By Craig Moir craig@mydba.co.za http://www.mydba.co.za August 2012 Version 1
WHAT IS ENCRYPTION?
Encryption is the process of transforming information, using an algorithm (a cipher) and an encryption key, into an unreadable or undecipherable format. Decryption is the reverse process: making encrypted information readable or decipherable again by using the same encryption key.
TERMINOLOGY
- Plaintext: readable plain text.
- Cipher: encryption algorithm.
- Ciphertext: unreadable/undecipherable text, i.e. encrypted data.
- Key: the parameter that determines the functional output of a cryptographic algorithm or cipher.
- Data at Rest: all data stored in computer storage media.
- Data in Motion: data that is traversing a network or temporarily residing in computer memory to be read or updated.
- TDE: Transparent Data Encryption.
WHY DO WE NEED DATABASE ENCRYPTION?
- Reason #1: databases store data on disk in plain text format.
- Reason #2: databases transmit data over a network in plain text format.
DATABASES AND PLAIN TEXT DATA
- Data is stored and processed in plain text in all database components, i.e. disk storage, memory cache, backups, data dumps and database network communications.
- Data can be easily read/extracted from any database file, including backups, by using a simple editor or plain text extraction program.
- You don't need to log in to, or have access to, the database in order to view the data.
- Data can be accessed without the database being up and running.
- Data can be intercepted when being transmitted over the network.
SENSITIVE DATA ENCRYPTION
- Sensitive data needs to be encrypted within the DBMS for protection from unauthorized viewing, extraction or interception.
- Database encryption needs to protect data at rest, for all copies and versions of the sensitive data, including backups.
- Database encryption needs to protect data in motion, for sensitive data being transmitted over a network.
ORACLE ENCRYPTION
There are five encryption methods available:
1. Application level encryption using the DBMS_CRYPTO package.
2. TDE tablespace encryption.
3. TDE column encryption.
4. File encryption: RMAN backups and Data Pump dumps.
5. Oracle Net Services encryption with SQL*Net.
DBMS_CRYPTO PACKAGE: APPLICATION ENCRYPTION
- Application-driven encryption: data is encrypted/decrypted by calling package functions during DML activity.
- Highly flexible and highly secure: data cannot be deciphered at all without using the application packages.
- Requires a general level of security familiarity and/or expertise.
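The following is an added example, not code from the presentation, of what application-level DBMS_CRYPTO encryption looks like in practice: a PL/SQL wrapper (the package name app_crypto, the parameter names and the sample card number are constructed for this example) that uses AES-256 in CBC mode with a fresh random IV per value and takes the key from the caller, so the key never has to be stored next to the data.

```sql
-- Added example, not code from the presentation: a small wrapper over DBMS_CRYPTO.
-- AES-256, CBC mode, PKCS#5 padding, fresh random IV per value (stored in front of
-- the ciphertext). The key is supplied by the caller (p_key is a hypothetical name)
-- and must live outside the database, e.g. in the application tier or an HSM.
-- Prerequisite: GRANT EXECUTE ON DBMS_CRYPTO TO <schema> (granted by SYS).
CREATE OR REPLACE PACKAGE app_crypto AS
  FUNCTION encrypt_text (p_plain IN VARCHAR2, p_key IN RAW) RETURN RAW;
  FUNCTION decrypt_text (p_cipher IN RAW, p_key IN RAW) RETURN VARCHAR2;
END app_crypto;
/
CREATE OR REPLACE PACKAGE BODY app_crypto AS
  c_mode   CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len CONSTANT PLS_INTEGER := 16;   -- AES block size in bytes

  FUNCTION encrypt_text (p_plain IN VARCHAR2, p_key IN RAW) RETURN RAW IS
    l_iv RAW(16);
  BEGIN
    IF UTL_RAW.LENGTH(p_key) <> 32 THEN
      RAISE_APPLICATION_ERROR(-20001, 'AES-256 needs a 32-byte key');
    END IF;
    l_iv := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);   -- never reuse an IV under one key
    RETURN UTL_RAW.CONCAT(
             l_iv,
             DBMS_CRYPTO.ENCRYPT(src => UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'),
                                 typ => c_mode, key => p_key, iv => l_iv));
  END encrypt_text;

  FUNCTION decrypt_text (p_cipher IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
    l_iv   RAW(16)    := UTL_RAW.SUBSTR(p_cipher, 1, c_iv_len);   -- IV prefix
    l_body RAW(32767) := UTL_RAW.SUBSTR(p_cipher, c_iv_len + 1);  -- ciphertext
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => l_body, typ => c_mode, key => p_key, iv => l_iv),
             'AL32UTF8');
  END decrypt_text;
END app_crypto;
/
-- Round trip with a constructed test value. The demo key is generated here only so
-- the block runs stand-alone; a real key is never generated or kept inside the DB.
DECLARE
  l_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  l_ct  RAW(2000);
BEGIN
  l_ct := app_crypto.encrypt_text('4111 1111 1111 1111', l_key);
  DBMS_OUTPUT.PUT_LINE(app_crypto.decrypt_text(l_ct, l_key));
END;
/
```

Because the IV is random and stored with each value, two rows holding the same plaintext get different ciphertexts, which also means such a column cannot be indexed or searched for equality without decrypting.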
TDE TABLESPACE ENCRYPTION
- Entire tablespaces are encrypted/decrypted transparently during DML instructions.
- Totally transparent and independent of user or application activity.
- Careful consideration is required when choosing TDE tablespace encryption to avoid serious performance overheads for large data sets.
- If migrating to TDE tablespaces, data shredding may be required to remove the previous unencrypted versions of the data from disk.
- Data is only encrypted at rest.
- Can make use of cryptographic hardware acceleration.
TDE COLUMN ENCRYPTION
- Individual table columns are encrypted/decrypted.
- Totally transparent and independent of user or application activity.
- Ideal for limited column encryption requirements.
- Data is only encrypted at rest.
- Cannot benefit from cryptographic hardware acceleration.
- Storage overhead of up to 52 bytes per encrypted value.
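As an added example covering both TDE slides (not the presentation's own material; tablespace, table, column and file names are hypothetical and the wallet password is a placeholder), the Oracle 11g DDL for tablespace and column encryption, the migration step that leaves the plaintext blocks the data shredding caveat refers to, and the views used to verify the result:

```sql
-- Added example, not from the presentation; object and file names are hypothetical.
-- Prerequisite on 11g: ENCRYPTION_WALLET_LOCATION set in sqlnet.ora, then create the
-- master key (this also creates the wallet, which must be open to use encrypted data).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password-placeholder>";

-- TDE tablespace encryption: every segment placed here is encrypted at rest.
CREATE TABLESPACE ts_secure
  DATAFILE '/u02/oradata/ORCL/ts_secure01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Migrating an existing table: the move writes encrypted blocks, but the old plaintext
-- blocks stay in the original datafile until overwritten or shredded (the data
-- shredding caveat under TDE TABLESPACE ENCRYPTION).
ALTER TABLE orders MOVE TABLESPACE ts_secure;

-- TDE column encryption: only the sensitive columns are encrypted. SALT (the default)
-- adds 16 random bytes per value; with up to 16 bytes of padding and the 20-byte SHA-1
-- integrity check this is the "up to 52 bytes" overhead. NO SALT is required if the
-- column must be indexed.
CREATE TABLE customer (
  id      NUMBER        PRIMARY KEY,
  name    VARCHAR2(100),
  card_no VARCHAR2(19)  ENCRYPT USING 'AES256' NO SALT,
  ssn     VARCHAR2(11)
);
CREATE INDEX customer_card_ix ON customer (card_no);

-- Encrypting a column that already holds data rewrites every row (the update penalty
-- listed under ENCRYPTION OVERHEAD).
ALTER TABLE customer MODIFY (ssn ENCRYPT USING 'AES256');

-- Verification a DBA should run afterwards.
SELECT wrl_type, status FROM v$encryption_wallet;        -- STATUS should be OPEN
SELECT tablespace_name, encrypted FROM dba_tablespaces;   -- YES for ts_secure
SELECT table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns;
```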
FILE ENCRYPTION
- RMAN backups are encrypted.
- Data Pump data dumps can also be encrypted.
- Highly advisable for any offsite storage of database backups or dumps.
ORACLE NET SERVICES ENCRYPTION
- Encrypts network traffic between client computers, databases and application servers.
- Supports all network protocols into an Oracle database.
- Supports Transparent Gateway traffic encryption.
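An added configuration example, not from the presentation, showing the server-side sqlnet.ora settings that turn Oracle Net Services encryption from the default opportunistic mode into a requirement, with the query used to confirm it on a live session:

```ini
# Added example, not from the presentation. Server-side sqlnet.ora on the database
# host; the matching *_CLIENT parameters go in each client's sqlnet.ora.
# Default (weak): SQLNET.ENCRYPTION_SERVER = ACCEPTED, i.e. traffic is encrypted only
# if the client asks for it, so most sessions stay in plain text.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
# Integrity checking detects tampering with packets in transit; enable it as well.
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
# REQUIRED refuses connections from clients configured with ENCRYPTION_CLIENT =
# REJECTED, so roll out client settings first. Confirm on a connected session with:
#   SELECT network_service_banner FROM v$session_connect_info
#    WHERE sid = SYS_CONTEXT('USERENV', 'SID');
# The banner lists an "AES256 Encryption service adapter" line when encryption is on.
```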
ENCRYPTION OVERHEAD
- A performance degradation of between 5% and 20% can be expected for TDE.
- Update penalty when converting to column level encryption.
- Up to 52 bytes of additional storage required per value for column level encryption.
- Logical database design considerations are required for tablespace encryption to minimise the performance overhead.
- Performance degradation for RMAN and Data Pump encryption.
- Performance degradation for Oracle Net Services encryption.
CRYPTOGRAPHIC HARDWARE ACCELERATION
- Leveraged from Intel CPUs with AES-NI (Advanced Encryption Standard New Instructions).
- Also available on SPARC T4 processors.
- Available from Oracle 11.2.0.2 and upwards (with some restrictions).
- Automatically detected by Oracle.
- Makes TDE tablespace encryption a 'near-zero impact' encryption solution.
APPLICATIONS CERTIFIED WITH TRANSPARENT DATA ENCRYPTION
TDE Tablespace Encryption (Oracle Database 11.1.0.7 and Oracle Database 11g Release 2):
- Oracle E-Business Suite
- Oracle PeopleSoft Enterprise 8.48 and later
- Oracle Siebel CRM 8.0 and later
- Oracle JD Edwards EnterpriseOne
- Oracle Financial Services (iflex): FlexCube 10.0
- SAP 6.40_EX2 and later (Oracle Database 11g Release 2 only, SAP note 974876)
- Oracle Retail Applications (Retek), Retail Sales Audit (ReSA):
  - ReSA 12.0 and 13.0 (in Oracle Database 10gR2 10.2.0.4+)
  - ReSA 13.1 (in Oracle Database 11gR1 11.1.0.7)
TDE Column Encryption (Oracle Database 10gR2 and 11g; 10.2.0.5, 11.1.0.7 or 11.2.0.2/3 are recommended):
- Oracle E-Business Suite
- Oracle PeopleSoft Enterprise 8.46 and later
- Oracle Siebel CRM 7.7+
- RETEK Retail Sales Audit 13.1.5
- Primavera P6
- Oracle Internet Directory 10.1.4.2
- SAP 6.40 and later (SAP note 974876)
ENCRYPTION DEMO
For a practical demonstration of database plain text data vulnerabilities and encryption, please follow the link below:
http://www.mydba.co.za/articles/encryption_demo.mp3
MyDBA CREDENTIALS
MyDBA CONSULTING SERVICES
For more information on MyDBA's Database Security services please contact us on:
security@mydba.co.za
0861 911 DBA
+27 11 027 9400
http://www.mydba.co.za/
Disclaimer: This document is provided for information purposes only. While MyDBA has taken care to ensure that the content of this document is accurate, the information is provided "as is" and is not warranted to be error-free. Your use of and reliance on the information is entirely at your own risk. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the prior written permission of MyDBA.