Andreas Becker, DOAG Special Interest Day ORACLE und SAP, 27.6.2007

Transparent Data Encryption


DOAG Special Interest Day ORACLE and SAP June 2007

Andreas Becker
Senior Member Technical Staff
Oracle Server Technologies - SAP Development
Agenda

Transparent Data Encryption
  Technical Overview
  Demo
  Technical Restrictions / Recommendations
  Configuration and Support in SAP Environments
Alternatives
  RMAN Backup Encryption
  Oracle Secure Backup

Encryption

Network Encryption
  Encryption of data in motion

Transparent Data Encryption
  Encryption of data at rest

JP Morgan Client Data Loss
The Wall Street Journal, May 2007

"JP Morgan Chase has alerted thousands of its Chicago-area millionaire
clients, as well as some of its own employees, that it cannot locate a
computer tape containing their account information and Social Security
numbers."

The Need for Encryption

Worldwide privacy, security laws and regulations
  Sarbanes-Oxley
  PCI (Payment Card Industry)
  California SB 1386 (Nationwide soon?)
  Country-specific laws

Data (e.g. customer credit card numbers) is worthless to a thief if it is
encrypted when
  Disks are replaced for maintenance
  Laptops are stolen
  Backups are lost

Database Encryption
Release < 10.2

Oracle8i, Oracle9i and Oracle Database 10g provided a PL/SQL API for
encrypting data in the Enterprise Edition
  DBMS_OBFUSCATION_TOOLKIT in Oracle9i, Oracle10g
  DBMS_CRYPTO in Oracle Database 10g
Application calls the PL/SQL API to perform encryption
  Typically requires database triggers and database views
  No automated key management
Note that most 3rd-party solutions today create triggers and views to
make their encryption solution look transparent
Oracle encryption APIs are used by customers today to encrypt credit
card numbers

What our customers wanted

Privacy / regulatory compliance (SB 1386, CISP/PCI)
Protection for data on backup tapes
Additional protection against operating system / data file theft
  Media theft / disk replacement
Let the database handle all aspects of encryption, not the application
Make it easy and secure

Transparent Data Encryption

Integrated with the Oracle database for simplicity
  Alter table ... encrypt column
Provides application transparency
  No API calls, database triggers, or views required
Media protection of PII data
  Social security numbers
  Credit card numbers
Performance
  Works with existing indexes for equality searches

TDE Key Features

Encryption / decryption inside the database
Simple SQL syntax:
  SQL> ALTER TABLE customers MODIFY (creditcardno ENCRYPT);
Requires Advanced Security Option!
  Only with Oracle Enterprise Edition
TDE keys are managed by Oracle
Protects against unauthorized access to the database on file system
level / OS level

TDE Key Features

Simple and easy encryption of sensitive data
  Views or triggers are NOT needed
Protects confidential data without the overhead of key management
Data on disk is encrypted, but decryption is transparent for the
application

Overview: the Big Picture

Figure (diagram): Oracle Advanced Security provides Strong Authentication
and Network Encryption for data passing through the SQL interface;
Transparent Data Encryption automatically encrypts data as it is written
to disk and automatically decrypts it when read back; data stays
encrypted on backup files.

Separation of duties

Wallet password is separate from the SYSTEM or DBA password
DBA starts up the database: no access to the wallet
Security DBA opens the wallet containing the master key

Master key and column keys

Column keys are encrypted by the master key
Master key is stored in a PKCS#12 wallet
Security DBA opens the wallet containing the master key
Column keys encrypt the data in the columns

Transparent Data Encryption
Configuration steps

5 steps to set up TDE:
1. Identify tables and columns containing sensitive data
2. Does TDE support the datatype of the column?
3. Is the column part of a foreign key?
   (should not be relevant in SAP environments)
4. Set up and initialize wallet and master key
5. Encrypt existing data and new data in the encrypted table column

DEMONSTRATION

Transparent Data Encryption (TDE)

Prepare the Database

Create a wallet and generate the master key (the wallet password is
case-sensitive and is therefore written in double quotes):

  ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "e3car61";

Open the wallet:

  ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "e3car61";

Encrypting columns

Encrypt a column in an existing table:

  alter table credit_rating modify (person_id encrypt);

Create a new table with an encrypted column:

  create table orders (
    order_id number(12),
    customer_id number(12),
    credit_card varchar2(16) encrypt);

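Configuration steps 4 and 5 and the two demo slides, carried through as one script. This is an added example, not the demo from the deck: it assumes an Oracle 10gR2 database whose sqlnet.ora already sets ENCRYPTION_WALLET_LOCATION, a session with ALTER SYSTEM and CREATE TABLE privileges, and a constructed table DEMO_ORDERS with a constructed wallet password; credit_rating is the table from the slides.

```sql
-- Added example (not the deck's demo): TDE setup end to end on 10gR2.
-- Assumes sqlnet.ora already sets ENCRYPTION_WALLET_LOCATION and that
-- the session has ALTER SYSTEM and CREATE TABLE. The password and the
-- table DEMO_ORDERS are constructed for this example.

-- Step 4: create the wallet (ewallet.p12) and the first master key.
-- The password is case-sensitive, hence the double quotes.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet#Pwd2007";

-- After every instance restart the wallet is closed again; the security
-- DBA opens it. The DBA who starts the instance never needs this password.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet#Pwd2007";

-- Check: STATUS must read OPEN before any encrypted column is touched
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- Step 5a: new table, card number encrypted with AES256 instead of the
-- AES192 default; SALT is the default and fine for a non-indexed column
CREATE TABLE demo_orders (
  order_id    NUMBER(12) PRIMARY KEY,
  customer_id NUMBER(12),
  credit_card VARCHAR2(16) ENCRYPT USING 'AES256'
);

-- Step 5b: encrypt a column of an existing table (credit_rating from the
-- slides). Every existing row is rewritten, so on a large table this is
-- a full-table update and belongs in a maintenance window.
ALTER TABLE credit_rating MODIFY (person_id ENCRYPT);

-- The application sees nothing of this: plain INSERT and SELECT
INSERT INTO demo_orders VALUES (1, 4711, '4111111111111111');
COMMIT;
SELECT order_id, credit_card FROM demo_orders;

-- What is encrypted, with which algorithm and salt setting
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE table_name IN ('DEMO_ORDERS', 'CREDIT_RATING');

-- Separation of duties in action (10gR2 syntax: no password on CLOSE,
-- 11g requires IDENTIFIED BY). With the wallet closed the same SELECT
-- fails with ORA-28365 (wallet is not open), even when run as SYS.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
SELECT order_id, credit_card FROM demo_orders;
```

The closing SELECT is the point of the separation-of-duties slides: file-system access plus SYS access to the database still yields nothing readable from the encrypted column unless the wallet password holder has opened the wallet.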
Which algorithms are used?

Default: AES with 192 bits:

  alter table credit_rating modify (person_id encrypt);

Example with other algorithms (the algorithm name is a quoted string):

  create table employee (
    first_name varchar2(64),
    last_name varchar2(64),
    empID NUMBER encrypt using 'AES256',
    salary NUMBER(6) encrypt using 'AES256');

TDE Available Algorithms

Triple DES (Data Encryption Standard)
  3DES168
AES (Advanced Encryption Standard)
  AES128
  AES192 (default)
  AES256

Performance?

Equality searches possible when not salted

  -- Encrypt person_id
  alter table credit_rating modify (person_id encrypt no salt);

  -- Create index over encrypted column
  create index person_id_idx on credit_rating (PERSON_ID);

  -- Application remains unchanged
  select score from credit_rating where PERSON_ID='235901';

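The interaction between SALT and indexing, as an added example that is not part of the deck. It uses a constructed table DEMO_CARDS, assumes the wallet is open, and shows the failure mode the slide only implies: an index cannot be built on a salted column, and even with NO SALT only equality predicates benefit.

```sql
-- Added example (not from the presentation): SALT vs NO SALT and B-tree
-- indexes. DEMO_CARDS is a constructed table; the wallet must be open.
CREATE TABLE demo_cards (
  card_id NUMBER(12),
  pan     VARCHAR2(16) ENCRYPT        -- defaults: AES192, SALT
);

-- Fails: a column encrypted with SALT cannot be indexed. Each plaintext
-- is stored as a different ciphertext, so the index could never be used
-- to answer an equality predicate.
CREATE INDEX demo_cards_pan_idx ON demo_cards (pan);

-- Switch the column to NO SALT. Same column key and algorithm; the
-- existing rows are rewritten, which is a full-table update.
ALTER TABLE demo_cards MODIFY (pan ENCRYPT NO SALT);

-- Now the index can be created: identical plaintexts now produce
-- identical ciphertexts, and the index is built on those ciphertexts
CREATE INDEX demo_cards_pan_idx ON demo_cards (pan);

-- Equality predicate: the value is encrypted and the index probed,
-- so the application statement is unchanged
SELECT card_id FROM demo_cards WHERE pan = '4111111111111111';

-- Range and pattern predicates cannot use the index: the ordering of
-- ciphertexts bears no relation to the ordering of plaintexts, so this
-- degrades to a full scan with row-by-row decryption
SELECT card_id FROM demo_cards WHERE pan LIKE '4111%';
```

The trade-off is the one the later SALT vs. NO SALT slide states: NO SALT is the price of an index, and in return equal plaintexts become recognisable as equal ciphertexts on disk, which is exactly the pattern-matching exposure that SALT removes. Encrypt with NO SALT only where the column must be indexed.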
Transparent Data Encryption
Overhead

Storage
  33-48 bytes per row per encrypted column
Performance
  ~5%
  Very customer/system-specific
  Depends on
    number of tables
    size of tables
    how tables are accessed

Transparent Data Encryption
SALT vs. NO SALT

SALT
  A random string is added to the clear text before it is encrypted
  Multiple occurrences of the same clear text appear different when
  encrypted with salt
  Increased security against pattern matching attacks
  But: encrypted columns which are part of an index must be encrypted
  with NO SALT

Transparent Data Encryption
Change Wallet Password

Wallet password is independent from
  Master key
  Column keys
  SYSTEM password
  SYS password
Wallet Manager supports a password policy
  At least 8 characters
  Must contain numbers or special characters

Transparent Data Encryption
Export of table data

Export of encrypted data is only supported with Data Pump:
  Using the exp utility:
    EXP-00107: Feature (string) of column string in table string.string
    is not supported. The table will not be exported.
  Using expdp (Data Pump) without encryption password:
    ORA-39173: Encrypted data has been stored unencrypted in dump file set.
  Using expdp (Data Pump) with encryption password:
    OK

TDE Administration

SQL> desc dba_encrypted_columns

  Name                  Null?    Type
  --------------------- -------- -------------
  OWNER                 NOT NULL VARCHAR2(30)
  TABLE_NAME            NOT NULL VARCHAR2(30)
  COLUMN_NAME           NOT NULL VARCHAR2(30)
  ENCRYPTION_ALG                 VARCHAR2(29)
  SALT                           VARCHAR2(3)

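An added audit query over this view (example code, not from the deck) that joins DBA_ENCRYPTED_COLUMNS with the standard DBA_IND_COLUMNS view, so a DBA can see in one result which encrypted columns are indexed (and therefore must be NO SALT) and which still use Triple DES rather than AES. The column names are those of the views; the substring test on ENCRYPTION_ALG assumes the descriptive algorithm text the view returns (for instance 'AES 192 bits key').

```sql
-- Added example: audit of encrypted columns (not from the presentation).
-- One row per encrypted column: algorithm, salt setting, number of
-- indexes that reference the column, and a note for 3DES columns.
-- ENCRYPTION_ALG holds a descriptive string (e.g. 'AES 192 bits key'),
-- so the algorithm family is matched on a substring; 'AES' does not
-- contain 'DES', so only the Triple DES columns are flagged.
SELECT e.owner,
       e.table_name,
       e.column_name,
       e.encryption_alg,
       e.salt,
       (SELECT COUNT(*)
          FROM dba_ind_columns i
         WHERE i.table_owner = e.owner
           AND i.table_name  = e.table_name
           AND i.column_name = e.column_name) AS index_count,
       CASE
         WHEN e.encryption_alg LIKE '%DES%'
           THEN 'Triple DES: candidate for REKEY USING ''AES256'''
         ELSE 'ok'
       END AS alg_note
  FROM dba_encrypted_columns e
 ORDER BY e.owner, e.table_name, e.column_name;
```

Any row with INDEX_COUNT greater than zero is expected to show SALT = 'NO'; any other combination should not exist, since the database rejects an index on a salted column, and a row that does show it indicates a dictionary inconsistency worth raising with support.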
Transparent Data Encryption
When you lose your wallet

Losing your wallet is the most secure way to delete your data
  A wallet cannot be recovered (even with the same wallet password)
  Wallet password and master key are not related
Recommendation: back up your wallet frequently
  After change of wallet password
  After change of master key
  After column rekey
Perform change of master key (master rekey) offline

Re-key the master key

Security policy might require periodic update
Command:

  ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "2naf1sh";

Password and master key are independent
Re-encrypts all column keys

Re-keying the column keys

Without changing the encryption algorithm:

  ALTER TABLE employee REKEY;

Re-key the column key and change the algorithm:

  ALTER TABLE employee REKEY USING 'AES256';

Change the algorithm without re-keying the column keys:

  ALTER TABLE employee ENCRYPT USING 'AES128';

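The master and column rekey commands from the last two slides, arranged as the procedure the recommendation slides ask for (back up the wallet before and after). This is an added example, not part of the deck; it assumes the wallet lives in $ORACLE_HOME/dbs as ewallet.p12, a constructed backup directory /secure/walletbak, and the employee table from the slides. The OS-level copy steps are comments because they are not SQL.

```sql
-- Added example (not from the presentation): rekey procedure with the
-- wallet backups the deck requires. Wallet path and backup directory
-- are assumptions for this example.

-- 0. Before any rekey, back up the current wallet at OS level, e.g.
--      cp $ORACLE_HOME/dbs/ewallet.p12 /secure/walletbak/ewallet.p12.before
--    Without a wallet holding the master key the data was encrypted
--    under, the data is unrecoverable.

-- 1. Master rekey, performed offline as the deck recommends. A new master
--    key is generated in the wallet and every column key is re-encrypted
--    under it; table data is NOT rewritten. The wallet password stays the
--    same (password and master key are independent). Old master keys are
--    kept in the wallet, which is why the number of rekeys is bounded by
--    the wallet size.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet#Pwd2007";

-- 2. Column rekey: a new column key is generated and every row of the
--    table is rewritten, so this is a full-table update; plan downtime.
ALTER TABLE employee REKEY;

-- 3. Column rekey combined with an algorithm upgrade to AES256
ALTER TABLE employee REKEY USING 'AES256';

-- 4. Back up the wallet again: the backup from step 0 no longer contains
--    the master key that now protects the column keys.
--      cp $ORACLE_HOME/dbs/ewallet.p12 /secure/walletbak/ewallet.p12.after

-- 5. Verify the algorithm now in force for each encrypted column
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE table_name = 'EMPLOYEE';
```

The order matters: a wallet backup taken only before the master rekey cannot open data encrypted afterwards, and one taken only afterwards is of no use if the rekey itself fails half way, so both copies are kept until the next rekey cycle.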
TDE and Data Guard

Figure (diagram): production database with a physical standby; redo is
shipped and applied on the standby (redo apply). The redo logs contain
encrypted data, and data stays encrypted on backup files.

Supported data types

varchar2
nvarchar2
number
date
binary_float (*)
binary_double (*)
timestamp
raw
char
nchar
interval day to second
interval year to month

TDE - Unsupported data types

LONG/LONG RAW
LOB/BLOB

  SQL> create table test (c1 long encrypt)
                                  *
  ORA-28330: encryption is not allowed for this data type

TDE - Unsupported database features

Materialized View logs
Streams
Sync and async CDC (Change Data Capture)
Direct path insert
LOBs
Transportable Tablespaces

TDE - restrictions

Transparent Data Encryption does not work with the following database
features:
  Index types other than B-tree
  Range scan search through an index
  Large object datatypes such as BLOB and CLOB
  Original import / export utilities
  Other database tools and utilities that directly access data files

How Oracle Advanced Security helps with CISP/PCI

Section 3.4: Render sensitive cardholder information unreadable anywhere
it is stored
  Transparent Data Encryption, part of the Oracle Advanced Security
  Option, encrypts any column with 3DES 128 bit or AES256, as required.
  Both TDE and Network Encryption, part of the Oracle Advanced Security
  Option, provide SHA-1 for hashing

How Oracle Advanced Security helps with CISP/PCI

Section 3.5 (incl. 3.5.1 and 3.5.2): Protect encryption keys against
both disclosure and misuse, restrict access and store securely.
  Transparent Data Encryption stores the master key in the Oracle
  Wallet, and the encrypted column keys in the database
  An intruder would need access to the OS file to get to the wallet and
  database access to get to the encrypted column keys.

How Oracle Advanced Security helps with CISP/PCI

Section 4: Encrypt transmission of cardholder and sensitive information
across public networks:
  Network Encryption, part of ASO, provides encryption of all traffic
  between Oracle Database and Oracle Application Server

Transparent Data Encryption
Recommendations

Do not misuse TDE as an authorization method
Do not encrypt all your data, only data that needs to be protected

Transparent Data Encryption
Recommendations (contd)

NEVER LOSE YOUR WALLET!!
  WITHOUT WALLET: DATA LOSS
BACK UP YOUR WALLET!!
  WITHOUT CURRENT WALLET: DATA LOSS
NEVER FORGET YOUR WALLET PASSWORD!
  WITHOUT WALLET PASSWORD: DATA LOSS

Transparent Data Encryption
Recommendations (contd)

Rekey Operations
  Rekey master key: how often?
    Depends on regulations (SB1386, Sarbanes-Oxley)
    Regularly, but not too often (~once a year)
    Maximum number of TDE master keys is limited due to limited wallet
    size
      10.2.0.2: max wallet size = 64k (~240 master keys)
      10.2.0.4: max wallet size = 4M (>15M)
  Rekey column key:
    Depending on your regulations
    Full table update

Transparent Data Encryption
Recommendations (contd)

Wallet Management
  Wallet password
    Initially set when the wallet is created:
      SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <wallet password>;
    Can be changed only in Wallet Manager (not via SQL or command line
    tool)
  Rekey (= generate new) master key
    Via SQL: SQL> alter system set encryption key ...
    Not from Wallet Manager
  Back up your wallet
    Backup of the wallet must be part of your backup / recovery strategy
    After change of wallet password
    After every rekey operation

Transparent Data Encryption
Recommendations (contd)

Wallet Management
  One encryption wallet per database
  Do not use an autologin wallet
  No support for multiple encryption_wallet_location entries
    Only one wallet location in sqlnet.ora

TDE in an SAP environment
TDE Candidates

Do NOT encrypt tables belonging to the SAP core application
  SAP system should be startable without the wallet
Do not encrypt tables used by BR*Tools
Do not encrypt all tables (~100 should be enough)
When a column is used in an index: non-salted

TDE Support in SAP BR*TOOLS

ENCRYPTION_WALLET_LOCATION parameter must be configured in sqlnet.ora to
override the Oracle default path
Location of the encryption wallet in an SAP environment:
  $ORACLE_HOME/dbs (Unix)
  %ORACLE_HOME%\database (Windows)
BR*Tools support backup and restore of the encryption wallet ewallet.p12
  Prerequisite: encryption wallet exists in $ORACLE_HOME/dbs resp.
  %ORACLE_HOME%\database
  Auto-login encryption wallet (cwallet.sso, if it exists) will not get
  backed up by BR*Tools

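The sqlnet.ora entry that the slide requires, as an added example fragment that is not part of the deck. The directory follows the SAP convention stated above ($ORACLE_HOME/dbs on Unix); /oracle/PRD/102_64 is a constructed ORACLE_HOME for a system with the constructed SID PRD and must be replaced with the real one, written as an absolute path.

```text
# Added example sqlnet.ora fragment (not from the presentation).
# Directory = $ORACLE_HOME/dbs as the SAP slide requires; the path
# /oracle/PRD/102_64 is a constructed ORACLE_HOME, replace with yours.
# Use an absolute path: the parameter is not expanded from environment
# variables.
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /oracle/PRD/102_64/dbs)))
```

With this in place, the first ALTER SYSTEM SET ENCRYPTION KEY creates ewallet.p12 in that directory, which is the file BR*Tools back up; an auto-login cwallet.sso created there by Wallet Manager is not backed up and, per the recommendation slides, should not be used for the encryption wallet at all.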
TDE Support in SAP Dictionary

No support for TDE in the SAP dictionary at the moment

Alternate Solutions

Instead of using TDE encryption you could also use one of the following
options:
  RMAN Backup Encryption (ASO required)
    currently under evaluation
    RMAN now creates encrypted backups that cannot be restored by
    unauthorized people
  Oracle Secure Backup (OSB)
    OSB provides an optimized, highly efficient tape backup solution for
    the Oracle Database. OSB can store data on tape in encrypted form,
    providing protection against theft of backup tapes.

Oracle Secure Backup

Integrated tape backup:
  Oracle databases (via RMAN) and file system data (operating system
  files on UNIX, Linux, Windows, NAS)
  Encryption of data to tape
    Data at-rest protection
    Tape data protection
  At the lowest cost
Figure (diagram): Oracle Secure Backup as centralized tape backup
management

Why Oracle Secure Backup?

Encryption of data to tape
  Protects against misuse of business data
  Oracle database manages encryption keys
Certificate based authentication
  Outside parties cannot impersonate a host
Reduces cost of secure tape backups
  Only $3,000 per tape device
  Runs on Linux, Windows & UNIX
  Supports over 200 tape devices

RMAN Backup Encryption

Oracle Recovery Manager (RMAN)
  Oracle default tool for database backups
  To disk (Flash Recovery Area) or tape (Media Management Layer, MML)
Encryption of backup
  Advanced Encryption Standard (AES)
  Authentication: via user-defined password or via Oracle Wallet
  ASO required
Figure (diagram): database, Flash Recovery Area, Media Management Layer
and tape devices

TDE / OSB / RMAN Backup Encryption

TDE
  Encryption of sensitive data in database files on OS / file-system level
  Encryption of sensitive data in backups (disk and tape)
  Encryption of sensitive data in archive logs (LogMiner)
  ASO license required
Oracle Secure Backup (OSB)
  Encryption of backups to tape only (not backup to disk)
  No encryption of sensitive data in database files
  No encryption of sensitive data in archive logs
  Requires separate OSB license
RMAN Backup Encryption (ASO required)
  Encryption of backups to disk and to tape
  No encryption of sensitive data in database files
  No encryption of sensitive data in archive logs
  ASO license required

For More Information

http://search.oracle.com
  Transparent Data Encryption
  Advanced Security
  Oracle Database Security Checklist
or
http://www.oracle.com/security

SAP Notes

http://service.sap.com/notes
974876: Transparent Data Encryption
973450: Network Encryption

Oracle Metalink Notes

https://metalink.oracle.com/
  Note 317311.1: 10g R2 New Feature TDE: Transparent Data Encryption
  Note 317317.1: How to Export/Import with Data Encrypted with
  Transparent Data Encryption (TDE)

Oracle Technology Network

Oracle Database 10g
  http://www.oracle.com/technology/products/database/oracle10g/index.html
Oracle Database Security
  http://www.oracle.com/technology/deploy/security/database-security/index.html
Oracle Advanced Security
  http://www.oracle.com/technology/deploy/security/database-security/advanced-security/index.html
Oracle Advanced Security Transparent Data Encryption TDE
  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html

Oracle Technology Network

TDE Frequently Asked Questions (FAQ)
  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/tde_faq.html
ASO Data Sheet
  http://www.oracle.com/technology/deploy/security/database-security/pdf/ds_security_db_advancedsecurity_10gR2_062006.pdf
Oracle Secure Backup
  http://www.oracle.com/database/secure-backup.html
Oracle Security Checklist
  http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

DOAG e.V. Server

Deutsche ORACLE-Anwendergruppe e.V.
Special Interest Days: Oracle + SAP
  http://www.doag.org/public/sig/sap/

TDE Pilot Customers Wanted
