Release 8.1.5
A67766-01
 Library |
 Product |
 Contents |
 Index |
| Oracle Advanced Security Administrator's Guide Release 8.1.5 A67766-01 |
|
This chapter covers the following topics:
This section discusses and compares the various encryption algorithms used in both the domestic and the export version of the Oracle Advanced Security option.
Due to export controls placed on encryption technology, the Oracle Advanced Security option is available in a Domestic Version and an Export Version.
In certain circumstances, a special license may be obtained to export 56-bit encryption or the entire domestic version. Licenses are generally available to wholly owned subsidiaries of US corporations. Special licenses can be obtained to allow banks to have the export version updated to include DES. Export and import regulations vary from country to country and change from time to time, so it is important to check on current restrictions in your area.
This section discusses and compares the following encryption algorithms and their uses.
The Oracle Advanced Security option for Domestic Use provides the DES (Data Encryption Standard) algorithm for customers with specialized encryption needs. DES has been a U.S. government standard for many years and is sometimes mandated in the financial services industry. In most specialized banking systems today, DES is the algorithm used to protect large international monetary transactions. The Oracle Advanced Security option allows this high-security system to be used to protect any kind of application, without any custom programming.
In a secure cryptosystem, the plaintext (a message that has not been encrypted) can not be recovered from the ciphertext (the encrypted message) except by using the secret decryption key. In a "symmetric cryptosystem", a single key serves as both the encryption and the decryption key. DES is a secret-key, symmetric cryptosystem: both the sender and the receiver must know the same secret key, which is used both to encrypt and decrypt the message. DES is the most well-known and widely-used cryptosystem in the world.
The DES40 algorithm, available internationally, is a variant of DES in which the secret key is preprocessed to provide 40 effective key bits. It is designed for use by customers outside the USA and Canada who want to use a DES-based encryption algorithm. This feature gives commercial customers a choice in the algorithm they use, regardless of their geographic location.
The RC4 algorithm, developed by RSA Data Security Inc., has quickly become the de-facto international standard for high-speed data encryption. Despite ongoing attempts by cryptographic researchers to "crack" the RC4 algorithm, the only feasible method of breaking its encryption known today remains brute-force, systematic guessing, which is generally infeasible. RC4 is a stream cipher that operates at several times the speed of DES, making it possible to encrypt even large bulk data transfers with minimal performance consequences.
RC4 is a variable key-length stream cipher. The Oracle Advanced Security option release 8.1.5 for domestic use offers an implementation of RC4 with 56 bit and 128 bit key lengths. This provides strong encryption with no sacrifice in performance when compared to other key lengths of the same algorithm.
Oracle has obtained special license to export the RC4 data encryption algorithm with a 40-bit key size to virtually all destinations where other Oracle products are available. This makes it possible for international corporations to safeguard their entire operations with fast, strong cryptography.
The SSL feature of the Oracle Advanced Security option allows the use of triple-DES. This form of encryption involves encrypting input data three times, and this can occur in a number of ways. A potential drawback of triple-DES, depending on the speed of your communications channel, is that it requires more computing power than normal DES.
Encryption of network data provides data privacy, so no unauthorized party is able to view the plaintext data as it passes over the network. The Oracle Advanced Security option also provides protection against two other forms of attack: data modification attack and replay attack.
In a data modification attack, an unauthorized party on the network intercepts data in transit and changes portions of that data before retransmitting it. An example of this would be to change the dollar amount of a banking transaction.
In a replay attack, an entire set of valid data is repeatedly interjected onto the network. An example would be to repeat a valid bank account transfer transaction.
The Oracle Advanced Security option uses a keyed, sequenced implementation of the MD5 message digest algorithm to protect against both of these forms of active attack. This protection is activated independently from the encryption features provided.
The secrecy of encrypted data depends on the existence of a secret key shared between the communicating parties. Providing and maintaining such secret keys is known as "key management." In a multi-user environment, secure key distribution may be difficult; public-key cryptography was invented to solve this problem. The Oracle Advanced Security option uses the public-key based Diffie-Hellman key negotiation algorithm to perform secure key distribution for both encryption and crypto-checksumming.
When encryption is used to protect the security of encrypted data, keys should be changed frequently to minimize the effects of a compromised key. For this reason, the Oracle Advanced Security option key management facility changes the session key with every session.
The Oracle Advanced Security option includes the Diffie-Hellman key negotiation algorithm to choose keys both for encryption and for checksumming.
A key is a secret shared by both sides of the connection and by no one else. Without the key, it is extremely difficult to decrypt an encrypted message or to tamper undetectably with a crypto-checksummed message.
The purpose of the Authentication Key Fold-in encryption enhancement is to defeat a possible "person-in-the-middle attack" on the Diffie-Hellman key negotiation. It strengthens the session key significantly by combining a shared secret (which is known only to both the client and the server), with the original session key negotiated by Diffie-Hellman.
The client and the server begin communicating using the session key generated by Diffie-Hellman. When the client authenticates itself to the server, there is a shared secret that is only known to both sides. The Oracle Advanced Security option then combines the shared secret and Diffie-Hellman session key to generate a stronger session key that would defeat the person-in-the-middle who has no way of knowing the shared secret.
The authentication key fold-in encryption enhancement feature is included in the Oracle Advanced Security option and requires no configuration by the system or network administrator.
These configuration instructions assume that your Net8 network software has already been installed and is running.
As a network administrator, you set the encryption and checksumming configuration parameters.
The profile (sqlnet.ora) on clients and servers using encryption and checksumming must contain some or all of the parameters listed below.
In any network connection, it is possible that both ends (client and server) may support more than one encryption algorithm and more than one cryptographic checksumming algorithm. When each connection is made, the server decides which algorithm to use, if any, based on the algorithms specified in the sqlnet.ora files.
When the server is trying to find a match between the algorithms it has made available and the algorithms the client has made available, it picks the first algorithm in its own list that also appears in the client's list. If one side of the connection does not specify a list of algorithms, all the algorithms that are installed on that side are acceptable.
Encryption and checksumming parameters are defined by modifying a sqlnet.ora file for the clients and servers on your network.
To negotiate whether to turn on encryption or checksumming, you can specify four possible values for four of the Oracle Advanced Security option configuration parameters, each of which is described below:
The default value for these four parameters is ACCEPTED.
Turn on the security service if the other side wants it.
My side of the connection does not desire the security service, but it will be allowed if the other side asks with a setting of REQUIRED or REQUESTED. If the other side is set to REQUIRED or REQUESTED, and an algorithm match is found, the connection will continue without error and with the security service turned on. If the other side is set to REQUIRED and no algorithm match is found, the connection will terminate with error message ORA-12650.
If the other side is set to REQUESTED and no algorithm match is found, or if the other side is set to ACCEPTED or REJECTED, the connection will continue without error and without the security service enabled.
Do not turn on the security service even if the other side wants it.
My side of the connection specifies that the security service is not allowed. If the other side specifies REQUIRED, the connection will terminate with error message ORA-12650. If the other side is set to REQUESTED, ACCEPTED, or REJECTED, the connection will continue without error and without the security service enabled.
Turn on the security service if the other side allows it.
My side of the connection specifies that the security service is desired, but not required. The security service will be active if the other side specifies ACCEPTED, REQUESTED, or REQUIRED. There must be a matching algorithm available on the other side, otherwise the service will not be activated. If the other side specifies REQUIRED and there is no matching algorithm, the connection fails.
Turn on the security service or do not make the connection.
My side of the connection specifies that the security service must be activated. The connection will fail if the other side specifies REJECTED or if there is no compatible algorithm on the other side.
The following table shows whether or not the security service will be turned on based on a combination of client and server configuration parameters. If either the server or client has specified REQUIRED, lack of a common algorithm will cause the connection to fail. Otherwise, if the service would be on, lack of a common service algorithm will result in the service being turned off.
|
More Information:
For a description of each parameter and a sample configuration file using encryption and checksumming, see Appendix A, "Encryption and Checksumming Parameters" For more detailed configuration information, see the Net8 Assistant HELP system. |
You can enter or change encryption and checksumming parameter settings by using any text editor to modify the sqlnet.ora file or by using the Net8 Assistant.
This graphical interface tool makes it easy to set parameters in the sqlnet.ora file and other Oracle8i configuration files.
In the Net8 Assistant's left pane, click the Profile folder. Then go to the drop down list box at the top of the right pane, and select Advanced Security Option. The tabbed pages for the Oracle Advanced Security option appear.
Go to the menu bar and click File > Save Network Configuration.
| Use the Net8 Assistant... | ...or modify SQLNET.ORA |
|---|---|
|
Refer to Figure 2-1.
Note: The encryption seed for the client should not be the same as that for the server. |
On the Server, set the following parameters:
Note: The encryption seed for the server should not be the same as that for the client. On the Client, set the following parameters:
Note: The encryption seed for the client should not be the same as that for the server. For valid encryption algorithms: See "Encryption and Checksumming Parameters". |
| Use the Net8 Assistant... | ...or modify SQLNET.ORA |
|---|---|
|
Refer to Figure 2-2.
|
On the Server, set the following parameters:
On the Client, set the following parameter:
Note: Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm. |
