
Andreas Becker, DOAG Special Interest Day ORACLE und SAP, 27.6.2007


Transparent Data Encryption
DOAG SID SAP & Oracle – June 2007

Andreas Becker, Senior Member Technical Staff, Oracle Server Technologies - SAP Development


Agenda

• Transparent Data Encryption
  • Technical Overview
  • Demo
  • Technical Restrictions/Recommendations
  • Configuration and Support in SAP Environments

• Alternatives
  • RMAN Backup Encryption
  • Oracle Secure Backup


Encryption

• Network Encryption
  • Encryption of data in motion

• Transparent Data Encryption
  • Encryption of data at rest


“JP Morgan Chase has alerted thousands of its Chicago-area millionaire clients, as well as some of its own employees, that it cannot locate a computer tape containing their account information and Social Security numbers.”

JP Morgan Client Data Loss, The Wall Street Journal, May 2007


The Need for Encryption

• Worldwide privacy, security laws and regulations
  • Sarbanes-Oxley
  • PCI (Payment Card Industry)
  • California SB 1386 (Nationwide soon?)
  • Country-specific laws

Customer credit card numbers

Disks replaced for maintenance

Laptops stolen, backups lost

Data worthless if encrypted


Database Encryption Release < 10.2

• Oracle8i, Oracle9i and Oracle Database 10g provided a PL/SQL API for encrypting data in the Enterprise Edition
  • DBMS_OBFUSCATION_TOOLKIT in Oracle9i, Oracle10g
  • DBMS_CRYPTO in Oracle Database 10g

• Application calls PL/SQL API to perform encryption
  • Typically requires database triggers, database views
  • No automated key management
  • Note that most 3rd party solutions today create triggers and views to make their encryption solution look transparent
  • Oracle encryption APIs are used by customers today to encrypt credit card numbers


What our customers wanted

• “Privacy / regulatory compliance” (SB 1386, CISP/PCI)
• “Protection for data on backup tapes”
• “Additional protection against operating system / data file theft”
• “Media theft / disk replacement”
• “Let the database handle all aspects of encryption, not the application”
• “Make it easy and secure”


Transparent Data Encryption

• Integrated with the Oracle database for simplicity
  • Alter table encrypt column …

• Provides application transparency
  • No API calls, database triggers or views required

• Media protection of PII data
  • Social security numbers
  • Credit card numbers

• Performance
  • Works with existing indexes for equality searches


TDE Key Features

• Encryption/Decryption inside of the database
• Simple SQL syntax:
  SQL> ALTER TABLE customers MODIFY (creditcardno ENCRYPT);
• Requires Advanced Security Option!
  • Only with Oracle Enterprise Edition
• TDE keys are managed by Oracle
• Protects against unauthorized access to the database on file system level / OS level


TDE Key Features

• Simple and easy encryption of sensitive data
  • Views or triggers are NOT needed
• Protects confidential data without the overhead of key management
• Data on disk is encrypted, but decryption is transparent for the application


Overview – the Big Picture

Diagram: data written to disk is automatically encrypted; data is automatically decrypted through the SQL interface; data is encrypted on backup files. Oracle Advanced Security components shown: Network Encryption, Strong Authentication, Transparent Data Encryption.


Separation of duties

Diagram: the DBA starts up the database; the Security DBA opens the wallet containing the master key. The wallet password is separate from the SYSTEM or DBA password; the DBA has no access to the wallet.


Master key and column keys

Diagram: the master key is stored in a PKCS#12 wallet; column keys are encrypted by the master key; column keys encrypt the data in the columns. The Security DBA opens the wallet containing the master key.


Transparent Data Encryption
Configuration steps

5 steps to set up TDE:
1. Identify tables and columns containing sensitive data
2. Does TDE support the datatype of the column?
3. Is the column part of a foreign key? (should not be relevant in SAP environments)
4. Set up and initialize wallet and master key
5. Encrypt existing data and new data in the encrypted table column


DEMONSTRATION

Transparent Data Encryption (TDE)


Prepare the Database

• Create a wallet and generate the master key:
  alter system set encryption key identified by "e3car61";

• Open the wallet:
  alter system set encryption wallet open identified by "e3car61";


Encrypting columns

• Encrypt a column in an existing table:
  alter table credit_rating modify (person_id encrypt);

• Create a new table with an encrypted column:
  create table orders (
    order_id    number(12),
    customer_id number(12),
    credit_card varchar2(16) encrypt
  );


Which algorithms are used?

• Default: AES with 192 bits:
  alter table credit_rating modify (person_id encrypt);

• Example with other algorithms:
  create table employee (
    first_name varchar2(64),
    last_name  varchar2(64),
    empID      NUMBER encrypt using 'AES256',
    salary     NUMBER(6) encrypt using 'AES256'
  );


TDE – Available Algorithms

• Triple DES (Data Encryption Standard): 3DES168
• AES (Advanced Encryption Standard): AES128, AES192 (default), AES256


Performance?

• Equality searches possible when not salted

  alter table credit_rating modify (person_id encrypt no salt);   -- encrypt person_id

  create index person_id_idx on credit_rating (PERSON_ID);        -- create index over encrypted column

  select score from credit_rating where PERSON_ID='235901';       -- application remains unchanged


Transparent Data Encryption
Overhead

Storage
• 33-48 bytes per row per encrypted column

Performance
• ~5%
• Very customer/system specific
• Depends on
  • # tables
  • Size of tables
  • How tables are accessed


Transparent Data Encryption
SALT vs. NO SALT

SALT
• A random string is added to the clear text before it is encrypted
• Multiple occurrences of the same clear text appear different when encrypted with salt
• Increased security
  • Against pattern matching attacks from hackers
• But: encrypted columns which are part of an index must be encrypted with NO SALT


Transparent Data Encryption
Change Wallet Password

• Wallet password is independent from
  • master key
  • column keys
  • SYSTEM password
  • SYS password

• Wallet Manager supports password policy
  • At least 8 characters
  • Must contain number or special characters


Transparent Data Encryption
Export of table data

Export of encrypted data is only supported with Data Pump:

• Using ‘exp’ utility:
  EXP-00107: Feature (string) of column string in table string.string is not supported. The table will not be exported.

• Using ‘expdp’ Data Pump without encryption password:
  ORA-39173: Encrypted data has been stored unencrypted in dump file set.

• Using ‘expdp’ Data Pump with encryption password: OK


TDE Administration

SQL> desc dba_encrypted_columns
Name                     Null?    Type
------------------------ -------- -------------
OWNER                    NOT NULL VARCHAR2(30)
TABLE_NAME               NOT NULL VARCHAR2(30)
COLUMN_NAME              NOT NULL VARCHAR2(30)
ENCRYPTION_ALG                    VARCHAR2(29)
SALT                              VARCHAR2(3)


Transparent Data Encryption
When you lose your wallet…

• Losing your wallet is the most secure way to delete your data
• A wallet cannot be recovered (even with the same wallet password)
• Wallet password and master key are not related
• Recommendation: back up your wallet frequently
  • After change of wallet password
  • After change of master key
  • After column rekey
• Perform change of master key (master rekey) offline


Re-key the master key

• Security policy might require periodic update
• Command:
  alter system set encryption key identified by "2naf1sh";
• Password and master key are independent
• Re-encrypts all column keys


Re-keying the column keys

• Without changing the encryption algorithm:
  ALTER TABLE employee REKEY;

• Re-key the column key and change the algorithm:
  ALTER TABLE employee REKEY USING 'AES256';

• Change the algorithm without re-keying the column keys:
  ALTER TABLE employee ENCRYPT USING 'AES128';
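The following script is an added example (not code from the talk or from Oracle) that models the key hierarchy from the "Master key and column keys" slide, the SALT vs. NO SALT behaviour, the master and column rekey operations, and the lost-wallet case. The HMAC-based stream cipher and tag, and the `Wallet`/`EncryptedColumn` names, are stand-ins for Oracle's AES and internal structures, chosen so the script runs with the Python standard library only.

```python
import hashlib, hmac, os
# Toy stand-in for TDE's AES: an HMAC-SHA256 keystream plus a 20-byte HMAC-SHA1 tag.
SALT_LEN, TAG_LEN = 16, 20

def _keystream(key, salt, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, salt + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, pt, salt=True):
    # NO SALT uses a fixed all-zero salt, so equal plaintexts give equal ciphertexts
    s = os.urandom(SALT_LEN) if salt else bytes(SALT_LEN)
    body = bytes(a ^ b for a, b in zip(pt, _keystream(key, s, len(pt))))
    tag = hmac.new(key, s + body, hashlib.sha1).digest()
    return s + body + tag

def decrypt(key, ct):
    s, body, tag = ct[:SALT_LEN], ct[SALT_LEN:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, s + body, hashlib.sha1).digest()):
        raise ValueError("integrity check failed: wrong master or column key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, s, len(body))))

class Wallet:  # the PKCS#12 wallet holds nothing but the master key
    def __init__(self):
        self.master_key = os.urandom(32)

class EncryptedColumn:
    def __init__(self, wallet, values, salt=True):
        self.salt = salt
        # the column key is generated once and stored in the DB wrapped by the master key
        self.wrapped_key = encrypt(wallet.master_key, os.urandom(32))
        self.rows = [encrypt(self.column_key(wallet), v, salt) for v in values]

    def column_key(self, wallet):
        return decrypt(wallet.master_key, self.wrapped_key)

    def index_lookup(self, wallet, value):
        # a B-tree index over the stored ciphertext can only match a deterministic value
        probe = encrypt(self.column_key(wallet), value, salt=False)
        return [i for i, row in enumerate(self.rows) if row == probe]

    def rekey_column(self, wallet):
        # ALTER TABLE ... REKEY: new column key, every row re-encrypted (full table update)
        old_key, new_key = self.column_key(wallet), os.urandom(32)
        self.rows = [encrypt(new_key, decrypt(old_key, r), self.salt) for r in self.rows]
        self.wrapped_key = encrypt(wallet.master_key, new_key)

def rekey_master(wallet, columns):
    # ALTER SYSTEM SET ENCRYPTION KEY: column keys are re-wrapped, rows stay untouched
    column_keys = [c.column_key(wallet) for c in columns]
    wallet.master_key = os.urandom(32)
    for c, k in zip(columns, column_keys):
        c.wrapped_key = encrypt(wallet.master_key, k)

def decrypt_all(wallet, column):
    # what the SQL interface does transparently; fails if the wallet was lost
    return [decrypt(column.column_key(wallet), r) for r in column.rows]
```

Note that `rekey_master` touches only the wrapped column keys while `rekey_column` rewrites every row, which is why the slides call the latter a full table update.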


TDE and Data Guard

Diagram: Production Database → redo apply → Physical Standby. Redo logs contain encrypted data; data is encrypted on backup files.


Supported data types

• varchar2
• nvarchar2
• number
• date
• binary_float (*)
• binary_double (*)
• timestamp
• raw
• char
• nchar
• interval day to second
• interval year to month


TDE - Unsupported data types

• LONG/LONG RAW
• LOB/BLOB

  SQL> create table test (c1 long encrypt)
  *
  ORA-28330: encryption is not allowed for this data type


TDE - Unsupported database features

• Materialized View logs
• Streams
• Sync and async CDC (Change Data Capture)
• Direct path insert
• LOBs
• Transportable Tablespaces


TDE - restrictions

• Transparent Data Encryption does not work with the following database features
  • Index types other than B-tree
  • Range scan search through an index
  • Large object datatypes such as BLOB and CLOB
  • Original import/export utilities
  • Other database tools and utilities that directly access data files


How Oracle Advanced Security helps with CISP/PCI

• Section 3.4: Render sensitive cardholder information unreadable anywhere it is stored

• Transparent Data Encryption, part of the Oracle Advanced Security Option, encrypts any column with 3DES 128 bit or AES256, as required.

• Both TDE and Network Encryption, part of the Oracle Advanced Security Option, provide SHA-1 for hashing


How Oracle Advanced Security helps with CISP/PCI

• Section 3.5 (incl. 3.5.1. and 3.5.2.): Protect encryption keys against both disclosure and misuse, restrict access and store securely.

• Transparent Data Encryption stores the master key in the Oracle Wallet, and the encrypted column keys in the database

• Intruder would need access to OS file to get to wallet and database access to get to encrypted column keys.


How Oracle Advanced Security helps with CISP/PCI

• Section 4: Encrypt transmission of cardholder and sensitive information across public networks:

• Network Encryption, part of ASO, provides encryption of all traffic between Oracle Database and Oracle Application Server


Transparent Data Encryption
Recommendations

• Do not misuse TDE as an authorization method
• Do not encrypt all your data – only data which needs to be protected


Transparent Data Encryption
Recommendations (cont’d)

• NEVER LOSE YOUR WALLET!!
  • WITHOUT WALLET: DATA LOSS
• BACK UP YOUR WALLET!!
  • WITHOUT CURRENT WALLET: DATA LOSS
• NEVER FORGET YOUR WALLET PASSWORD!
  • WITHOUT WALLET PASSWORD: DATA LOSS


Transparent Data Encryption
Recommendations (cont’d)

• Rekey operations
  • Rekey master key: how often?
    • Depends on regulations (SB1386, Sarbanes-Oxley)
    • Regularly, but not too often (~once a year)
    • Maximum number of TDE master keys is limited due to limited wallet size
      • 10.2.0.2: max wallet size = 64k (~240 master keys)
      • 10.2.0.4: max wallet size = 4M (>15M)
  • Rekey column key:
    • depending on your regulations
    • Full table update


Transparent Data Encryption
Recommendations (cont’d)

Wallet Management
• One encryption wallet per database
• Do not use autologin wallet
• No support for multiple encryption_wallet_location
  • Only one wallet location in sqlnet.ora


TDE in an SAP environment
TDE Candidates

• Do NOT encrypt tables belonging to SAP core application
  • SAP system should be startable without wallet
• Do not encrypt tables used by BR*Tools
• Do not encrypt all tables (~100 should be enough)
• When column is used in an index: non-salted


TDE Support in SAP BR*TOOLS

• ENCRYPTION_WALLET_LOCATION parameter must be configured in sqlnet.ora to override Oracle default path
• Location of encryption wallet in SAP environment:
  • $ORACLE_HOME/dbs (Unix)
  • %ORACLE_HOME%\database (Windows)
• BR*Tools support backup and restore of encryption wallet ewallet.p12
  • Prerequisite: encryption wallet exists in $ORACLE_HOME/dbs resp. %ORACLE_HOME%\database
  • Auto-login encryption wallet (cwallet.sso, if it exists) will not get backed up by BR*Tools


TDE Support in SAP Dictionary

• No support for TDE in SAP dictionary at the moment


Alternate Solutions

Instead of using TDE encryption you could also use one of the following options:

• RMAN Backup Encryption (ASO required) – currently under evaluation
  • RMAN now creates encrypted backups that cannot be restored by unauthorized people

• Oracle Secure Backup (OSB)
  • OSB provides an optimized, highly efficient tape backup solution for the Oracle Database. OSB can store data on tape in encrypted form, providing protection against theft of backup tapes.


Oracle Secure Backup

• Integrated tape backup:
  • Oracle Database
  • Operating system files
• Encryption of data to tape
  • Data at-rest protection
• Tape data protection
  • at the lowest cost

Diagram – Oracle Secure Backup: Centralized Tape Backup Management. Sources: file system data (UNIX, Linux, Windows, NAS) and Oracle Databases (via RMAN).


Why Oracle Secure Backup?

• Encryption of data to tape
  • Protects against misuse of business data
• Oracle Database manages encryption keys
• Certificate based authentication
  • Outside parties cannot impersonate host
• Reduces cost of secure tape backups
  • Only $3,000 per tape device
• Runs on Linux, Windows & UNIX
• Supports over 200 tape devices


RMAN Backup Encryption

• Oracle Recovery Manager (RMAN)
  • Oracle default tool for database backups
  • To disk or tape (MML)
• Encryption of backup
  • Advanced Encryption Standard (AES)
  • Authentication: via user-defined password or via Oracle Wallet
  • ASO required

Diagram: RMAN writes from the Database Area to the Flash Recovery Area (disk) and, through the Media Management Layer, to tape.


TDE – OSB – RMAN Backup Encryption

• TDE
  • Encryption of sensitive data in database files on OS/file system level
  • Encryption of sensitive data in backups (disk and tape)
  • Encryption of sensitive data in archive logs (LogMiner)
  • ASO license required

• Oracle Secure Backup (OSB)
  • Encryption of backups to tape only (not backup to disk)
  • No encryption of sensitive data in database files
  • No encryption of sensitive data in archive logs
  • Requires separate OSB license

• RMAN Backup Encryption (ASO required)
  • Encryption of backups to disk and to tape
  • No encryption of sensitive data in database files
  • No encryption of sensitive data in archive logs
  • ASO license required


For More Information

http://search.oracle.com

or http://www.oracle.com/security

Transparent Data Encryption

Advanced Security

Oracle Database Security Checklist


SAP Notes

http://service.sap.com/notes
• 974876: Transparent Data Encryption
• 973450: Network Encryption


Oracle Metalink Notes

https://metalink.oracle.com/
• Note 317311.1: 10g R2 New Feature TDE: Transparent Data Encryption
• Note 317317.1: How to Export/Import with Data Encrypted with Transparent Data Encryption (TDE)


Oracle Technology Network

• Oracle Database 10g
  http://www.oracle.com/technology/products/database/oracle10g/index.html

• Oracle Database Security
  http://www.oracle.com/technology/deploy/security/database-security/index.html

• Oracle Advanced Security
  http://www.oracle.com/technology/deploy/security/database-security/advanced-security/index.html

• Oracle Advanced Security – Transparent Data Encryption TDE
  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html


Oracle Technology Network

• TDE – Frequently Asked Questions (FAQ)
  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/tde_faq.html

• ASO Data Sheet
  http://www.oracle.com/technology/deploy/security/database-security/pdf/ds_security_db_advancedsecurity_10gR2_062006.pdf

• Oracle Secure Backup
  http://www.oracle.com/database/secure-backup.html

• Oracle Security Checklist
  http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf


DOAG e.V. Server

Deutsche ORACLE-Anwendergruppe e.V. Special Interest Days: Oracle + SAP
http://www.doag.org/public/sig/sap/

TDE Pilot Customers Wanted
