ZAHIR MOHIDEEN: encryption

Thursday, March 6, 2014

Encryption in Oracle database.

There are few ways to enforce security in oracle database . Virtual Private Database ( VPD) , Oracle Label Security (OLS) , Transparent Data Encyption , Data Redaction , Vault , and so on. These options can be used to enforce security in the database ; however for some privileged users , the data is visible in the clear text. To mitigate this issue , we can store the sensitive information encrypted. We can use dbms_crypto ( in 10g and later ) or dbms_obfuscation_toolkit ( in pre-10g releases ) .

Here is the simple example .
Let us create two functions . Ideally , I would prefer all the stored procedures and functions in a package . This is for illustrations only.

For this to work , the developer has to granted execute privilege on dbms_crypto from a user with SYSDBA privilege .

SQL> show user
USER is "ZAHIR"
SQL> CREATE OR REPLACE FUNCTION encrypt_constant
2 RETURN INTEGER
3 AS
4 BEGIN
5 RETURN DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
6 END ;
7 /

Function created.

SQL> CREATE OR REPLACE FUNCTION rtn_key ( p_key in varchar2)
2 return raw
3 as
4 begin
5 return utl_raw.cast_to_raw(rpad(p_key,32));
6 end ;
7 /

Function created.

The above functions are created to set the encryption algorithm and to return the raw from varchar.

SQL> drop table t_users purge
2 /

Table dropped.

SQL> CREATE TABLE t_users

2 (

3 usid INT ,

4 lname VARCHAR2(50) ,

5 clear_password VARCHAR2(20) ,

6 encrypted_password raw(32)

7 )

8 /

Table created.

Now , let us use the two functions to use it in our insert statement.

SQL> INSERT

2 INTO t_users

3 (

4 usid ,

5 lname ,

6 clear_password ,

7 encrypted_password

8 )

9 VALUES

10 (

11 1 ,

12 'Zahir Mohideen' ,

13 'password' ,

14 DBMS_CRYPTO.ENCRYPT ( src => UTL_I18N.STRING_TO_RAW ('password', 'AL32UTF8'), typ => encrypt_constant , KEY => rtn_key(TO_CHAR(1)) )

15 ) ;

1 row created.

SQL> set linesize 1000

SQL> select clear_password , encrypted_password from t_users;

CLEAR_PASSWORD ENCRYPTED_PASSWORD

-------------------- ----------------------------------------------------------------

password A798E993760F0AD22E3AAD0814A98A15

Now , as you can see , the password is stored in clear text format in "CLEAR_PASSWORD" column and the password is stored in encrypted format in "ENCRYPTED_PASSWORD" column . Ideally , any security minded professional would prefer to the sensitive information to be encrypted.

To decrypt , we can use dbms_crypto.decrypt procedure , as seen below.

SQL> SElect UTL_I18N.RAW_TO_CHAR (

2 DBMS_CRYPTO.DECRYPT ( src => encrypted_password , typ => encrypt_constant , key => rtn_key(TO_CHAR(usid)) )

3 ) pwd from t_users ;

PWD

-------------------------

password

SQL>

So , here is our simple example to encrypt and decrypt using one of Oracle supplied packages.

Comments welcome.

Wednesday, January 2, 2013

Encrypt Connections to SQL Server

By default , the connections to SQL Server are not encrypted.

C:\>sqlcmd -W
1> Select protocol_type , encrypt_option from sys.dm_exec_connections;
2> go

protocol_type encrypt_option
------------- --------------
TSQL FALSE
TSQL FALSE

We can use SSL to encrypt the connections using SQL Server Configuration Manager .
Here are the steps.

a) Expand "SQL Server Network Configuration " in the left panel
b) Right Click on the "Protocols for XXXX" ( where XXXX is the ServiceName ) and select Properties.
c) Select "Yes" in the "Force Encryption " in the "Flags" tab.
d) Select the certificate in the "Certificate" tab. ( Note : If you don't specify the certificate , SQL Server uses the self signed certificate) .
e) Click OK and restart the service(s)

To verify the changes , run the following SQL .

C:\>sqlcmd -W
1> Select protocol_type , encrypt_option from sys.dm_exec_connections;
2> go
protocol_type encrypt_option
------------- --------------
TSQL TRUE
TSQL TRUE
TSQL TRUE
TSQL TRUE

Comments Welcome.