Skip Headers

Oracle® Databa se Advanced Security Administrator's Guide
10g Release 1 (10.1)
Part Number B10772-01
Go to Documentation Home
Home		 Go to Bo ok List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go t o Master Index
Master Index		 Go to Feedback page
Feedback< /font>
Go to previous page
Previous
Next
 View PDF

3
Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

This chapter describes how to configure native Oracle Net Services data encryption and integrity for Oracl e Advanced Security. It contains the following topics:

Oracle Advanced Security Encryption

This section describes data encryption algorithms available in the current release of Oracle Advanced Security :

About Encryption

The purpose of a secure cryptosy stem is to convert plaintext data into unintelligible ciphertext based on a key, in such a way that it is very hard (computationally infeasibl e) to convert ciphertext back into its corresponding plaintext without knowledge of the correct key. In a symmetric cryptosystem, the same key is used both for encryption and decryption of the same data. Oracle Advanced Security provides the Advanced Encryption Stan dard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of Oracle Net Services traffic.

A dvanced Encryption Standard

In this release, the new Federal Inf ormation Processing Standard (FIPS) encryption algorithm, Advanced Encryption Standard (AES), is supported. AES can be used by all U. S. government organizations and businesses to protect sensitive data over a network. This encryption algorithm defines three standard key lengths, which are 128-bit, 192-bit, and 256-bit. All versions operate in outer Cipher Block Chaining (CBC) mode.

DES Algorithm Support

Oracle Advanced Security provides the Data Encryption Standard (DES) algorithm. DES has been a U.S. government standard for many years and i s sometimes mandated in the financial services industry. Because it has been a standard for so long, DES is deployed throughout the w orld for use in a wide variety of applications.

Triple-DES Support

Oracle Adv anced Security supports Triple-DES encryption (3DES), which encrypts message data with three passes of the DES algorithm. 3DES provid es a high degree of message security, but with a performance penalty. The magnitude of the performance penalty depends on the speed o f the processor performing the encryption. 3DES typically takes three times as long to encrypt a data block when compared to the stan dard DES algorithm.

3DES is available in two-key and three-key versions, with effective key lengths of 112-bits and 168-bits, respectively. Both versions operate in outer Ciph er Block Chaining (CBC) mode.

DES40 Algorithm

The DES40 algorith m, available in every release of Oracle Advanced Security, Oracle Advanced Networking Option, and Secure Network Services, is a varia nt of DES in which the secret key is preprocessed to provide 40 effective key bits. It was designed to provide DES-based encryption t o customers outside the U.S. and Canada at a time when the U.S. export laws were more restrictive. Now, in Oracle Advanced Security 1 0g Release 1 (10.1), DES40, DES, and 3DES are all available for export. DES40 is still supported to provide b ackward-compatibility for international customers.

RSA RC4 Algorithm for High Speed Encryption

The RC4 algorithm, developed by RSA Data Security Inc., has become the international standard for high-speed data e ncryption. RC4 is a variable key-length stream cipher that operates at several times the speed of DES, making it possible to encrypt large, bulk data transfers with minimal performance consequences.

Oracle Advanced Security 10g Release 1 (10.1) provides an RC4 implementation with 40-bit, 56-bit, 128-bit, and 256-bit key lengths. Th is provides backward-compatibility and strong encryption, with no material performance compromise.

See Also:
< !--TOC=h1-"1006239"-->

Oracle Advanced Security Data Integri ty

Encryption of network data provides data privacy so that unauthor ized parties are not able to view plaintext data as it passes over the network. Oracle Advanced Security also provides protection aga inst two forms of active attack:

Data Integrity Algorithms Supported

< /a>

Oracle Advanced Security lets you select a keyed, sequenced implementation of the Message Digest 5 (MD5) algorithm or the Secure Hash Algorithm (SHA-1) to protect against both of these forms of attack. Both of these hash algorithms create a checks um that changes if the data is altered in any way. This protection operates independently from the encryption process so you can enab le data integrity with or without enabling encryption.
See Also:

Diffie-Hellman Based Key Management

The secrecy of encrypted data depends upon the existence of a secret key shared between the communicating parties. A key is a secret exclusively shared by parties on both sides of a connection. Without the key, it is extremely difficult (computatio nally infeasible) to decrypt an encrypted message or to alter a cryptographic, checksummed message without detection. Providing and m aintaining such secret keys is referred to as key management.

Secure key distribution is di fficult in a multiuser environment. Oracle Advanced Security uses the well known Dif fie-Hellman key negotiation algorithm to perform secure key distribution for both encryption and data integrity.

When encryption is used to protect the security of encrypted data, keys must be changed frequently to minimize the effects of a compromised key. Accordingly, the Oracle Advanced Security key management function changes the session key with every session.

Authentication Key Fold-in

The purpose of Authenticat ion Key Fold-in is to defeat a possible third party attack (historically called the man-in-the-middle attack) on the Diffie-Hellman key negotiation. It strengthens the session key significantly by combining a shared secret, known only to the client and the server, with the original session key negotiated by Diffie-Hellman.

The clie nt and the server begin communicating using the session key generated by Diffie-Hellman. When the client authenticates to the server, they establish a shared secret that is only known to both parties. Oracle Advanced Security combines the shared secret and the Diffi e-Hellman session key to generate a stronger session key designed to defeat a man-in-the-middle attack.

< div align="center">
Note:

The authent ication key fold-in function is an imbedded feature of Oracle Advanced Security and requires no configuration by the system or networ k administrator.

How To Configure Data Encryption and Integrity

This section describes how to configure Oracle Advanced Security native Oracle Net Services encryption and integrity, and presumes the prior installation of Oracle Net Services.

The network or security admini strator sets up the encryption and integrity configuration parameters. The profile on client and server systems using data encryption and integrity (sqlnet.ora file) must contain some or all of the parameters listed in this section, under the following topics:

About Activating Encryption and Integrity

In any netwo rk connection, it is possible for both the client and server to each support more than one encryption algorithm and more than one int egrity algorithm. When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in th e sqlnet.ora files.

The server searches for a match between the algorithms available on bot h the client and the server, and picks the first algorithm in its own list that also appears in the client list. If one side of the c onnection does not specify an algorithm list, all the algorithms installed on that side are acceptable. The connection fails with err or message ORA-12650 if either side specifies an algorithm that is not installed.

Encryption and integrity parameters are defined by modifying a sqlnet.ora file on the clients and the servers on the network.

You can choose to configure any or all of the available Oracle Advanced Security encryption al gorithms (Table 3-2), and either or both of the available integrity algorithms (Table 3-3). Only one encryption algorithm and one integrity algorithm are used for each connect session.

Note:

Oracle Advanced Security selects the first encryption algorithm and the first integrity algorithm enabled on the cli ent and the server. Oracle Corporation recommends that you select algorithms and key lengths in the order in which you prefer negotia tion, choosing the strongest key length first.

See Also:

Appendix A, "Data Encryption and Integrity Parameters"

About Negotiating Encryption and Integrity

To negotiate whether to turn on encryption or integrity, you can specify four p ossible values for the Oracle Advanced Security encryption and integrity configuration parameters. The four values are listed in the order of increasing security. The value REJECTED provides the minimum amount of security between client and s erver communications, and the value REQUIRED provides the maximum amount of network security:

The default value for each of the parameters is ACCEPTED.

< !--TOC=h3-"1006402"-->

REJECTED

< a name="1006403">

Select this value if you do not elect to enable the security service, even if required by the ot her side.

In this scenario, this side of the connection specifies that the security service is not permitted. If the other side is set to REQUIRED, the connection terminates with error message O RA-12650. If the other side is set to REQUESTED, ACCEPTED, or REJECTED, the connection continues without error and without the security service enabled.

ACCEPTED

Select this value to enable the security service if required or requested by the other side.

In this scenario, this side of the conn ection does not require the security service, but it is enabled if the other side is set to REQUIRED or REQUESTED. If the other side is set to REQUIRED or REQUESTED, and an encryption or integrity algorithm match is found, the connection continues without error and with the security service enabled. If the other side is set to REQUIRED and no algorithm match is found, the connection terminates wi th error message ORA-12650.

If the other side is set to REQUESTED and no algor ithm match is found, or if the other side is set to ACCEPTED or REJECTED, the connection continues without error and without the secu rity service enabled.

REQUESTED

Select this value to enable the security serv ice if the other side permits it.

In this scenario, this side of the connection specifies t hat the security service is desired but not required. The security service is enabled if the other side specifies ACCEPTED, REQUESTED , or REQUIRED. There must be a matching algorithm available on the other side--otherwise the service is not enabled. If the other sid e specifies REQUIRED and there is no matching algorithm, the connection fails.

REQUIRED

Select this value to enable the security service or preclude the connection.

In this scenario, this side of the connection specifies that the security service must be ena bled. The connection fails if the other side specifies REJECTED or if there is no compatible algorithm o n the other side.

Table 3-1 shows whether the secur ity service is enabled, based on a combination of client and server configuration parameters. If either the server or client has spec ified REQUIRED, the lack of a common algorithm causes the connection to fail. Otherwise, if the service is en abled, lack of a common service algorithm results in the service being disabled.

Table 3-1 Encrypti on and Data Integrity Negotiations
< td class="Formal">

REQUESTED

< td class="Formal">

REQUIRED

Client Setting Server Setting Encryption and Data Negotiation

REJECTED

REJECTED

OFF

ACCEPTED

REJECTED

OFF

REQUESTED

REJECTED

OFF

REQUIRED

REJECTED

Connection fails

REJECTED

ACCEPTED

OFF

ACCEPTED

ACCEPTED

OFFFoot 1

A CCEPTED

ON

REQUIRED

ACCEPTED

ON

REJECTED

REQUESTED

OFF

ACCEPTED

 < p class="TB">REQUESTED

ON

REQUESTED

 < /a>

REQUESTED

ON

REQUIRED

REQUESTED

ON

REJECTED

REQUIRED

Connection fails

ACCEPTED

REQUIRED

ON

REQUESTED

REQUIRED

ON

REQUIRED

ON

< tr class="TableNote" align="left" valign="top">
1 This value d efaults to OFF. Cryptography and data integrity are not enabled until the user changes this parameter by using Oracle Net Manager or by modifying the sqlnet.ora file.

Setting the Encryption Seed (Optional)

Several seeds are used to generate a random number on the client and on the server. One of the seed s that can be used is a user-defined encryption seed. This is set with the sqlnet.crypto_seed parameter in the sql net.ora file. It can be 10 to 70 characters in length and changed at any time. The Diffie-Hellman key exchange uses the random numbers to generate unique session keys for every connect session.

Configuring Encryption and Integrity Parameters Using Oracle Net Manager

You can set up or change encryption and integrity parameter settings using Oracle Net Manager. This section describes the following topics:

Configuring Encryption on the Client and the Server< /h4>

Use Oracle Net Manager to configure encryption on the client and on the ser ver (See "Starting Oracle Net Manager"):

  1. Navigate to the Oracle Advanced Security profile (See "Navigating to the Oracle Advanced Security Profile") The Oracle Advanced Sec urity tabbed window appears (Figure 3-1):

Figure 3-1 Oracle Advanced Security Encryption Window

Text description of asoencry.gif follows.

Text description of the illustration asoencry.gif

  1. Choose the Encryption tab.
  2. Depending upon which system you are configuring, select CLIENT or SERVER from the pull-down list.
    3. From the Encryption Type list, select one of the following:
  3. (Optional) In the Encryption Seed field, ente r between 10 and 70 random characters; the encryption seed for the client should not be the same as that for the server.
  4. Select an encryption algorithm in the Available Methods list. Move it to the Selected Methods list by choosing the right arrow [>]. Repeat for each additional method you want to use.
  5. Choose File > Save Network Configuration. The sqlnet.ora file is upd ated.
  6. Repeat this procedure to configure encryption on the other system . The sqlnet.ora file on the two systems should contain the following entries:
    • On the server: 
      SQLNET.ENCRYPTION_SERVER = [acce
pted | rejected | requested | required]
SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_
encryption_alg
orithm])
    • On the c lient: 
      SQLNET.ENCRYPTION_CLIENT = [accepted | reje
cted | requested | required]
SQLNET.ENCRYPTION_TYPES_CLIEN
T = (valid_encryption_algorithm [,valid_
encryption_algorithm])

    Valid encryption algorithms and their associated legal values are summarized by Table 3-2:

    Table 3-2 Valid Encryption Algorithms
    Algorithm Name Legal Value

    RC4 256-bit key

    RC4_256

    RC4 128-bit key

    RC4_128

    RC4 56-bit key

    RC4_56

    RC4 40-bit key

    RC4_40

    AES 256-bit key

    AES256

    AES 192-bit key

    AES192

    AES 128-b it key

    AES128

    3-key 3DES

    3DES168

    2-key 3DES

    3DES112

    DES 56-bit key

    DES

    DES 40-bit key

    DES40

    Configuring Integrity on the Client and the Server

    Use Oracle Net Manager to configure data integrity on the client and on the server (See "Starting Oracle Net Manager"):

    1. Navigate to the Oracle Advance d Security profile. (See "Navigating to the Oracle Advanced Security Profile") The Oracle Advanced Security tabbed window appears (Figure 3-2):

    Figure 3-2 Oracle Advanced Security Integrity Wind ow

    Text description of cfig0002.gif follows.

    Text description of the illustration cfig0002.gif

    1. Choose the Integrity tab.
    2. Depending upon which system you are configuring, choose the Server or Client< /strong> check box.
    3. From the Checksum Level list, select one of the following checksum level values:
      • REQUE STED
      • REQUIRED
      • ACCEPTED< /li>
      • REJECTED
    4. < /a>Select an integrity algorithm in the Available Methods list. Move it to the Sel ected Methods list by choosing the right arrow [>]. Repeat for each additional method you w ant to use.
    5. Choose File > Save Network Configuration. The sqlnet.ora file is updated.
    6. Repeat this procedure to configure integrity on the other system. The sqlnet.ora file on the two sys tems should contain the following entries:
      • On the server: 
        SQLNET.CRYPTO_CHECKSUM_SERVER = [accepted | rejected
 | requested | 
required]
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER =
 (valid_crypto_checksum_algorithm 
[,valid_crypto_checksum_algorithm])
        • On the client: 
        SQLNET.CRYPTO_CHECKSUM_CLIENT
= [accepted | rejected | requested | 
requ
ired]
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (valid_crypto_checksum_algorithm 
[,valid_c
rypto_checksum_algorithm])

      Valid integrity algorit hms and their associated legal values are displayed by Table 3-3:

      Table 3-3 Valid In tegrity Algorithms
      Algorithm Name Legal Values

      MD5

      MD5

      SHA-1

      SHA1

Go to previous page Previous
Go to next page
Next
 Oracle
Copyright © ; 1996, 2003 Oracle Corporation
All Rights Reserved.
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go to Master Index
Master Index		 Go to Feedback page
Feedback