
Chapter 6
Encryption and its application to databases
www.ub.edu.sa College of Computers and Information Technology


PCI Requirements
What is the Payment Card Industry Data Security Standard (PCI DSS)?
Maintained by the PCI Security Standards Council, founded by American Express, Visa, MasterCard, Discover Financial Services and JCB
The standard applies to all organizations that store, process or transmit cardholder data; any such organization must be PCI DSS compliant
https://www.pcisecuritystandards.org/

What is encryption?
Transformation of information, using an encryption algorithm and a key, into a form that cannot be deciphered without the corresponding decryption key

Encryption Algorithms
The strength of a cipher is usually quoted by its key size: an n-bit key gives an attacker 2^n candidates to try. No matter how strong the algorithm, the ciphertext is subject to brute-force attack, in which all possible keys are tried, so given enough time the key will eventually be found. For modern key sizes (128-bit AES and above) that time is far beyond any foreseeable computing capacity, but an undisclosed flaw in the algorithm, or an advance in computer technology or mathematical methods, could sharply reduce it.
Generally, the key length should be chosen so that the data stays secure for as long as it needs protection. Key size alone does not compare algorithms fairly: a 256-bit RC4 key is not "stronger" than a 128-bit AES key once the algorithm's own weaknesses are taken into account.

Two types of encryption:
 Symmetric key encryption
 Public-key (asymmetric key) encryption

Symmetric Key Encryption
 Method in which both the sender and receiver share the same secret key, used for both encryption and decryption
 The key must therefore reach both parties over a channel the attacker cannot read; protecting that key is the whole key-management problem

Public Key Encryption
 Each party has a key pair: the public key is freely distributed, while its paired private key remains secret
 The public key is used for encryption, while the private key is used for decryption, so anyone can encrypt for the owner but only the owner can read the result
 Used the other way round (private key to sign, public key to verify) the same pair gives digital signatures

Encryption Algorithms Supported by Oracle
 RC4 (Rivest Cipher 4): stream cipher, key sizes up to 256 bits; has known keystream biases and is deprecated, do not use it for new data
 DES (Data Encryption Standard), also known as the Data Encryption Algorithm (DEA): 56-bit key, brute-forceable with commodity hardware and therefore obsolete
 3DES (Triple DES): 168-bit key, about 112 bits of effective security; legacy only
 AES (Advanced Encryption Standard): 128-, 192- or 256-bit key; the recommended choice

DBMS_OBFUSCATION_TOOLKIT
 First introduced in Oracle 8i
 Uses the DES algorithm (later releases added 3DES); no AES, and the caller must handle padding and key bytes by hand
 Deprecated; new code should use DBMS_CRYPTO

Key Management
 Store the key in the database: simplest, but anyone who can read the table (or a backup of it) can read the key as well, so the encryption adds little
 Store the key in the operating system: separates key from data; file permissions on the key file become the real control, and the key must be excluded from the database backups
 Have the user or application manage the key: the database never holds the key at rest, which is the strongest separation, but a lost key means unrecoverable data

DBMS_CRYPTO
 Released in Oracle 10.1
 Supports AES (128, 192 and 256-bit keys) in addition to DES, 3DES and RC4
 Provides automatic padding (PKCS#5)
 Different options for block chaining (CBC, CFB, ECB, OFB)
 Support for CLOB and BLOB
 Also provides hashing, HMAC and a random byte generator
 Replaces DBMS_OBFUSCATION_TOOLKIT, which is deprecated
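The Key Management and DBMS_CRYPTO slides above describe the pieces separately. The following is an added example, not code from the slides or from Oracle's documentation, of how they fit together when the application holds the key (the third key-management option): a small PL/SQL wrapper around DBMS_CRYPTO that uses AES-256 in CBC mode with the automatic PKCS#5 padding, a fresh random IV per value, and an HMAC-SHA256 tag so that a modified ciphertext is rejected instead of being decrypted to garbage. The package name app_crypto, the 32-byte key passed in by the caller and the sample value are assumptions made for the example; the DBMS_CRYPTO, UTL_RAW and UTL_I18N calls are standard Oracle ones.

```sql
-- Added example (not from the slides). Requires EXECUTE on DBMS_CRYPTO,
-- which SYS must grant explicitly: GRANT EXECUTE ON DBMS_CRYPTO TO app_schema;
CREATE OR REPLACE PACKAGE app_crypto AS
  FUNCTION encrypt_text(p_plain IN VARCHAR2, p_key IN RAW) RETURN RAW;
  FUNCTION decrypt_text(p_sealed IN RAW, p_key IN RAW) RETURN VARCHAR2;
END app_crypto;
/
CREATE OR REPLACE PACKAGE BODY app_crypto AS
  -- Cipher suite: algorithm + chaining mode + padding, added into one code
  c_alg     CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                  + DBMS_CRYPTO.CHAIN_CBC
                                  + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len  CONSTANT PLS_INTEGER := 16;   -- AES block size in bytes
  c_mac_len CONSTANT PLS_INTEGER := 32;   -- HMAC-SHA256 output size

  -- Derive a separate MAC key from the encryption key so the same raw key
  -- is not used for two purposes (simple domain separation).
  FUNCTION mac_key(p_key IN RAW) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_key, UTL_RAW.CAST_TO_RAW('mac')),
                            DBMS_CRYPTO.HASH_SH256);
  END mac_key;

  FUNCTION encrypt_text(p_plain IN VARCHAR2, p_key IN RAW) RETURN RAW IS
    l_iv  RAW(16);
    l_ct  RAW(32767);
    l_mac RAW(32);
  BEGIN
    IF UTL_RAW.LENGTH(p_key) <> 32 THEN
      RAISE_APPLICATION_ERROR(-20001, 'AES-256 needs a 32-byte key');
    END IF;
    l_iv := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);          -- never reuse an IV with CBC
    l_ct := DBMS_CRYPTO.ENCRYPT(
              src => UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'),
              typ => c_alg, key => p_key, iv => l_iv);
    -- Encrypt-then-MAC over IV || ciphertext
    l_mac := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_ct),
                             typ => DBMS_CRYPTO.HMAC_SH256,
                             key => mac_key(p_key));
    RETURN UTL_RAW.CONCAT(l_iv, l_ct, l_mac);          -- store in one RAW/BLOB column
  END encrypt_text;

  FUNCTION decrypt_text(p_sealed IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
    l_len PLS_INTEGER := UTL_RAW.LENGTH(p_sealed);
    l_iv  RAW(16);
    l_ct  RAW(32767);
    l_mac RAW(32);
  BEGIN
    IF l_len < c_iv_len + 16 + c_mac_len THEN          -- IV + one block + tag
      RAISE_APPLICATION_ERROR(-20002, 'sealed value too short');
    END IF;
    l_iv  := UTL_RAW.SUBSTR(p_sealed, 1, c_iv_len);
    l_ct  := UTL_RAW.SUBSTR(p_sealed, c_iv_len + 1, l_len - c_iv_len - c_mac_len);
    l_mac := UTL_RAW.SUBSTR(p_sealed, l_len - c_mac_len + 1, c_mac_len);
    -- Verify the tag before decrypting anything
    IF UTL_RAW.COMPARE(l_mac,
                       DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_ct),
                                       DBMS_CRYPTO.HMAC_SH256, mac_key(p_key))) <> 0 THEN
      RAISE_APPLICATION_ERROR(-20003, 'MAC mismatch: wrong key or altered ciphertext');
    END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(l_ct, c_alg, p_key, l_iv), 'AL32UTF8');
  END decrypt_text;
END app_crypto;
/

-- Usage with a constructed test string shaped like a card number (not real data).
-- The key is generated ad hoc here; in production the application supplies it.
DECLARE
  l_key    RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  l_sealed RAW(2000);
BEGIN
  l_sealed := app_crypto.encrypt_text('4111 1111 1111 1111', l_key);
  DBMS_OUTPUT.PUT_LINE(app_crypto.decrypt_text(l_sealed, l_key));  -- round trip
  -- Flip one bit in the first ciphertext byte: decrypt_text raises ORA-20003
  l_sealed := UTL_RAW.CONCAT(UTL_RAW.SUBSTR(l_sealed, 1, 16),
                             UTL_RAW.BIT_XOR(UTL_RAW.SUBSTR(l_sealed, 17, 1), HEXTORAW('01')),
                             UTL_RAW.SUBSTR(l_sealed, 18));
  BEGIN
    DBMS_OUTPUT.PUT_LINE(app_crypto.decrypt_text(l_sealed, l_key));
  EXCEPTION WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE(SQLERRM);
  END;
END;
/
```

The key is a parameter on every call and never appears in a table, which is exactly the burden the next slide complains about: every code path that reads or writes the column must go through this package, and the application has to store and rotate the key itself. That is the gap TDE closes.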

Real Life
 Both packages are complicated to use
 Key management is left to the application and is the hard part
 Encryption and decryption must be done through the application (or through triggers and views that call the package)
 As a result, column encryption is not used as often as it should be
 Solution?

Transparent Data Encryption (TDE)
Encryption options in Oracle 12.2:
– column encryption (individual sensitive columns)
– tablespace encryption (everything stored in the tablespace)

How is TDE Implemented?
1 Set up the wallet (keystore) and the master encryption key
2 Identify columns with sensitive data
3 Review constraints (indexes, foreign keys and the salt restriction described later)
4 Encrypt existing and new data

Wallet
Default wallet location: $ORACLE_BASE/admin/$ORACLE_SID/wallet
Alternative location specified in sqlnet.ora by ENCRYPTION_WALLET_LOCATION (WALLET_LOCATION is used if that parameter is not set)
The password-protected wallet file is ewallet.p12
The wallet is created, and the master key generated, by setting a new master key:
alter system set encryption key identified by "password";
Load the master key into the instance by opening the wallet:
alter system set encryption wallet open identified by "password";
These ALTER SYSTEM SET ENCRYPTION forms are the pre-12c syntax; in 12c they still work but are deprecated in favour of ADMINISTER KEY MANAGEMENT, which performs the same steps (create keystore, open keystore, set key).

Wallet Maintenance
To make all encrypted columns inaccessible, close the wallet; the data stays encrypted on disk and any query touching an encrypted column fails with ORA-28365 (wallet is not open) until it is reopened:
alter system set encryption wallet close;
The wallet must be reopened after every database restart:
alter system set encryption wallet open authenticated by "password";
(AUTHENTICATED BY is the 10g form; 11g and later use IDENTIFIED BY.)
To avoid the manual step, create an auto-login wallet (cwallet.sso) with Oracle Wallet Manager or the mkwallet utility. An auto-login wallet opens without a password, so whoever can copy both the datafiles and the wallet directory can read the data: restrict the directory with OS permissions and keep it out of the datafile backups.
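The three slides above (implementation steps, wallet, wallet maintenance) are one procedure. As an added example, not taken from the slides, here it is end to end in the 12.2 ADMINISTER KEY MANAGEMENT syntax, with the legacy commands from the slides shown as comments for comparison. The directory path, the wallet password and the non-CDB assumption are placeholders chosen for the example.

```sql
-- Added example (not from the slides). Run as SYSDBA or SYSKM on a non-CDB
-- 12.2 instance; in a multitenant database add CONTAINER = ALL in the root.

-- 1. Tell the instance where the keystore lives ($ORACLE_HOME/network/admin/sqlnet.ora):
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)))
--    The directory must exist and be readable only by the oracle OS user.

-- 2. Create the password-protected keystore (writes ewallet.p12)
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "Wallet-Passw0rd";

-- 3. Open it for this instance
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Wallet-Passw0rd";

-- 4. Generate and activate the master encryption key.
--    WITH BACKUP copies the keystore first, so a failed key change is recoverable.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Wallet-Passw0rd" WITH BACKUP;

-- 5. Optional: auto-login keystore (cwallet.sso) so the wallet opens at startup.
--    Trade-off: anyone with the wallet directory and the datafiles can decrypt.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/u01/app/oracle/admin/ORCL/wallet' IDENTIFIED BY "Wallet-Passw0rd";

-- 6. Verify: STATUS should be OPEN, WALLET_TYPE PASSWORD or AUTOLOGIN
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;

-- Legacy (pre-12c) equivalents shown on the slides, still accepted in 12.2:
--   ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-Passw0rd";           -- steps 2 + 4
--   ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet-Passw0rd";   -- step 3
--   ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;                                    -- maintenance

-- Closing a password keystore in 12.2 syntax:
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Wallet-Passw0rd";
```

Back up the keystore separately from the database backups and store the password outside the database host: a datafile backup that ships together with ewallet.p12 and its password is an unencrypted backup.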

Column Encryption
 CREATE TABLE employee
   (name VARCHAR2(128),
    salary NUMBER(6) ENCRYPT);
 ALTER TABLE employee ADD (ssn VARCHAR2(11) ENCRYPT);
 ALTER TABLE employee MODIFY (first_name ENCRYPT);
 ALTER TABLE employee MODIFY (first_name DECRYPT);
Salt
CREATE TABLE employee
  (name VARCHAR2(128),
   empID NUMBER ENCRYPT NO SALT,
   salary NUMBER(6) ENCRYPT USING '3DES168');

CREATE INDEX employee_idx ON employee (empID);

By default TDE prepends 16 random bytes of salt to each value before encrypting it, so two rows holding the same plaintext produce different ciphertext. That is good for confidentiality but makes the stored values useless for B-tree lookups, so you cannot create an index on a column that has been encrypted with salt:
ORA-28338: cannot encrypt indexed column(s) with salt
Columns that must be indexed are declared ENCRYPT NO SALT (as empID above); the price is that equal plaintexts then have equal ciphertexts and an attacker holding the datafiles can see which rows share a value. '3DES168' is still accepted, but AES ('AES128', 'AES192' or 'AES256'; the default is AES192) is the better choice.
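The Column Encryption and Salt slides above are pulled together in the following added example, which is not code from the slides: it shows the salt/index interaction fail and then succeed, how to inspect what was actually encrypted, and what an application sees when the keystore is closed. It assumes the keystore from the previous step is open with the same placeholder password; table, column and index names are illustrative.

```sql
-- Added example (not from the slides). Assumes an open TDE keystore.
CREATE TABLE employee (
  name   VARCHAR2(128),
  empID  NUMBER       ENCRYPT NO SALT,          -- deterministic ciphertext: indexable
  ssn    VARCHAR2(11) ENCRYPT,                  -- defaults: AES192, SALT, integrity MAC
  salary NUMBER(6)    ENCRYPT USING 'AES256'    -- the slide used '3DES168'; prefer AES
);

CREATE INDEX employee_empid_idx ON employee (empID);  -- OK: column is NO SALT

CREATE INDEX employee_ssn_idx ON employee (ssn);
-- ORA-28338: Column(s) cannot be both indexed and encrypted with salt

-- Either give up the salt (equality lookups become possible, and so does
-- spotting which rows share an SSN from the raw datafile) ...
ALTER TABLE employee MODIFY (ssn ENCRYPT NO SALT);
CREATE INDEX employee_ssn_idx ON employee (ssn);      -- now succeeds
-- ... or keep the salt and do without the index.

-- Adding and removing encryption on an existing column (from the slide).
-- MODIFY ... ENCRYPT rewrites every existing row, so expect I/O on big tables.
ALTER TABLE employee ADD (first_name VARCHAR2(64));
ALTER TABLE employee MODIFY (first_name ENCRYPT);
ALTER TABLE employee MODIFY (first_name DECRYPT);     -- plaintext on disk again

-- What the catalog records per column: algorithm, salt and integrity check
SELECT column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE table_name = 'EMPLOYEE';

-- Constructed sample row; the application sees plaintext through ordinary SQL
INSERT INTO employee (name, empID, ssn, salary)
  VALUES ('Test User', 1001, '000-00-0000', 5000);
SELECT name, salary FROM employee WHERE empID = 1001;

-- Close the keystore: plaintext columns still read, encrypted ones do not.
-- This is the state a database restarts into without an auto-login wallet.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Wallet-Passw0rd";
SELECT name   FROM employee WHERE empID IS NOT NULL;  -- ORA-28365 (empID is encrypted)
SELECT name   FROM employee;                          -- works: name is plaintext
SELECT salary FROM employee;                          -- ORA-28365: wallet is not open
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Wallet-Passw0rd";
```

Note that the last block also shows the limit of TDE's protection: while the keystore is open, any session allowed to SELECT from employee gets the plaintext, exactly as the application does.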

TDE - Advantages
 Simple: can be done in a few easy steps
 Automatically encrypts column data before it is written to disk and decrypts it when it is read back
 Encryption and decryption are performed inside the SQL layer
 No need for triggers to call encryption APIs
 Views to decrypt data are no longer needed
 Encryption is completely transparent to the application
 The limit of that transparency: any session with SELECT privilege, including an SQL injection running as the application user, still sees plaintext. TDE protects against stolen datafiles, backups and tablespace dumps, not against authorized or compromised database logins, so access control and auditing remain necessary.
