1
Introduction to Oracle Advanced Security

All of these strategies compromise pass word secrecy and service availability. Moreover, administration of multiple user accounts and passwords is complex, time-consuming, a nd expensive.

Solving Security Challenges with Oracle Advanced Security

To so lve enterprise computing security problems, Oracle Advanced Security provides industry standards-based data privacy, integrity, authe ntication, single sign-on, and access authorization in a variety of ways. For example, you can configure either Oracle Net native enc ryption or Secure Sockets Layer (SSL) for data privacy. Oracle Advanced Security also provides the choice of several strong authentic ation methods, including Kerberos, smart cards, and digital certificates.

Oracle Advanced S ecurity provides the following security features:

• Data Encryption
• Strong A uthentication
• Enterprise User Management

D ata Encryption

Sensitive information that travels over enterprise ne tworks and the Internet can be protected by encryption algorithms. An encryption algorithm transforms information into a form that ca n be deciphered with a decryption key.

Figure 1-1 s hows how encryption works to ensure the security of a transaction. For example, if a manager approves a bonus, this data should be en crypted when sent over the network to avoid eavesdropping. If all communication between the client, the database, and the application server is encrypted, then when the manager sends the bonus amount to the database, it is protected.

Figure 1-1 Encryption

Text description of the illustration as oag037.gif

This section discusses the following topics:

• Supported Encryption Algorithms
• Data Integrity
• Federal Information Processing Standard

Supported Encryption Algorithms

Oracle Advanced Security provides the following encryption algorithms to protect the privacy of network data transmissions:

• RC4 Encryption
• DES Encryption
• Triple-DES Encryption
• Advanced Encryption Standard

Selecting the network encryption algorithm is a user configuration option, providing varying levels of security and performance for different types of data transfers.

Prior versions of Oracle Advanced Security provided thre e editions: Domestic, Upgrade, and Export--each with different key lengths. 10g Release 1 (10.1) contains a c omplete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition. Users d eploying prior versions of the product can obtain the Domestic edition for a specific product release.

RC4 Encryption

The RC4 encryption m odule uses the RSA Security, Inc., RC4 encryption algorithm. Using a secret, randomly-generated key unique to each session, all netwo rk traffic is fully safeguarded--including all data values, SQL statements, and stored procedure calls and results. The client, serve r, or both, can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implement ation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key len gths of 40-bits, 56-bits, 128-bits, and 256-bits.

DES Encryption

Oracle Advan ced Security implements the U.S. Data Encryption Standard algorithm (DES) with a standard, optimized 56-bit key encryption algorithm, and also provides DES40, a 40-bit version, for backward compatibility.

Triple-DES Encryption

Oracle Advanced Security also supports Triple-DES encryption (3DES), which encrypts message data with three passes o f the DES algorithm. 3DES provides a high degree of message security, but with a performance penalty. The magnitude of penalty depend s on the speed of the processor performing the encryption. 3DES typically takes three times as long to encrypt a data block as compar ed with the standard DES algorithm.

3DES is available in two-key and three-key versions, wi th effective key lengths of 112-bits and 168-bits, respectively. Both versions operate in outer Cipher Block Chaining (CBC) mode.

Advanced Encryption Standard

Approved by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) P ublication 197, Advanced Encryption Standard (AES) is a new cryptographic algorithm standard developed to replace DES. AES is a symme tric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are refer red to as AES-128, AES-192, and AES-256, respectively. All three versions operate in outer-CBC mode.

Data Integrity

To ensure the integrity of data packets d uring transmission, Oracle Advanced Security can generate a cryptographically secure message digest--using MD5 or SHA-1 hashing algor ithms--and include it with each message sent across a network.

Data integrity algorithms ad d little overhead, and protect against the following attacks:

• Data modification
• Deleted packets
• Replay attacks

  Note: SHA-1 is slightly slow er than MD5, but produces a larger message digest, making it more secure against brute-force collision and inversion attacks.

  See Also: Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients", for information about MD5 and SHA-1.

Federal Information Processing Standard

Oracle Advanced Security Release 8.1.6 has been validated under U.S. Federal Information Processing Standard 140-1 (FIPS) at the Level 2 security level. This provides independent c onfirmation that Oracle Advanced Security conforms to federal government standards. FIPS configuration settings are described by Appendix D, "Oracle Advanced Security FIPS 140-1 Settings".

Strong Authentication

Authentication is used to prove the identity of the user. Authenticating user identity is impe rative in distributed environments, without which there can be little confidence in network security. Passwords are the most common m eans of authentication. Oracle Advanced Security enables strong authentication with Oracle authentication adapters that support vario us third-party authentication services, including SSL with digital certificates.

Figure 1-2 shows user authentication with an Oracle database configured to use a third-party authentica tion server. Having a central facility to authenticate all members of the network (clients to servers, servers to servers, users to b oth clients and servers) is one effective way to address the threat of network nodes falsifying their identities.

Figure 1-2 Strong Authentication with Oracle Authentication Ada pters

Text description of the illustration asoag035.gif

This section cont ains the following topics:

• Cent ralized Authentication and Single Sign-On
• S upported Authentication Methods

Centralized Authentication and Single Sign-On

Centralized authentication also provides the benefit of single sign-on (S SO) for users. Single sign-on enables users to access multiple accounts and applications with a single password. A user only needs to log on once and can then automatically connect to any other service without having to give a username and password agai n. Single sign-on eliminates the need for the user to remember and administer multiple passwords, reducing the time spent logging int o multiple services.

How Centralized Network Authentication Works

Figure 1-3 shows how a centralized network authentication service typically operates:

Figure 1-3 How a Network Authentication Service Authenticates a User

Text description of the illustration asoag012.gif

1. A user (client) requests authentication services and provides identifying information, such as a token o r password.
2. The authentication server validates the user's identity and passes a ticket or credentials back to the client, which may include an expiration time.
3. The client passes these credentials to the Oracle server concurrent with a service request, such as connection to a database.
4. The server sends the credentials back to the authentication server for authentication.
5. If the authentication server accepts the cr edentials, then it notifies the Oracle Server, and the user is authenticated.
6. If the authentication server does not accept the credentials, then authentication fails, and the service request is denied.

Suppo rted Authentication Methods

Oracle Advanced Security supports the fo llowing industry-standard authentication methods:

• Kerberos
• RADIUS (Remote Authentication Dial-In User Service)
• DCE (D istributed Computing Environment)
• Secure So ckets Layer (with digital certificates)
• Ent rust/PKI

Kerberos

Oracle Advanced Sec urity support for Kerberos provides the benefits of single sign-on and centralized authentication of Oracle users. Kerberos is a trus ted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Ke rberos authentication server. See Chapter 6, "Configuring Kerberos Authentication" for informa tion about configuring and using this adapter.

RADIUS (Remote Authentication Dial-In User Service)

RADIUS is a client/server security protocol that is most widely known for enabling remote authentication and access. Oracle Advanc ed Security uses this standard in a client/server network environment to enable use of any authentication method that supports the RA DIUS protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards and smart cards. See Chapter 5, "Configuring RADIUS Authentication" for information about configuring and using this adapter.

• Smart Cards

  A RADIUS-compliant smart card is a credit card-like hardware device. It has memory and a processor and is read by a smart card reader located at the client workstation.

• Token Cards

  Token cards (SecurID or RADIUS-compliant) can improve ea se of use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentica tion service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) that the user enters into a token card. The token card provides a response (another number cryptographically derived from the challenge) that the user enters and sends to the server.

  You can use SecurID tokens th rough the RADIUS adapter.

DCE (Distributed Computing Environment)

D CE is a set of integrated network services that works across multiple systems to provide a distributed environment. Oracle DCE Integr ation consists of the following two components:

• DCE Communicat ion/Security
• DCE Cell Directory services Native Naming

Oracle DCE Integration provides applications the flexibility to have different levels of integration with DC E services. Depending on the need, applications can choose to integrate very tightly with the DCE services or choose to plug in the o ther security authentication services provided by Oracle Advanced Security. See Chapter 10, "Conf iguring Oracle DCE Integration" for information about configuring and using this adapter.

Secure Sockets Layer

Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. S SL provides authentication, data encryption, and data integrity.

The SSL protocol is the foundation of a public key infras tructure (PKI). For authentication, SSL uses digital certificates that comply with the X.509v3 standard, and a public and private key pair.

Oracle Ad vanced Security SSL can be used to secure communications between any client and any server. You can configure SSL to provide authenti cation for the server only, the client only, or both client and server. You can also configure SSL features in combination with other authentication methods supported by Oracle Advanced Security (database usernames and passwords, RADIUS, and Kerberos).

To support your PKI implementation, Oracle Advanced Security includes the following features in addition to SSL:

• Oracle wallets, where you can store PKI credentials
• Oracle Wallet Manager, which you can use to manage your Oracle wallets
• Certificate validation with certificate revocation lists (CRLs)
• Hardware security module support

  See Also: Chapter 7, "Configuring Secure Sockets Layer Authentication" for conceptual, con figuration, and usage information about SSL, certificate validation, and hardware security modules. < a name="1008380">Chapter 8, "Using Oracle Wallet Manager" for information about using thi s tool to manage Oracle wallets. Chapter 9, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security" for information about configuring SSL in com bination with other authentication methods.

Oracle Advanced Security supports the public key infrastructure provided by the Entrust/PKI software from Entrust Technologies, Inc. Entrust-enabled Oracle Advanced Security lets Entrust users incorporate Entrust single sign-on into their Oracle a pplications, and it lets Oracle users incorporate Entrust-based single sign-on into Oracle applications. See Appendix F, "Entrust-Enabled SSL Authentication" for more information about this feature.

Enterprise User Management

Enterprise user management is provided by the Enterprise User Security feature of Oracle Advanced Security. Enterprise User Security enables storing database users and their corresponding administrative and secur ity information in a centralized directory server.

Figure&nb sp;1-4 shows how a directory server can be used to provide centralized storage and management of user account, user role, and aut hentication information.