Transparent Data Encryption
DOAG SID SAP & Oracle – June 2007
Andreas Becker, Senior Member Technical Staff, Oracle Server Technologies - SAP Development
Andreas Becker, DOAG Special Interest Day ORACLE und SAP, 27.6.2007
Agenda
• Transparent Data Encryption
  • Technical Overview
  • Demo
  • Technical Restrictions/Recommendations
  • Configuration and Support in SAP Environments
• Alternatives
  • RMAN Backup Encryption
  • Oracle Secure Backup
Encryption
• Network Encryption: encryption of data in motion
• Transparent Data Encryption: encryption of data at rest
“JP Morgan Chase has alerted thousands of its Chicago-area millionaire clients, as
well as some of its own employees, that it cannot locate a computer tape containing
their account information and Social Security numbers.”
JP Morgan Client Data Loss
The Wall Street Journal, May 2007
The Need for Encryption
• Worldwide privacy, security laws and regulations
  • Sarbanes-Oxley
  • PCI (Payment Card Industry)
  • California SB 1386 (Nationwide soon?)
  • Country-specific laws
• Scenarios: customer credit card numbers on disks replaced for maintenance, on stolen laptops, on lost backups
• Data worthless if encrypted
Database Encryption Release < 10.2
• Oracle8i, Oracle9i and Oracle Database 10g provided a PL/SQL API for encrypting data in the Enterprise Edition
  • DBMS_OBFUSCATION_TOOLKIT in Oracle9i, Oracle10g
  • DBMS_CRYPTO in Oracle Database 10g
• Application calls PL/SQL API to perform encryption
  • Typically requires database triggers, database views
  • No automated key management
• Note that most 3rd party solutions today create triggers and views to make their encryption solution look transparent
• Oracle encryption APIs are used by customers today to encrypt credit card numbers
What our customers wanted
• “Privacy / regulatory compliance” (SB 1386, CISP/PCI)
• “Protection for data on backup tapes”
• “Additional protection against operating system / data file theft”
• “Media theft / disk replacement”
• “Let the database handle all aspects of encryption, not the application”
• “Make it easy and secure”
Transparent Data Encryption
• Integrated with the Oracle database for simplicity
  • Alter table encrypt column …
• Provides application transparency
  • No API calls, database triggers or views required
• Media protection of PII data
  • Social security numbers
  • Credit card numbers
• Performance
  • Works with existing indexes for equality searches
TDE Key Features
• Encryption/decryption inside of the database
• Simple SQL syntax:
    SQL> ALTER TABLE customers MODIFY (creditcardno ENCRYPT);
• Requires Advanced Security Option!
  • Only with Oracle Enterprise Edition
• TDE keys are managed by Oracle
• Protects against unauthorized access to the database on file system level / OS level
TDE Key Features
• Simple and easy encryption of sensitive data
  • Views or triggers are NOT needed
• Protects confidential data without the overhead of key management
• Data on disk is encrypted, but decryption is transparent for the application
Overview – the Big Picture
Diagram: data written to disk is automatically encrypted; data read through the SQL interface is automatically decrypted; data on backup files is encrypted.
Oracle Advanced Security components shown: Network Encryption, Strong Authentication, Transparent Data Encryption.
Separation of duties
• DBA starts up the database
• Security DBA opens the wallet containing the master key
• Wallet password is separate from SYSTEM or DBA password
• No access to wallet
Master key and column keys
• Master key stored in PKCS#12 wallet
• Security DBA opens wallet containing master key
• Column keys encrypted by master key
• Column keys encrypt data in columns
Transparent Data Encryption: Configuration steps
5 steps to set up TDE:
1. Identify tables and columns containing sensitive data
2. Does TDE support the datatype of the column?
3. Is the column part of a foreign key? (should not be relevant in SAP environments)
4. Set up and initialize wallet and master key
5. Encrypt existing data and new data in the encrypted table column
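As an added example, not from the slides: a SQL*Plus pre-flight script that checks one candidate column against steps 2 and 3 above, plus the index rule from the restriction slides (indexed columns must be encrypted NO SALT, only B-tree indexes are supported), before the ALTER TABLE of step 5 is run. The schema name SAPR3 is an assumed placeholder; ORDERS.CREDIT_CARD is the table from the demo.

```sql
-- Added example (not from the slides): data-dictionary checks for one
-- candidate column before it is encrypted with TDE on Oracle 10.2.
-- SAPR3 is an assumed placeholder schema; adjust the three DEFINEs.
DEFINE owner = 'SAPR3'
DEFINE tab   = 'ORDERS'
DEFINE col   = 'CREDIT_CARD'

-- Step 2: data type. LONG, LONG RAW and LOB types are rejected by TDE
-- (ORA-28330); the other types on the supported list pass.
SELECT data_type,
       CASE WHEN data_type IN ('LONG', 'LONG RAW', 'CLOB', 'BLOB', 'NCLOB', 'BFILE')
            THEN 'NOT SUPPORTED BY TDE'
            ELSE 'ok' END AS tde_check
  FROM dba_tab_columns
 WHERE owner = '&owner' AND table_name = '&tab' AND column_name = '&col';

-- Step 3: foreign-key membership (constraint_type R = referential).
-- Any row returned here means the column cannot be encrypted as-is.
SELECT c.constraint_name, c.r_constraint_name
  FROM dba_constraints c
  JOIN dba_cons_columns cc
    ON cc.owner = c.owner AND cc.constraint_name = c.constraint_name
 WHERE c.constraint_type = 'R'
   AND c.owner = '&owner' AND c.table_name = '&tab'
   AND cc.column_name = '&col';

-- Index rule: an index on the column forces ENCRYPT NO SALT, and only
-- B-tree (index_type NORMAL) indexes work on encrypted columns; bitmap
-- or function-based indexes must be dropped or the column left alone.
SELECT i.index_name, i.index_type,
       CASE WHEN i.index_type = 'NORMAL' THEN 'encrypt with NO SALT'
            ELSE 'index type not supported with TDE' END AS advice
  FROM dba_indexes i
  JOIN dba_ind_columns ic
    ON ic.index_owner = i.owner AND ic.index_name = i.index_name
 WHERE i.table_owner = '&owner' AND i.table_name = '&tab'
   AND ic.column_name = '&col';

-- Step 5, once all checks pass (wallet must be open): pick one of
--   ALTER TABLE &owner..&tab MODIFY (&col ENCRYPT NO SALT);  -- indexed column
--   ALTER TABLE &owner..&tab MODIFY (&col ENCRYPT);          -- default: salted
```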
DEMONSTRATION
Transparent Data Encryption (TDE)
Prepare the Database
• Create a wallet and generate the master key:
    alter system set key identified by "e3car61";
• Open the wallet:
    alter system set wallet open identified by "e3car61";
Encrypting columns
• Encrypt a column in an existing table:
    alter table credit_rating modify (person_id encrypt);
• Create a new table with an encrypted column:
    create table orders (
      order_id    number(12),
      customer_id number(12),
      credit_card varchar2(16) encrypt);
Which algorithms are used?
• Default: AES with 192 bits:
    alter table credit_rating modify (person_id encrypt);
• Example with other algorithms:
    create table employee (
      first_name varchar2(64),
      last_name  varchar2(64),
      empID      NUMBER encrypt using 'AES256',
      salary     NUMBER(6) encrypt using 'AES256');
TDE – Available Algorithms
• Triple DES (Data Encryption Standard): 3DES168
• AES (Advanced Encryption Standard): AES128, AES192 (default), AES256
Performance?
• Equality searches possible when not salted:
    alter table credit_rating modify (person_id encrypt no salt);
    -- encrypt person_id
    create index person_id_idx on credit_rating (person_id);
    -- create index over encrypted column
    select score from credit_rating where person_id = '235901';
    -- application remains unchanged
Transparent Data Encryption: Overhead
• Storage
  • 33-48 bytes per row per encrypted column
• Performance
  • ~5%
  • Very customer/system specific
  • Depends on
    • # tables
    • Size of tables
    • How tables are accessed
Transparent Data Encryption: SALT vs. NO SALT
• SALT
  • A random string is added to the clear text before it is encrypted
  • Multiple occurrences of the same clear text appear different when encrypted with salt
  • Increased security
    • Against pattern matching attack from hackers
  • But: encrypted columns which are part of an index must be encrypted with NO SALT
Transparent Data Encryption: Change Wallet Password
• Wallet password is independent from
  • master key
  • column keys
  • SYSTEM password
  • SYS password
• Wallet Manager supports password policy
  • At least 8 characters
  • Must contain number or special characters
Transparent Data Encryption: Export of table data
Export of encrypted data is only supported with Data Pump:
• Using ‘exp’ utility:
    EXP-00107: Feature (string) of column string in table string.string is not supported. The table will not be exported.
• Using ‘expdp’ Data Pump without encryption password:
    ORA-39173: Encrypted data has been stored unencrypted in dump file set.
• Using ‘expdp’ Data Pump with encryption password: OK
TDE Administration
    SQL> desc dba_encrypted_columns
     Name                       Null?    Type
     -------------------------- -------- --------------
     OWNER                      NOT NULL VARCHAR2(30)
     TABLE_NAME                 NOT NULL VARCHAR2(30)
     COLUMN_NAME                NOT NULL VARCHAR2(30)
     ENCRYPTION_ALG                      VARCHAR2(29)
     SALT                                VARCHAR2(3)
Transparent Data Encryption: When you lose your wallet…
• Losing your wallet is the most secure way to delete your data
• A wallet cannot be recovered (even with the same wallet password)
• Wallet password and master key are not related
• Recommendation: back up your wallet frequently
  • After change of wallet password
  • After change of master key
  • After column rekey
• Perform change of master key (master rekey) offline
Re-key the master key
• Security policy might require periodic update
• Command:
    alter system set key identified by "2naf1sh";
• Password and master key are independent
• Re-encrypts all column keys
Re-keying the column keys
• Without changing the encryption algorithm:
    ALTER TABLE employee REKEY;
• Re-key the column key and change the algorithm:
    ALTER TABLE employee REKEY USING 'AES256';
• Change the algorithm without re-keying the column keys:
    ALTER TABLE employee ENCRYPT USING 'AES128';
TDE and Data Guard
Diagram: Production Database ships redo to the Physical Standby (redo apply); the redo logs contain encrypted data; data on backup files is encrypted.
Supported data types
• varchar2
• nvarchar2
• number
• date
• binary_float (*)
• binary_double (*)
• timestamp
• raw
• char
• nchar
• interval day to second
• interval year to month
TDE - Unsupported data types
• LONG/LONG RAW
• LOB/BLOB
    SQL> create table test (c1 long encrypt);
    ORA-28330: encryption is not allowed for this data type
TDE - Unsupported database features
• Materialized View logs
• Streams
• Sync and async CDC (Change Data Capture)
• Direct path insert
• LOBs
• Transportable Tablespaces
TDE - Restrictions
• Transparent Data Encryption does not work with the following database features:
  • Index types other than B-tree
  • Range scan search through an index
  • Large object datatypes such as BLOB and CLOB
  • Original import/export utilities
  • Other database tools and utilities that directly access data files
How Oracle Advanced Security helps with CISP/PCI
• Section 3.4: Render sensitive cardholder information unreadable anywhere it is stored
  • Transparent Data Encryption, part of the Oracle Advanced Security Option, encrypts any column with 3DES 128 bit or AES256, as required.
  • Both TDE and Network Encryption, part of the Oracle Advanced Security Option, provide SHA-1 for hashing
How Oracle Advanced Security helps with CISP/PCI
• Section 3.5 (incl. 3.5.1 and 3.5.2): Protect encryption keys against both disclosure and misuse, restrict access and store securely.
  • Transparent Data Encryption stores the master key in the Oracle Wallet, and the encrypted column keys in the database
  • An intruder would need access to the OS file to get to the wallet and database access to get to the encrypted column keys.
How Oracle Advanced Security helps with CISP/PCI
• Section 4: Encrypt transmission of cardholder and sensitive information across public networks:
  • Network Encryption, part of ASO, provides encryption of all traffic between Oracle Database and Oracle Application Server
Transparent Data Encryption: Recommendations
• Do not misuse TDE as an authorization method
• Do not encrypt all your data – only data which needs to be protected
Transparent Data Encryption: Recommendations (cont’d)
• NEVER LOSE YOUR WALLET!!
  • WITHOUT WALLET: DATA LOSS
• BACKUP YOUR WALLET!!
  • WITHOUT CURRENT WALLET: DATA LOSS
• NEVER FORGET YOUR WALLET PASSWORD!
  • WITHOUT WALLET PASSWORD: DATA LOSS
Transparent Data Encryption: Recommendations (cont’d)
• Rekey operations
  • Rekey master key: how often?
    • Depends on regulations (SB1386, Sarbanes-Oxley)
    • Regularly, but not too often (~once a year)
    • Maximum number of TDE master keys is limited due to limited wallet size
      • 10.2.0.2: max wallet size = 64k (~240 master keys)
      • 10.2.0.4: max wallet size = 4M (>15M)
  • Rekey column key:
    • depending on your regulations
    • Full table update
Transparent Data Encryption: Recommendations (cont’d)
Wallet Management
• One encryption wallet per database
• Do not use autologin wallet
• No support for multiple encryption_wallet_location
  • Only one wallet location in sqlnet.ora
TDE in an SAP environment: TDE Candidates
• Do NOT encrypt tables belonging to the SAP core application
  • SAP system should be startable without wallet
• Do not encrypt tables used by BR*Tools
• Do not encrypt all tables (~100 should be enough)
• When a column is used in an index: encrypt non-salted
TDE Support in SAP BR*TOOLS
• ENCRYPTION_WALLET_LOCATION parameter must be configured in sqlnet.ora to override Oracle default path
• Location of encryption wallet in SAP environment:
  • $ORACLE_HOME/dbs (Unix)
  • %ORACLE_HOME%\database (Windows)
• BR*Tools support backup and restore of encryption wallet ewallet.p12
  • Prerequisite: encryption wallet exists in $ORACLE_HOME/dbs resp. %ORACLE_HOME%\database
  • Auto-login encryption wallet (cwallet.sso, if it exists) will not get backed up by BR*Tools
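As an added example, not from the slides: SQL*Plus checks that verify the wallet setup recommended in the Wallet Management and BR*Tools slides above (one ENCRYPTION_WALLET_LOCATION in sqlnet.ora, no auto-login wallet, wallet opened by the security DBA after startup), using the V$ENCRYPTION_WALLET view. The wallet directory and the wallet password are placeholders.

```sql
-- Added example (not from the slides): verify the TDE wallet state on 10.2.
-- Assumes the single SAP-style wallet directory ($ORACLE_HOME/dbs on Unix);
-- the directory path and the wallet password below are placeholders.
--
-- sqlnet.ora (exactly one ENCRYPTION_WALLET_LOCATION entry, no second one):
--   ENCRYPTION_WALLET_LOCATION=
--     (SOURCE=(METHOD=FILE)
--       (METHOD_DATA=(DIRECTORY=/oracle/<SID>/102_64/dbs)))

-- 1. Right after instance startup: where does the instance look for the
--    wallet, and is it open? STATUS is OPEN, CLOSED or NOT_AVAILABLE.
--    NOT_AVAILABLE means no ewallet.p12 was found under WRL_PARAMETER,
--    i.e. the sqlnet.ora entry or the file location is wrong.
--    If STATUS is already OPEN at this point, an auto-login wallet
--    (cwallet.sso) is in use: the security DBA's separate step is
--    bypassed and BR*Tools will not back that file up.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. Security DBA opens the wallet with the wallet password (not the
--    SYS/SYSTEM password); this is repeated after every restart.
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "<wallet-password>";

-- 3. Re-check: encrypted columns are readable only while STATUS = OPEN.
SELECT status FROM v$encryption_wallet;

-- 4. Inventory of encrypted columns with algorithm and salt setting, e.g.
--    to record the state before a master rekey and the wallet backup
--    that has to follow it.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- 5. Close the wallet again to confirm that encrypted columns cannot be
--    read without it (SELECTs on them fail until it is reopened).
ALTER SYSTEM SET WALLET CLOSE;
```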
TDE Support in SAP Dictionary
• No support for TDE in SAP dictionary at the moment
Alternate Solutions
Instead of using TDE encryption you could also use one of the following options:
• RMAN Backup Encryption (ASO required; currently under evaluation)
  • RMAN now creates encrypted backups that cannot be restored by unauthorized people
• Oracle Secure Backup (OSB)
  • OSB provides an optimized, highly efficient tape backup solution for the Oracle Database. OSB can store data on tape in encrypted form, providing protection against theft of backup tapes.
Oracle Secure Backup
• Integrated tape backup:
  • Oracle Database
  • Operating system files
• Encryption of data to tape
  • Data at-rest protection
• Tape data protection at the lowest cost
Diagram (Oracle Secure Backup: Centralized Tape Backup Management): file system data from UNIX, Linux, Windows and NAS hosts and Oracle Databases (via RMAN) are backed up to tape.
Why Oracle Secure Backup?
• Encryption of data to tape
  • Protects against misuse of business data
• Oracle Database manages encryption keys
• Certificate based authentication
  • Outside parties cannot impersonate host
• Reduces cost of secure tape backups
  • Only $3,000 per tape device
• Runs on Linux, Windows & UNIX
• Supports over 200 tape devices
RMAN Backup Encryption
• Oracle Recovery Manager (RMAN)
  • Oracle default tool for database backups
  • To disk or tape (MML)
• Encryption of backup
  • Advanced Encryption Standard (AES)
  • Authentication: via user-defined password or via Oracle Wallet
  • ASO required
Diagram: Database Area and Flash Recovery Area are backed up by RMAN to disk or, through the Media Management Layer, to tape.
TDE – OSB – RMAN Backup Encryption
• TDE
  • Encryption of sensitive data in database files on OS/file system level
  • Encryption of sensitive data in backups (disk and tape)
  • Encryption of sensitive data in archive logs (LogMiner)
  • ASO license required
• Oracle Secure Backup (OSB)
  • Encryption of backups to tape only (not backup to disk)
  • No encryption of sensitive data in database files
  • No encryption of sensitive data in archive logs
  • Requires separate OSB license
• RMAN Backup Encryption (ASO required)
  • Encryption of backups to disk and to tape
  • No encryption of sensitive data in database files
  • No encryption of sensitive data in archive logs
  • ASO license required
For More Information
http://search.oracle.com
or http://www.oracle.com/security
• Transparent Data Encryption
• Advanced Security
• Oracle Database Security Checklist
SAP Notes
http://service.sap.com/notes
• 974876: Transparent Data Encryption
• 973450: Network Encryption
Oracle Metalink Notes
https://metalink.oracle.com/
• Note 317311.1: 10g R2 New Feature TDE: Transparent Data Encryption
• Note 317317.1: How to Export/Import with Data Encrypted with Transparent Data Encryption (TDE)
Oracle Technology Network
• Oracle Database 10g
  http://www.oracle.com/technology/products/database/oracle10g/index.html
• Oracle Database Security
  http://www.oracle.com/technology/deploy/security/database-security/index.html
• Oracle Advanced Security
  http://www.oracle.com/technology/deploy/security/database-security/advanced-security/index.html
• Oracle Advanced Security – Transparent Data Encryption TDE
  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html
• TDE – Frequently Asked Questions (FAQ)
  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/tde_faq.html
• ASO Data Sheet
  http://www.oracle.com/technology/deploy/security/database-security/pdf/ds_security_db_advancedsecurity_10gR2_062006.pdf
• Oracle Secure Backup
  http://www.oracle.com/database/secure-backup.html
• Oracle Security Checklist
  http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
DOAG e.V. Server
Deutsche ORACLE-Anwendergruppe e.V. Special Interest Days: Oracle + SAP
http://www.doag.org/public/sig/sap/