrypted including data in

TEMP, UNDO, REDO (except BFILEs)
Data protected during JOIN and SORT
Allows index range scan
Can not encrypt existing tablespace
Use datapump, “create table as select”, “alter table move”
Tablespace can not be enctypted with NO SALT option

Слайд 37

Transparent Data Encryption cont.
Example

Слайд 38

Encryption in Practice
Not a solution to all security problems
Represents only one layer of

Oracle security model
Should be implemented in combination with Data Pump, RMAN, VPD and Data Masking
PCI’s requirement to change regularly the encryption key is difficult to achieve
Only as safe as your wallet
With TDE there is no reason why your datafiles should stay unsecured

Слайд 39

This presentation explained:
What is data encryption
Why sensitive data should be secured

using encryption
Demonstrated how TDE in Oracle 11 can help DBAs to encrypt data in an elegant and easy way
With Oracle 11g there is no reason to fail PCI audit !

Oracle Data Encryption презентация

Содержание

IntroductionThis presentation describes introduction of data encryption into Oracle databases and how “Transparent Data Encryption”

Content Identification of threats Basic framework of Oracle securityPCI requirements What is Encryption

Identification of ThreatsWhat are the Common Security Threats ?Eavesdropping and Data TheftData TamperingFalsifying

Basic Framework of Oracle SecuritySecuring database during installationSecuring user accountsManaging user privilegesAuditing database

PCI RequirementsWhat is Payment Card Industry Data Security Standard (PCI DSS) ?Founded by

The Core Elements of DSSBuild and Maintain a Secure Network Protect Cardholder Data

What is encryption ? Transformation of information using “encryption algorithm” into a form that

Two types of encryption:Symmetric key encryptionPublic-key (asymmetric key) encryption

Symmetric Key EncryptionMethod in which both the sender and receiver share the same

Public Key EncryptionThe public key is freely distributed, while its paired private key

Encryption Algorithms Supported by OracleRC4 DES (Oracle 8 and 9)3DES (Oracle 10)AES (Oracle

DBMS_OBFUSCATION_TOOLKITIntroduced in Oracle 8i Uses DES algorithm

SyntaxDBMS_OBFUSCATION_TOOLKIT.DES3Encrypt( input_string IN VARCHAR2, key_string IN VARCHAR2, which IN PLS_INTEGER DEFAULT TwoKeyMode iv_string

Key ManagementStore the key in the database Store the key in the operating

DBMS_CRYPTO Released in Oracle 10.1Supports AESProvides automatic paddingDifferent options for block chainingSupport for

Real LifeBoth packages are complicated to useKey management represents a problemEncryption / decryption

Transparent Data Encryption (TDE)Introduced in Oracle 10.2 – column encryptionEnhanced in Oracle 11.1 - tablespace

How is TDE Implemented?1 Setup Wallet and Master Key2 Identify columns with sensitive data3 Review

WalletDefault wallet location $ORACLE_BASE/admin/$ORACLE_SID/walletAlternative location specified in sqlnet.ora wallet_location encryption_wallet_locationewallet.p12Created by creating

Wallet MaintenanceTo disable all encryption columns in database: alter system set encryption wallet

Wallet BackupsBack up the wallet to a secure location (HSM), separately from the

Column EncryptionCREATE TABLE employee (name VARCHAR2(128), salary NUMBER(6) ENCRYPT);ALTER TABLE employee ADD

SaltCREATE TABLE employee (name VARCHAR2(128), empID NUMBER ENCRYPT NO SALT, salary NUMBER(6)

Export / ImportMust use Datapumpexpdp hr TABLES=emp DIRECTORY=dpump_dir DUMPFILE=dumpemp.dmp ENCRYPTION=ENCRYPTED_COLUMNS_ONLY ENCRYPTION_PASSWORD=pw2encryptimpdp hr

Overheads5 % – 35 % performance overheadIndexes are using encrypted valuesEach encrypted value

Incompatible FeaturesIndex types other than B-treeRange scan search through an indexExternal large objects

TDE - AdvantagesSimple - can be done in four easy steps!Automatically encrypts database

TDE - DisadvantagesWill not use indexes where the search criteria requires a range

Data Dictionary Views DBA_ENCRYPTED_COLUMNS USER_ENCRYPTED_COLUMNSALL_ENCRYPTED_COLUMNS V$RMAN_ENCRYPTION_ALGORITHMS V$ENCRYPTED_TABLESPACES V$ENCRYPTION_WALLET

Tablespace EncryptionCompatibility = 11.0.0 or higherCREATE TABLESPACE encryptblspc DATAFILE '/u01/oradata/encryptblspc01.dbf‘ SIZE 200M ENCRYPTION

ConsiderationsGreat for encrypting whole tablesObjects automatically created encryptedAll data encrypted including data in

Transparent Data Encryption cont.Example

Encryption in PracticeNot a solution to all security problemsRepresents only one layer of

This presentation explained: What is data encryption Why sensitive data should be secured

Похожие презентации