Oracle Database 10g Release 2 Security

Oracle Database 10g Release 2
Security
An Oracle White Paper
June 2005
Oracle Database 10g Release 2 Security
Introduction ....................................................................................................... 4
Transparent Data Encryption.......................................................................... 4
Application Transparent: No Views Required ......................................... 5
Transparent Key Management and Separation of Duty ......................... 6
Performance .................................................................................................. 7
Key Management Framework..................................................................... 7
Encryption Algorithms ................................................................................ 7
Data Types Supported with TDE .............................................................. 7
Database Encryption API............................................................................ 8
Batch jobs: Protection of username and password ...................................... 8
Oracle Database 10g Release 2 Proxy Enhancements................................. 8
Proxy Technology Overview ...................................................................... 9
Protocol Support...................................................................................... 9
Credential Proxy ....................................................................................... 9
Application User Proxy Authentication.............................................. 10
Enterprise User Security................................................................................. 11
Enterprise Privilege Administration .................................................... 11
Shared Schemas ...................................................................................... 12
Password-Authenticated Enterprise Users......................................... 13
Kerberos Based Authentication with Enterprise User Security ...... 13
Protecting Sensitive Information At The Row Level ................................ 14
Oracle Database Row Level Security............................................................ 14
Oracle Virtual Private Database.................................................................... 14
Virtual Private Database Relevant Column Enforcement.................... 15
Virtual Private Database Relevant Column and Masking..................... 16
Partitioned Fine-grained Access Control............................................ 16
Global Application Context.................................................................. 17
Externalized Application Context........................................................ 17
Data Classification with Oracle Label Security ........................................... 18
Identity Management Integration............................................................. 19
Oracle Policy Manager ............................................................................... 20
Secure Application Role ................................................................................. 20
Auditing For Compliance............................................................................... 21
Robust, Comprehensive Auditing........................................................ 21
Efficient Auditing................................................................................... 22
Customizable Auditing .......................................................................... 22
Fine-grained, Extensible Auditing ....................................................... 22
Oracle Database 10g Release 2 Security
Page 2
Enhanced Administrator Auditing ...................................................... 23
Auditing For Three-Tier Applications ................................................ 24
Oracle Advanced Security .............................................................................. 24
Industry Standard Encryption and Data Integrity............................. 24
Easy Configuration, No Changes to your Applications ................... 25
Strong Authentication Services for Oracle Database 10g ................ 25
Closer Look At Kerberos Authentication for Directory Users....... 26
Closer Look at RADIUS (Remote Dial-in User Service)................. 26
PKCS #12 Support................................................................................ 27
PKCS#11 Support, Smart Cards/Hardware Security Modules ...... 27
Industry Standards, Interoperable ....................................................... 27
A Closer Look At PKI............................................................................... 28
Wallets Stored in Oracle Internet Directory ...................................... 29
Multiple Certificate Support ................................................................. 29
Strong Wallet Encryption...................................................................... 29
SSL............................................................................................................ 29
Java Security................................................................................................. 30
JDBC Security......................................................................................... 30
Secure Connections for Virtually Any Client..................................... 31
Use of the Secure JDBC Implementation .......................................... 31
Summary ........................................................................................................... 32
Oracle Database 10g Release 2 Security
Page 3
Oracle Database 10g Release 2 Security
INTRODUCTION
The emergence of identity theft
as an organized criminal activity
has placed new focus on the
need to protect sensitive
information from both insiders
and those who present
fraudulent credentials to gain
access to sensitive information
For over 25 years Oracle has delivered state-of-the-art security solutions to
government and commercial customers worldwide. Oracle Database 10g Release 2
continues that tradition by introducing powerful new features to address security,
privacy and regulatory compliance. The emergence of identity theft as an organized
criminal activity has placed new focus on the need to protect sensitive information
from both insiders and those who present fraudulent credentials to gain access to
sensitive information. While no single security technology will provide absolute
security, IT professionals are taking steps to lockdown access to data and closely
monitor the enterprise for suspicious activity. Oracle Database 10g Release 2
introduces advanced encryption technology to protect sensitive information and
important security features to help application developers build even more secure
applications going forward.
TRANSPARENT DATA ENCRYPTION
Perhaps the most important new feature in Oracle Database 10g Release 2 is the addition of
transparent data encryption (TDE) to the Oracle Advanced Security option. Oracle can now
transparently encrypt data on the network and inside the database. TDE sets the standard for
database encryption by tightly coupling encryption with the database to provide a highly
Transparent data encryption
sets the standard for database
transparent encryption solution to protect sensitive data written to disk or backup media.
Social security numbers, credit card numbers and other personally identifiable information
encryption by tightly coupling
(PII) can be easily encrypted without breaking the existing application. Most encryption
encryption with the database
solutions require specific calls to encryption functions within the application code plus the
to provide a highly
creation of addition views inside the database. This is expensive and time consuming because
transparent encryption
it requires extensive understanding of an application as well as the ability to write and
solution to protect sensitive
data written to disk or backup
media.
maintain software. Most organizations don't have the time or expertise to modify existing
applications to make calls to encryption routines. In addition, the task of retrofitting an
existing application with encryption is manual and error prone. You have to hand code
encryption calls everywhere for the application to work.
Oracle Database 10g Release 2 Security
Page 4
TDE solves this problem by deeply embedding encryption in the Oracle database. With a
simple alter table statement an administrator can encrypt sensitive data within an application.
SQL>Alter table credit_rating modify(person_id encrypt no salt)
New application tables can simply specify the encrypt key word in the actual table definition.
SQL> Create table orders
(order id number (12) not null,
customer_id
number(12) not null,
credit_card
varchar2(19) encrypt));
Application Transparent: No Views Required
Application logic performed through SQL will continue to work without modification. In
other words, applications can use the same syntax to insert data into an application table and
the Oracle database will automatically encrypt the data before writing the information to disk.
Existing database backup routines will continue to work with the added assurance that
sensitive data is encrypted on the backup tapes. Subsequent select operations will have the
data transparently decrypted so the application will continue to work normally. This is
important because existing applications expect to see application data unencrypted.
Credit card numbers, social security
numbers and other sensitive information
remains encrypted on backup media for
regulatory compliance with protection
against Identity theft.
Oracle Advanced
Security
Strong Authentication
Data
Automatically
Decrypted
Through
SQL Interface
Oracle Advanced Security
Network Encryption
Data
Written
To Disk
Automatically
Encrypted
Oracle Advanced
Security
Transparent
Data
Encryption
Data Encrypted
In Backup Files
TDE doesn't require the creation of
database views, database triggers or
modification to existing SQL.
TDE doesn't require the creation of database views, database triggers or
modification to existing SQL. Tables containing sensitive data simply need to be
altered with a single command and the data stored in those tables will be encrypted
on disk.
Oracle Database 10g Release 2 Security
Page 5
Transparent Key Management and Separation of Duty
Historically one of the most difficult tasks associated with encryption has been key
management. Oracle has provided powerful encryption functionality inside the
database since Oracle8i. However, that functionality required the application
owner or user to manage the encryption key. TDE manages the encryption keys
transparently. Encryption works by passing clear text data along with a secret,
known as the key, into an encryption program. The encryption program encrypts
the clear text data using the supplied key and returns the data encrypted. TDE
solves the key management problem by generating and maintaining a master key for
the entire database. The database master key is used to encrypt table specific
encryption keys transparently created by Oracle. Without the master key, no data
can be decrypted within the Oracle database. Upon starting up the Oracle
database, an administrator opens an object known as an Oracle Wallet using a
password. The wallet contains the master key and must be opened before
encrypted data is accessed. The password for the wallet can be separate from the
system or DBA password. The database master key must be initialized prior to
encryption first being used in the database.
SQL> alter system set encryption key identified by "1wq!r23t";
A separate security DBA can be assigned responsibility for managing the master
encryption key.
DBA starts up database
Security DBA
opens wallet
containing Master encryption key
Oracle Database 10g
Release 2
Oracle Database 10g Release 2 Security
Page 6
Performance
Encryption typically creates problems for existing application indexes because the
index data isn't encrypted. TDE encrypts the index value associated with a given
application table. This means that equality searches within an application will see
little to no decrease in performance. For example, assume an application contains a
table called CREDIT_RATING with a column named PERSON ID that needs to
be encrypted.
SQL>Connect appowner
SQL>Alter table credit_rating modify(person_id encrypt no salt)
SQL>Create index person_id_idx on credit_rating (PERSON_ID)
SQL>Select score from credit_rating where PERSON_ID = '235901';
In this example, the PERSON_ID values would be encrypted in both the base
table and the index. The Oracle database will use the new index even though the
PERSON ID value is encrypted in the index.
Key Management Framework
TDE wallet integration has technology built-in which manages the master
encryption key. This allows master encryption keys to be updated and encrypted
data on backup tapes to be decrypted when loaded back into the Oracle database.
Encryption Algorithms
TDE supports the 3DES and the Advanced Encryption Standard (AES) encryption
algorithms for key sizes up to 256 bits.
Data Types Supported with TDE
The first release of TDE will support the following data types. Additional data
types will be supported in future releases.
Data Type
Transparent Data Encryption Supported
varchar2
Yes
nvarchar2
Yes
number
Yes
date
Yes
binary float
Yes
binary_double
Yes
timestamp
Yes
raw
Yes
char
Yes
nchar
Yes
Oracle Database 10g Release 2 Security
Page 7
Database Encryption API
For customers who wish to manually call encryption routines, Oracle provides the
DBMS_CRYPTO toolkit. The DBMS_CRYPTO toolkit was introduced in Oracle
Database 10g Release 1 and replaced the DBMS_OBFUSCATION_TOOLKIT
introduced in Oracle8i. The DBMS_CRYPTO toolkit is easier to use than the
DBMS_OBFUSCATION_TOOLKIT. The DBMS_CRYPTO toolkit supports
the 3DES and AES encryption algorithms.
BATCH JOBS: PROTECTION OF USERNAME AND PASSWORD
Oracle Database 10g Release 2 introduces new functionality to dramatically
improve the security of batch jobs which use a username and password to connect
to the Oracle database. Historically, Oracle Wallets have been used to manage
PKI credentials for authentication to the Oracle database. Starting with Oracle
Database 10g Release 2, Oracle Wallets can be used to store a username and
password. This enables a user to simply use a "/" to connect to the database, but
still authenticate using a username and password.
sqlplus /@prodapp
This new capability will address the issue with exposing username and passwords
on unix systems when executing the ps -ef command. This new feature is also
useful for jobs which need to connect from a middle tier using a username and
password and run a batch job within an application schema.
ORACLE DATABASE 10G RELEASE 2 PROXY ENHANCEMENTS
New in Oracle Database 10g Release 2 is the ability
to specify a proxy account when connecting to the
database using command lines tools such as
SQL*Plus.
Oracle Database 10g Release 2 introduces exciting enhancements to the already
robust proxy capabilities available with Oracle. The OCI proxy authentication
feature was initially released in Oracle8i, and allowed a database client to set up,
within a single database connection, a number of “lightweight” user sessions, each
of which is associated with a different database user. New in Oracle Database 10g
Release 2 is the ability to specify a proxy account when connecting to the database
using command lines tools such as SQL*Plus. In other words, OCI is no longer a
requirement for using the Oracle proxy technology.
sqlplus scott[app_schema]/mypassword@prodapp
This feature is also integrated with Oracle Enterprise User Security. Using the
above example, the user scott could be an enterprise user managed in the Oracle
Internet Directory. Using the new feature with the new Oracle Wallet capability to
store username and password would change the above syntax to the following:
sqlplus [app_schema]/@prodapp
This feature is particularly useful for increasing the security of existing applications.
Historically, applications have used the model of one big user to connect to an
application. The proxy technology available since Oracle8i enabled applications to
change that model. However, the capability wasn't available with command line
Oracle Database 10g Release 2 Security
Page 8
tools. This new Oracle Database 10g Release 2 feature solves that problem and will
enable developers to build even more secure applications.
Proxy Technology Overview
Proxy technology was implemented by Oracle so that a specific middle tier can be
restricted to acting on behalf of a specified set of users. Once the middle tier has
authenticated itself to the database, it can establish a lightweight session on behalf
of those users without submitting user-specific authentication information such as
passwords. Moreover, Oracle can be configured so that a specific middle tier can
assume a specific set of database roles when acting at the database on behalf of a
specific user. In other words, the database uses both middle tier identity and client
user identity when determining what privileges to grant a middle tier acting for a
user through a lightweight session.
Oracle’s proxy authentication feature addresses a number of security problems
associated with three-tier systems. Since each middle tier can be delegated ability to
authenticate and act on behalf of a specific set of users, and with a specific set of
roles, proxy authentication supports a limited trust model for the middle tier server,
and avoids the problem of an all-privileged middle tier. It is also possible to give
more privilege to a trusted middle tier (e.g., one that is within the corporate
firewall) than to a less-trusted middle tier (e.g., one that is outside the firewall and
thus more vulnerable to compromise). Moreover, because the identity of both
middle tier and user are passed to the database through a lightweight user session,
this feature makes it easier to audit the actions of users in a three-tier system, and
thus improves accountability.
Protocol Support
Oracle8i supported the proxy authentication for communications to the database
which used the Oracle Call Interface (OCI), Oracle9i proxy authentication
supported "thick" Java Database Connectivity (JDBC) access to the database.
Oracle Database 10g supports both “thick” and "thin" access to the database. A
middle tier server can now access the Oracle Database 10g on behalf of a client
user by establishing a lightweight session for that user through either OCI or JDBC.
Oracle Database 10g Release 2 supports proxy connections for standard database
connections using tools such as SQL*Plus.
Credential Proxy
Oracle8i supported proxy authentication for database users authenticated by
password only; the password could be passed as an attribute to be verified by the
database, or not, depending on an organization’s security preferences.
Oracle Database 10g Release 2 Security
Page 9
Oracle Database 10g extends proxy
authentication to include the
Distinguished Name (DN).
Oracle Database 10g extends proxy authentication to include the Distinguished
Name (DN). This provides strong, three-tier security by enabling an SSL credential
to be passed to the database for purpose of identifying (but not authenticating) the
user. (SSL cannot be used to authenticate a user through multiple tiers, since it is a
point-to-point protocol rather than an end-to-end protocol.) For example, a user
can authenticate to a middle tier using SSL, the middle tier can extract the DN
from the certificate and pass it to the database. As an additional benefit, the DN or
certificate is available in the lightweight session and the elements contained therein
can be used with Virtual Private Database to limit access. For example, an
organization could restrict data access based on the Organizational Unit (OU)
element in a user certificate presented to the database.
The database can use the DN or certificate to look up a user in Oracle Internet
Directory or other LDAP-based directory certified for Enterprise User
Management (an Oracle Advanced Security feature). Integration of proxy
authentication with Enterprise User Security enables the user identity to be
maintained throughout all tiers of an application, yet the user need only be created
once, in the directory. This also enables Enterprise User Security to be used in
three-tier applications, instead of merely client-server, as was the case with Oracle8i.
Application User Proxy Authentication
Many applications use session pooling to set up a number of sessions which are
reused by multiple users. In this context, “application users” are users who are
authenticated to the middle tier of an application, but are not known to the
database. Oracle introduces application user proxy authentication for these types
of applications.
In this model, the middle tier passes a client identifier to the database upon session
establishment. (The client identifier could be anything that represents the client
connecting to the middle tier; a cookie, for example, or an IP address.) The client
identifier, representing the application user, is available in user session information
and can also be accessed within an application context (using the USERENV
naming context), thus enabling applications to use Virtual Private Database to limit
user access, even if the application users are not known to the database.
Applications can set up and reuse sessions, while still being able to keep track of
the “application user” in the session.
Applications can easily reset the client identifier and thus reuse the session for a
different user, enabling high performance for web-based applications. For OCIbased connections, alteration of the client identifier is piggybacked on other OCI
calls, to further enhance performance.
Oracle Database 10g Release 2 Security
Page 10
Application user proxy
authentication is particularly
valuable in e-business
applications with thousands of
users, as it supports per-user
data access while meeting user
scalability requirements.
Application user proxy authentication, available in thin JDBC, thick JDBC and
OCI, provides the benefits of connection pooling without the overhead of setting
up and managing separate user sessions (even “lightweight” ones), and enables even
those applications whose users are unknown to the database to utilize Virtual
Private Database. Application user proxy authentication is thus particularly
valuable in e-business applications with thousands of users, as it supports per-user
data access while meeting user scalability requirements.
ENTERPRISE USER SECURITY
Identity Management is one of the most critical operational components in any IT
organization. Most organizations face daunting obstacles in user management.
Users within an organization often have far too many user accounts, a problem
exacerbated by the growth in web-based self-service applications —every other
week, users have a new user account and password to remember. Organizations
who want “per user” data access and accountability do not want the administrative
challenges of managing users in each database a user accesses.
This problem is compounded for web-facing, e-business applications. An
organization opening its mission-critical systems to partners and customers does
not want to create an account for each partner in each database the partner
accesses, yet “per partner” privilege and “per partner” accountability is highly
desired. Oracle Enterprise user security addresses the requirement of per-user data
access with centralized user management.
Enterprise Privilege Administration
An inherent challenge of any distributed system, including three-tier systems, is that
common application information is often fragmented across the enterprise, leading
to data that is redundant, inconsistent, and expensive to manage. Directories are
being viewed by an increasing number of Oracle and third-party products as the
best mechanism to make enterprise information available to multiple different
systems within an enterprise. Directories also make it possible for organizations to
access or share certain types of information over the Internet, for example, through
a virtual private network. The trend towards directories has been accelerated by the
recent growth of the Lightweight Directory Access Protocol (LDAP).
A specific type of enterprise information commonly proposed for storage in a
directory is privilege and access control information. Both user privileges,
represented as roles, and object constraints, represented as Access Control Lists
(ACLs) listing those users who may access an object, may be stored in a directory.
Directory information which specifies users’ privileges or access attributes is
sensitive, since unauthorized modification of this information can result in
unauthorized granting or denial of privileges or access to users. A directory
maintaining information on behalf of the enterprise must ensure that only
authorized system security administrators can modify privilege or access
information maintained in the directory. Oracle Internet Directory supports
Oracle Database 10g Release 2 Security
Page 11
attribute-level access control and optional strong user authentication through SSL,
and can be configured so that only specific users who are strongly authenticated are
allowed to update directory information about user privileges or access.
Oracle8i introduced enterprise roles: centrally administered privilege sets,
maintained in Oracle Internet Directory. Enterprise roles enable strong, centralized
authorization of users. Also, an administrator can add capabilities to enterprise
roles (granted to multiple users) without having to update the authorizations of
each user independently.
Shared Schemas
The schema-independent user, introduced in Oracle8i, extends the benefits of
directory integration by allowing the database to delegate administration of user
identity, as well as privilege, to the directory. Schema-independent users—also
known as users with shared schemas—are database users whose identity is maintained
in a central LDAP repository; specifically, Oracle Internet Directory. When a
schema-independent user connects to the database, the database queries the
directory to determine if the user is registered there, and if so, to what database
schema the user should be mapped, and what roles the user should obtain.
Schema-independent users
reduce the administrative
burden associated with
managing users in the
enterprise.
Suppose, for example, that there are 500 users of an application, who require access
to data on several database servers in the enterprise. Instead of maintaining 500
different user accounts on each database, Oracle allows the system administrator to
create a single shared schema (such as HRAPPUSER for the HR application), with
appropriate privileges, on each database, and then create 500 enterprise users in an
Oracle Internet Directory. When they connect to any specific database, these users
are mapped to the appropriate schema on the database (e.g. HRAPPUSER), and
inherit the privileges associated with the schema, as well as any additional privileges
that are associated with the roles granted to them in the directory. Although these
users share a common schema, individual users’ identities are associated with their
sessions by the database, and are used for access control or auditing purposes.
Once created, these user accounts in LDAP can be used within multiple
applications as well.
The shared schema feature has a number of benefits. It reduces the administrative
burden associated with managing users in an enterprise, and allows effective
management of much larger communities of users than was previously possible.
Moreover, it can provide a mechanism for integrating user account and privilege
management across tiers in a multi-tier system, as long as the middle tier also
supports management of user identities and privileges in the directory. In such a
system, new users and their privileges can be registered once in a directory, and this
gives them appropriate access to the middle tier as well as any databases in the
enterprise that they need to access. In the future, it should be possible to build
three-tier systems (e.g., web storefronts) in which new users can register themselves
with a web server, and the web server then creates an entry for these users in the
Oracle Database 10g Release 2 Security
Page 12
directory, giving them access to information in appropriate databases which pertain
to them.
Password-Authenticated Enterprise Users
In Oracle8i, Enterprise User Security relied on client-side wallets to authenticate
enterprise users. This requires SSL to establish secure channels between (i) the
client and the server, and (ii) the database server and an LDAP-compliant directory.
The authentication mechanism uses SSL and X.509 v3 certificates, requiring
installation of Oracle wallets on both the client and the server.
Although this is a highly effective mechanism to ensure the integrity of the user
authentication process, it requires SSL configuration and client-side wallets.
Because this requires an X.509 certificate issued by a trusted Certificate Authority
for each enterprise user, overhead can be significant for large organizations. Both
SSL and an Oracle wallet must be installed on both the client and the server. This
is a backwards-compatibility issue for certain earlier releases, and adds complexity
to the setup and configuration process.
In Oracle Database 10g, enterprise
users can use password-based
authentication, removing the
requirement for client-side wallets and
most Secure Socket Layer (SSL)
processing.
In Oracle Database 10g, enterprise users can use password-based authentication,
removing the requirement for client-side wallets and most Secure Socket Layer
(SSL) processing. Furthermore, enterprise users can use a single enterprise
username and password to connect to multiple databases, if desired. In addition,
Oracle provides a User Migration Utility for use by an administrator to migrate
users from multiple, independent databases to one central LDAP directory service
for centralized user and privilege management. With its reduced processing
overhead, improved ease-of-use, and simplified setup and administration, this
release is particularly useful for large user communities accessing multiple
applications.
Kerberos Based Authentication with Enterprise User Security
Oracle Database 10g Release 1 enterprise user security supports kerberos as an
additional authentication mechanism. The addition of kerberos gives customers
three options when using enterprise user security - SSL, password or kerberos
based authentication.
Oracle Database 10g Release 2 Security
Page 13
PROTECTING SENSITIVE INFORMATION AT THE ROW LEVEL
Privacy and compliance requirements are
increasing the need for row level security
because more information is being stored
in a single location.
Database objects include the tables and views which store and limit access to
application data. A typical database application may contain dozens, hundreds or
even thousands of database tables. Access to these tables is mediated using
database object privileges such as SELECT, UPDATE, INSERT and DELETE.
Object privileges can be granted directly to an application user or managed through
enterprise roles. Roles contain the object privileges necessary to perform a specific
job function. Oracle has robust support for roles, allowing application developers
to break down access privileges into a least privilege model. Application users can
have many roles active depending on their job responsibility. For example, the
object privilege SELECT might be given to the HR_USER role. In most cases
object privileges are sufficient to satisfy stated security policies. For example, a user
can be denied access to purchase order information by simply ensuring the user
does not the role containing access to the underlying purchase order application
tables. However, in today's complex Internet connected world, object privileges
sometimes aren't sufficient for controlling access. For example, data consolidation
typically involves moving data from multiple databases into a single database. This
may result in data from different organizations or companies being consolidated
into the same database object. Object privileges stop at the object level and don't
drill down to the row level or individual data element. Row level security is the
ability to control access to individual rows within a database table after an
application user has been given object privileges on the database table. This type of
access control is difficult to implement programmatically and increases application
complexity.
ORACLE DATABASE ROW LEVEL SECURITY
Oracle8i set a new standard in database security with the introduction of Oracle
Label Security and Virtual Private Database (VPD). Oracle Database 10g
introduces exciting new enhancements to both Oracle Label Security and Virtual
Private Database. Oracle Database 10g allows Oracle Label Security policies to be
managed in the Oracle Identity Management infrastructure. Oracle Database 10g
Virtual Private Database introduces column relevant security policy enforcement
and optional column masking. These features provide tremendous flexibility for
meeting privacy mandates and other regulations.
ORACLE VIRTUAL PRIVATE DATABASE
Oracle Virtual Private Database has been
evaluated twice (Versions 8i and 9.2)
using the International Common Criteria at
EAL4
Virtual Private Database was introduced in Oracle8i and includes programmable
row level security and secure application context. Virtual Private Database enables
a developer or DBA to attach a security policy to an application table, view or
synonym. The security policy is invoked when SQL statements access the object
associated with the policy. Oracle secure application context can be used in
conjunction with the security policy to determine how to apply the policy. The
security policy is written using PL/SQL.
Oracle Database 10g Release 2 Security
Page 14
Security is stronger, because it is enforced
by the database, no matter how a user
accesses data, this addresses the
application security bypass problem.
Within the enterprise, usage of Virtual Private Database can result in lower cost of
ownership in deploying applications. Security can be built once, in the database,
rather than in each application that accesses the data. Security is stronger, because
it is enforced by the database, no matter how a user accesses data. Virtual Private
Database is a key enabling technology for organizations building hosted, web-based
applications, as well as for Oracle itself. It also address a common problem with
application based logic and that is called the application bypass problem. The
application bypass problem refers to situations where a user attempts to access data
using an tool other than the application which is normally used to access data. In
these situations data may be less secure because the security logic was in a single
data access path and not bound to the data itself.
Direct or indirect access to a table with an attached security policy causes the
database to consult a function implementing the policy. The policy function
returns an access condition known as a predicate (a WHERE clause) which the
database appends to the user’s SQL statement, thus dynamically modifying the
user’s data access. A secure application context enables access conditions to be
based on virtually any attributes an application deems significant, such as
organization, cost center, account number, or position.
For example, an Web order entry system can enforce access based on customer
number, and whether the user is a customer or a sales representative. In this way,
customers can view their order status online (but only for their own orders), while
sales representatives can view multiple orders, but only for the their own
customers.
Virtual Private Database Relevant Column Enforcement
Oracle Database 10g allows Virtual Private Database policies to be associated with
specific columns in application tables. Only when those columns are referenced is
the policy invoked.
Select store_id, revenue…
Where
department = ‘Engineering’
Store ID
Revenue
Department
AX703
10200.34
Finance
B789C
18020.34
Engineering
JFS845
12341.34
Legal
SF78SD
13243.34
HR
Oracle Database 10g Release 2 Security
Page 15
OK
Virtual Private Database Relevant Column and Masking
This option tells the database to
return all rows regardless of the
policy restriction, but mask, or null
out, the values
In addition to relevant column enforcement, Oracle Database 10g introduced a
new enforcement option for policies applied to columns. This option tells the
database to return all rows regardless of the policy restriction, but mask, or null out,
the values for column in the rows which didn't meet the policies restrictions. For
example, assume a virtual private database policy is written using PL/SQL and
assigned to the revenue column. A SQL statement is submitted to the Oracle
Database 10g and attempts to retrieve the revenue for all departments. The policy is
enforced because the SQL statement references the revenue column. In Oracle8i
and Oracle9i only rows matching the department 'Engineering’ would have been
returned. In oracle Database 10g, the policy can be applied such that all rows are
returned, but the column values in the Revenue column are masked for rows which
don't match the department 'Engineering'.
Store ID
Revenue
Department
Select revenue….
AX703
10200.34
Finance
OK
Where
department = ‘Engineering’
B789C
18020.34
Engineering
OK
JFS845
12341.34
Legal
OK
SF78SD
13243.34
HR
OK
Partitioned Fine-grained Access Control
Oracle9i introduced the ability to partition security policy enforcement by
application, thus facilitating Virtual Private Database deployment. For example,
suppose both an Order Entry and Inventory application access the Orders table.
The Order Entry application limits access based on customer number, while the
Inventory application limits access based on part number. It is very useful to be
able to “partition” fine-grained access control so that different security policies apply,
depending upon which application is accessing the data. Otherwise, application
developers of the respective Order Entry and Inventory applications have to agree
upon a mutual policy, which may not be feasible or possible.
Oracle enables partitioning of Virtual Private Database through policy groups and a
driving application context. A driving application context securely determines
which application is accessing data, and policy groups facilitate managing the
policies which apply by application. Oracle also supports default policy groups,
which always apply to data access. For example, an application “striped” for
application hosting using a subscriber ID could have a default policy, “Subscriber,”
that always enforces data separation by subscriber, and additional policy groups for
Oracle Database 10g Release 2 Security
Page 16
Inventory and Order Entry-based access, which apply depending on the particular
application accessing data.
Partitioned application context facilitates the development of applications using
Virtual Private Database, because applications can have different security policies
based upon their individual application needs.
Global Application Context
In order to support hundreds of thousands of users, many web-based applications
use connection pooling to achieve the required high scalability. These applications
set up and reuse connections rather than create different sessions for each user.
For example, two web users, Diane and Sanjay, connect to a middle tier application,
which establishes a session in the database used by the application. The application
is responsible for switching the username on the connection, so that, at any given
time, it’s either Diane or Sanjay using the session.
Global application contexts allow multiple
sessions to share the same security
attributes.
Oracle Virtual Private Database capabilities facilitate connection pooling by
allowing multiple connections to access one or more global application contexts,
instead of setting up an application context for each user session. Global
application contexts provide additional flexibility for web-based applications to use
Virtual Private Database, as well as enhanced performance through reuse of
common application contexts among multiple sessions instead of setting up persession application contexts.
Application user proxy authentication can be used with global application context
for additional flexibility and high performance in building e-business applications.
For example, suppose a web-based application that provides information to
business partners has three types of users: Gold, Silver, and Bronze, representing
different levels of information available. Instead of each user having his own
session — with individual application contexts — set up, the application could set
up global application contexts for Gold, Silver or Bronze and use the client
identifier to point the session at the correct context, in order to retrieve the
appropriate type of data. The application need only initialize the three global
contexts once, and use the client identifier to access the correct application context
to limit data access. This provides performance improvements through session
reuse, and through accessing global application contexts set up once, instead of
having to initialize application contexts for each session individually.
Externalized Application Context
Virtual Private Database does allow simple security attributes to be initialized from
attributes stored in Oracle Internet Directory. The ability to identify attributes in
Oracle Internet Directory that can be used for initialization of an application
context further enhances the ability of organizations to leverage directory-based
user management and derive a lower cost of ownership. For example, an Order
Entry application context could be initialized externally by populating “cost
center” attributes automatically, based on corresponding attributes defined for a
Oracle Database 10g Release 2 Security
Page 17
user in Oracle Internet Directory. The ability to predefine “externally initialized”
application contexts reduces the cost of development, since developers do not need
to write LDAP calls to retrieve attributes from a directory into an application
context. This also avoids duplication of data in both a database and a directory, by
enabling Virtual Private Database to use attributes stored in Oracle Internet
Directory for row level security.
In addition, Oracle Database 10g Release 1 introduced a new parameter with which
helps increase the performance of VPD. This new option allows three parameters
to be added to the “apply_policy” command: Static, context sensitive and dynamic
Static: When
the predicate (WHERE-clause) does not change (for example
“WHERE 9 a.m. < sysdate < 6 p.m.”), the policy is only executed once (even if
the result of the query varies depending on the time the statement is issued) and
stored in memory, which greatly enhances performance.
Context Sensitive: This is used when the predicate changes infrequently, for example
when another user logs on: “select * from orders WHERE customer_id in (select
cust_id from customers where last_name = (sys_context('userenv','user_name')));
As long as one customer queries the orders table, the policy does not need to be
executed each time, since it doesn't change. Only when another customer logs on
and queries the same table, which of course results in different rows being returned,
the policy is executed again. Depending on the frequency of changes, this is a
significant performance enhancement.
Dynamic: For compatibility reasons, this is the default when not specified. The
policy is executed each time a protected objects is accessed.
DATA CLASSIFICATION WITH ORACLE LABEL SECURITY
Oracle Label Security helps customers
address regulatory compliance challenges
by combining data classification technology
with the concept of a user security clearance
to enable strong access controls in the
Oracle database.
Oracle Label Security has been evaluated
twice (versions 8.1.7 & 9.2) using the
International Common Criteria at EAL4.
Unlike Virtual Private Database where the DBA or developer writes the security
policy using PL/SQL, Oracle Label Security provides a security policy and data
dictionary for managing access to data using data classification and security
clearances. Oracle Label Security helps customers address regulatory compliance
challenges by combining data classification technology with the concept of a user
security clearance to enable strong access controls in the Oracle database. Data
classification labels, also referred to as sensitivity labels, can be assigned to
individual rows in an application table, enabling row level security, or used within
program units to assign classification labels to application modules. User security
clearances and data classification labels can be used throughout the enterprise to
make access control decisions.
Data classification labels are what determine an application user’s ability to view
and update application data. Data classification labels provide sophisticated
controls which are not possible with traditional object level privileges. For
example, suppose an order entry application security policy states that the
application must be capable of limiting access to purchase orders labeled Sensitive?
By default, giving an application user the SELECT privilege on the purchase orders
Oracle Database 10g Release 2 Security
Page 18
table will allow the user to view all information. One approach to solving this
requirement is to create two database views. The first view will exclude all the
purchase orders deemed company sensitive and the second will include all the
purchase orders. This approach is problematic because the security policy may
change to include new levels of sensitivity. In addition, application users will need
to be assigned the correct enterprise role depending on their authorization to view
company sensitive information.
Data classification labels solve this security requirement and eliminate the need for
additional views. Oracle Label Security data classification labels can contain three
components: a single hierarchical level or classification, one or more horizontal
compartments or categories and one or more groups.
Oracle Label Security Authorizations
Sensitive
Application Table
Case No.
Location
Department
Sensitivity Label
AX703
Chicago
Finance
Unclassified
OK
B789C
Dallas
Engineering
Sensitive
OK
JFS845
Chicago
Legal
Highly Sensitive
SF78SD
Miami
Figure 4. Example
Application
Table
Human
Resource
Confidential:
HR
Identity Management Integration
Managing Oracle Label Security in Oracle
Identity Management provides an easy way
to extend security clearances to the entire
enterprise.
Oracle Database 10g allows Oracle Label Security policies to be centrally created in
the Oracle Identity Management infrastructure. Leveraging the Oracle Internet
Directory, the Oracle Label Security policies are created in a central location for the
entire enterprise. This simplifies provisioning and administration of security across
all databases in the enterprise or GRID. Organizational sensitivity labels and
application user security clearances can be managed in one location.
If an application user needs additional access, their security clearance can be raised
and the information will be automatically propagated to all registered databases in
the enterprise. If an employee changes organizations, takes a leave of absence or is
terminated, their access can be disabled from one location.
Oracle Database 10g Release 2 Security
Page 19
Oracle Policy Manager
Oracle Policy Manager is an administration tool for both Oracle Label Security and
Oracle Virtual Private Database. Oracle Label Security policies can be managed
using Oracle Policy Manager by connecting as the user LBACSYS or another user
with appropriate privileges.
SECURE APPLICATION ROLE
Secure Application Roles can be used to
restrict access to roles granted to a user
based on a policy written in PL/SQL.
A long-standing security problem has been that of limiting how users access data,
to prevent users from bypassing application logic to access data directly. For
example, in web-based applications, even if users are known to the database, it may
not be desirable to allow them to have direct access to data. To-date, this has been
a very difficult security problem to solve, because there has been no secure way to
validate which application is used to access data — e.g. a malicious user could
write a program that appears to be a valid human resources application, but, in fact,
is not.
Oracle addresses this challenge through a secure application role: a role invoked by
a package. The package can perform any desired validation to ensure that the
appropriate conditions are met before the user can exercise privileges granted to
the role in the database. The database ensures that it is only the trusted package
implementing the role that determines the correct access conditions. The set role
operation is performed within the package.
In three-tier systems using proxy authentication, the package can validate that the
user session was created by a middle tier, and thus that the user is accessing the
database through the correct application. The secure application role can also
ensure that a user connecting directly to the database is not able to access any data.
A secure application role can enforce other security conditions, as well; for
example, the user may not be allowed to access especially sensitive human
resources data from the Internet.
Oracle Database 10g Release 2 Security
Page 20
A secure application role enhances the native strong authentication and row level
security features of the database to prevent users from assuming any privileges
unless the correct access conditions are met. Secure application role solves a very
difficult security issue and help address web based access control issues.
sqlplus appsecofficer/mypassword
SQL> create role hr_actions identified using hr_sec_package;
SQL> grant select, insert, update on hr_workflow to hr_actions;
SQL> grant hr_actions to jsmith;
sqlplus jsmith/mypassword
SQL> set role hr_actions
ERROR at line 1:
ORA-28201: Not enough privileges to enable application role
'HR_ACTIONS'
SQL> execute hr_sec_package;
PL/SQL procedure successfully completed.
AUDITING FOR COMPLIANCE
Oracle standard and fine grained
auditing can help address internal
controls mandated by such regulations
as Sarbanes-Oxley.
A critical aspect of any security policy is maintaining a record of system activity to
ensure that users are held accountable for their actions. Auditing helps deter
unauthorized user behavior which may not otherwise be prevented. It is
particularly useful for ensuring that authorized system users do not abuse their
privileges. Oracle builds upon the existing robust and comprehensive auditing
capabilities of the database to include fine-grained auditing, that can serve as an
“early warning system” of users misusing data access privileges, as well as an
intrusion detection system for the database itself.
Oracle standard and fine grained auditing can help address internal controls
mandated by such regulations as Sarbanes-Oxley.
Robust, Comprehensive Auditing
The Oracle audit facility allows businesses to audit database activity by statement,
by use of system privilege, by object, or by user. For example, one can audit
activity as general as all user connections to the database, and as specific as a
particular user creating a table. One can also audit only successful operations, or
unsuccessful operations. For example, auditing unsuccessful SELECT statements
may catch users on “fishing expeditions” for data they are not privileged to see.
Audit trail records can be stored in an Oracle table, making the information
available for viewing through ad hoc queries or any appropriate application or tool,
or combined with operating system audit trails on selected operating systems, for
ease of management.
Oracle Database 10g Release 2 Security
Page 21
Efficient Auditing
Oracle implements auditing efficiently: statements are parsed once for both
execution and auditing, not separately. Also, auditing is implemented within the
server itself, not in a separate, add-on server which may be remotely situated from
the statements which are being executed (thereby incurring network overhead).
The granularity and scope of these audit options allow Oracle customers to record
and monitor specific database activity without incurring the performance overhead
that more general auditing entails. And, by setting just the options of interest,
Oracle customers can avoid “catch-all, and throw away” audit methods which
intercept and log all statements, and then filter them to retrieve the ones of interest.
Customizable Auditing
To record customized information that is not automatically included in audit
records, Oracle can use triggers to further customize auditing conditions and audit
record contents. Database triggers are user-defined sets of PL/SQL or Java
statements, stored in compiled form. While users explicitly execute stored
procedures, database triggers are automatically executed (or “fired”) within the data
server based on pre-specified events. A trigger is defined to execute either before
or after an INSERT, UPDATE or DELETE, so that when that operation is
performed on that table, the trigger automatically fires. For example, one could
define a trigger on the EMP table to generate an audit record whenever an
employee’s salary is increased by more than 10 percent and include selected
information, such as before and after values of SALARY.
Fine-grained, Extensible Auditing
Oracle introduces extensible,
fine-grained auditing, that can
alert administrators to misuse
of legitimate data access rights
as well as serving as an
intrusion detection system for
the database.
Oracle expands upon the existing robust, granular auditing capabilities of the
database by introducing extensible, fine-grained auditing. Fine-grained auditing
enables organizations to define specific audit policies that can alert administrators
to misuse of legitimate data access rights.
Fine-grained auditing allows organizations to define audit policies, which specify
the data access conditions that trigger the audit event, and use a flexible event
handler to notify administrators that the triggering event has occurred. For
example, an organization may allow HR clerks to access employee salary
information, but audits access when salaries greater than $500K are accessed. The
audit policy (“where SALARY > 500000”) is applied to the EMPLOYEES table
through an audit policy interface (a PL/SQL package). Oracle Database 10g
extends support for Fine-gained auditing to INSERT, UPDATE and DELETE
statements.
For additional flexibility in implementation, organizations can employ a userdefined function to determine the policy condition, and identify a relevant column
for auditing (“audit column”). For example, the function could allow unaudited
access to any salary as long as the user is accessing data within the intranet, but audit
access to executive-level salaries when they are accessed from the Internet. An
Oracle Database 10g Release 2 Security
Page 22
audit column helps reduce the instances of false or unnecessary audit records,
because the audit need only be triggered when a particular column is referenced in
the query. For example, an organization may only wish to audit executive salary
access when an employee name is accessed, because accessing salary information
alone is not meaningful unless an HR clerk also selects the corresponding employee
name.
Oracle captures the exact SQL text of the
statement the user executed in audit tables.
Oracle captures the exact SQL text of the statement the user executed in audit
tables. In conjunction with other database features such as Flashback Query, finegrained auditing can be used to recreate the exact records returned to a user. This
may be especially important to organizations who have especially sensitive
information they wish to share, for which they require strict accountability. For
example, many law enforcement organizations at the international, federal, state and
local level are increasingly becoming “e-businesses” by sharing information among
themselves, yet it is more important than ever that they audit access to sensitive
information, such as informant data, to know who accessed what exact data.
The event handler provides organizations with flexibility in determining how to
handle a triggering audit event. A triggering audit event could be written into a
special audit table for further analysis, or could activate a pager for the security
administrator. The event handler allows organizations to fine-tune their audit
response to appropriate levels of escalation.
Fine-grained auditing enables organizations to hone their auditing capabilities to
capture and identify particular, specific data access of concern. In addition to
providing more granular, targeted audit information, such as detecting misuse of
legitimate access, fine-grained auditing can also serve as an intrusion detection
facility for the Oracle Database 10g itself.
Enhanced Administrator Auditing
The Oracle database uses redo logs to record all changes made in the database.
Redo logs provide recovery from an instance or media failure. Oracle applies the
appropriate changes in the database’s redo log to the data files, which update
database data the instant that the failure occurred. The ability to capture all system
activities in logs, in fact, has security benefits as well. The activities of all users—
from the most privileged to the least—are captured in these logs.
Audit trails complement redo logs with their ability to hold users accountable for
any and all actions taken against the database. Because audit logs are stored in the
SYS schema, however, auditors who need to hold accountable users connected as
SYSDBA or SYSOPER have a bootstrap issue. Oracle further strengthens auditing
by specifically auditing users connected through SYSDBA and SYSOPER, and
recording the audit trail on the operating system. As long as the auditor has root
on the operating system, and the database administrator does not, customers can
separate the function of the database administrator and the auditor.
Oracle Database 10g Release 2 Security
Page 23
This auditing feature benefits e-business customers in multiple ways. It facilitates
the ability to track SYS operations and investigate suspicious activities, which is
especially important because this user has numerous privileges. It enables ebusinesses with strict auditing requirements, particularly banks and other financial
services companies, to separate the function of the database administrator from the
auditor.
Auditing For Three-Tier Applications
Many three-tier applications authenticate users to the middle tier, then the
transaction processing monitor or application server connects as super-privileged
user, and does all activity on behalf of all users. With Oracle, customers are not
only able to preserve the identity of the real client over the middle tier and enforce
“least privilege” through a middle tier, but can also audit actions taken on behalf of
the user by the middle tier. Oracle’s audit records capture both the logged-in user
(e.g., the middle tier) who initiated the connection, and the user on whose behalf an
action is taken. Auditing user activity, whether users are connected through a
middle tier or directly to the data server, enhances user accountability, and thus the
overall security of multi-tier systems.
ORACLE ADVANCED SECURITY
Oracle Advanced Security protects privacy and confidentiality of data over the
network by eliminating data sniffing, data loss, replay and person-in-the-middle
attacks. All communication with an Oracle Database can be encrypted with Oracle
Advanced Security. In addition, Oracle Advanced Security TDE encrypts data
inside the database. Databases contain extremely sensitive information and
restricting access by strong authentication is one of first lines of defense. Oracle
Advanced Security provides strong authentication solutions leveraging a business’s
existing security framework including Kerberos, Public Key Cryptography,
RADIUS and DCE for Oracle Database 10g.
Industry Standard Encryption and Data Integrity
Oracle Advanced Security protects all communications to and from the Oracle
Database. Businesses have a choice between using Oracle Advanced Security’s
native encryption/data integrity algorithms and SSL to protect data over the
network. Some of the typical scenarios requiring network level encryption include:
•
Database Server is a behind a firewall and users access the server via
client server applications
•
Communication between the application server in a DMZ and the
Database which is in behind a second firewall must be encrypted
Native Encryption and Data Integrity algorithms in Oracle Advanced Security
require no PKI deployment. With each subsequent release of the database, newer
encryption algorithms are included as they gain industry approval. The latest
addition is the Advanced Encryption Standard (AES), an algorithm improved in
Oracle Database 10g Release 2 Security
Page 24
security and performance over DES. The complete list of Encryption and Data
integrity algorithms are
•
AES (128, 192 and 256 Key)
•
RC4 (40, 56, 128, 256 Key)
•
3DES (2 Key and 3 Key)
•
MD5
•
SHA1
SSL based encryption is available for businesses that have elected to provide Public
Key Infrastructure to their IT deployments. New in the Oracle Advanced Security
10g release is the support for TLS 1.0 protocol. Oracle Advanced Security provides
AES cipher suites with the TLS 1.0 protocol in Oracle Database 10g.
Easy Configuration, No Changes to your Applications
Configuring the network parameters for the server and/or client enables the
network encryption/integrity function. Most businesses can therefore easily uptake
this technology as there are no changes required in the application.
Strong Authentication Services for Oracle Database 10g
Unauthorized access to information is a very old problem. Business decisions
today are driven by information gathered from mining terabytes of data. Protecting
sensitive information is key to a business’s ability to remain competitive. Access to
key data repositories such as the Oracle Database 10g that house valuable
information can be granted once users are identified and authenticated accurately.
Verifying user identity involves collecting more information than the usual
username and password. Oracle Advanced Security provides the ability for
businesses to leverage their existing security infrastructures such as Kerberos,
Public Key Infrastructure (PKI), RADIUS and Distributed Computing
Environment (DCE) for strong authentication services to the Oracle Database 10g.
New in this release is the ability to check X509v3 certificate revocations using
Certificate Revocation Lists stored in the file system, Oracle Internet Directory or
using CRL Distribution Points.
The ability for Oracle Database Servers or Database Clients /Users to use PKI
Credentials stored in Smart Cards or other Hardware Storage Modules using
industry’s PKCS 11 standard. This is especially useful for users as it provides
roaming access to the database via client server applications or web applications.
Storing server credentials in a hardware module provides an additional level of
security that some deployments require.
Oracle Database 10g Release 2 Security
Page 25
Closer Look At Kerberos Authentication for Directory Users
Kerberos integration for
enterprise users in Oracle 10g
eliminates the security versus
Usability debate. Kerberos
Authentication and SSL
communication require the
Oracle Database 10g Oracle
Advanced Security option
This feature is new in Oracle Database 10g Advanced Security. For organizations
that have shied away from Single Sign On with passwords, this feature provides
security with usability as shown in figure below. Once an Oracle database is
registered with a Kerberos Server and configured to support a Kerberos Service,
enterprise users can authenticate to the database without any additional
complications. Organizations that are already using a Kerberos Server and Oracle
Advanced Security’s Kerberos adapter can migrate their external database users to
the directory to benefit from centralized user management. User Migration Utility
assists in the migration task.
If the user is managed in a third party directory such as Active Directory, the
Directory Integration and Provisioning Service must synchronize, in addition to
other attributes, the user’s Kerberos Principal into Oracle Internet Directory.
Following is an illustration of this key benefit. In this scenario, a user is
provisioned by an HR application into an Active Directory Domain for instance.
The user is a member of a group in AD. The user along with his group
membership is synchronized into Oracle Internet Directory by the AD-OID
connector. When appropriate database roles are assigned to the OID group,
members within that group have access to the database objects.
Optional: Secure Single Sign
On and ease of use with
Kerberos
KDC
MIT v5 / MSKDC
Krb TGT
New employee
Provisioned in an
Active Directory
domain
Patient
Profile
Surgeon
Patient
Care
Oracle Database
Oracle Internet
Directory
Platform
Independent
External
Directory
AD-OID
Connector
Closer Look at RADIUS (Remote Dial-in User Service)
RADIUS (RFC #2138) is a distributed system that secures remote access to
network services and has long been established as an industry standard for remote
and controlled access to networks. RADIUS user credentials and access
information are defined in the RADIUS server to enable this external server to
perform authentication, authorization and accounting services when requested.
ORACLE RADIUS support is an implementation of the RADIUS Client protocols
that enables database to provide authentication, authorization and accounting for
Oracle Database 10g Release 2 Security
Page 26
RADIUS users. It sends authentication requests to RADIUS server and acts upon
the server’s responses. The authentication can occur either in synchronous or
asynchronous authentication modes and is part of Oracle configuration for
RADIUS support.
Oracle Advanced Security provides authentication, respects authorizations stored in
RADIUS and basic accounting services to RADIUS users when accessing the
Oracle database.
PKCS #12 Support
PKCS #12 support provides
interoperability with third-party
applications including
browsers.
Oracle Advanced Security supports X.509 certificates stored in PKCS #12
containers, making the Oracle wallet interoperable with third party applications like
Netscape Communicator 4.x and Microsoft Internet Explorer 5.x, and providing
wallet portability across operating systems. Users who have existing PKI
credentials may export them in PKCS#12 format and reuse them in Oracle Wallet
Manager, and vice versa. PKCS#12 thus increases interoperability and reduces the
cost of PKI deployment for organizations.
PKCS#11 Support, Smart Cards/Hardware Security Modules
Oracle Advanced Security supports the
PKCS#11 interface.
An Oracle Wallet is a software container that holds the private key and other trust
points of the certificate. Oracle Advanced Security supports the support PKCS#11
industry standard. This allows the private keys that were previously stored on the
file system to be created and stored in secure devices such as Hardware Security
Modules or Smart Cards that are available in the market. Oracle Advanced Security
10g Release 2 provides deeper integration with PKCS#11 enabling interoperability
with pre-provisioned certificates on hardware devices.
Industry Standards, Interoperable
Oracle Advanced Security’s SSL client can be used in any PKI that is industry
standards compliant. For instance, certificates issued by Verisign, Thawte, RSA
Keon and Oracle Certificate Authority can be used for authentication to Oracle
Database 10g as they accept standard PKCS#7 certificate requests and issue
X509v3 certificates. Oracle Advanced Security’s provides an Entrust adapter that
allows business applications to leverage Entrust’s PKI with Oracle Database 10g.
Oracle Advanced Security includes a Kerberos client is compatible with a Kerberos
v5 ticket that is issued by any MIT v5 compliant Kerberos server or Microsoft
KDC. Businesses can continue to operate in a heterogeneous environment using
Oracle Advanced Security’s Kerberos solution.
Oracle Advanced Security provides a RADIUS client that allows Oracle Database
10g to respect the authentication and authorizations asserted by a RADIUS server.
This feature is especially useful for businesses that are interested in two-factor
authentication that establishes your identity based on what you know (password or
PIN information) and what you have (the token card) provided by some token card
manufacturers.
Oracle Database 10g Release 2 Security
Page 27
Oracle Advanced Security has
supported SSL since Oracle Release
8i. New in Oracle Advanced
Security 10g is TLS1.0 support,
The new industry SSL protocol standard, TLS 1.0 is support with Oracle Advanced
Security 10g. While TLS 1.0 is based on SSL 3.0, the more tangible benefits for
Oracle users using TLS 1.0 are
•
Improved efficiencies for CPU intensive cryptographic operations
resulting in increased SSL based throughput
•
Improved TLS Handshake Protocol that provides increased privacy and
integrity for peer-to-peer communication
Smart Card support for Oracle
Wallets and URL and LDAP support
for certificate validation.
Oracle Wallet Manager continues to be the tool to use for certificate requests and
other certificate management tasks for the end user. Additional command line
utilities that assist in managing Certificate Revocation Lists (CRLs) and other
Oracle Wallet operations are also available in this release.
Certification Revocation Lists published to an LDAP server, a file system or a URL
are supported by Oracle’s SSL infrastructure.
A Closer Look At PKI
Public Key Infrastructure (PKI) encompasses technologies, policies and procedures
for authentication based on the principles of public key cryptography. Public Key
Infrastructure (PKI) has emerged as the authentication technology which is most
appropriate for securing Internet and e-commerce applications. There are a
number of reasons for this. First, PKI is highly scaleable. Since users maintain
their own certificates, and certificate authentication involves exchange of data
between client and server only (i.e., no third party authentication server needs to be
online), there is no limit to the number of users which can be supported using PKI.
Moreover, PKI allows delegated trust. A user who has obtained a certificate from a
recognized and trusted Certificate Authority (CA) can authenticate himself to a
server the very first time he connects to that server, without that user having
previously been registered with the system.
Oracle supports standard X.509v3 certificates and relevant Public Key Certificate
Standards (PKCS) for certificate request and installation. This allows users to
request certificates from any CA supporting these standards. It also allows users to
install trusted root certificates from their choice of CA's, allowing the server to
recognize and validate certificates issued by those CA's.
Oracle Database 10g Release 2 Security
Page 28
Oracle Database 10g Release 1 expanded PKI integration and interoperability
through:
•
PKCS#11 support
•
Wallet storage in Oracle Internet Directory
•
Multiple certificates per wallet
•
Strong wallet encryption
Wallets Stored in Oracle Internet Directory
Oracle Enterprise Security Manager creates user wallets as part of the user
enrollment process. The wallet is stored in Oracle Internet Directory, or other
LDAP-compliant directory. Oracle Wallet Manager can upload wallets to—and
retrieve them from—the LDAP directory.
Storing the wallet in a
centralized LDAP-compliant
directory lets users access
them from multiple locations.
Storing the wallet in a centralized LDAP-compliant directory supports user
roaming, allowing users to access their credentials from multiple locations or
devices, ensuring consistent and reliable user authentication, while providing
centralized wallet management throughout the wallet life cycle.
Multiple Certificate Support
Oracle Wallets support multiple certificates per wallet, including:
S/MIME signing certificate
S/MIME encryption certificate
Code-signing certificate
Oracle Wallet Manager Version 3.0 supports multiple certificates for a single digital
entity in a persona—with multiple private key pairs in a persona (each private key
can match only one certificate). This enables consolidation of and more secure
management of users’ PKI credentials.
Strong Wallet Encryption
The private keys associated with X.509 certificates require strong encryption, over
secure channels. Oracle replaces DES encryption with 3-key triple DES (3DES),
which is a substantially stronger encryption algorithm and provides strong security
for Oracle wallets.
SSL
Oracle implements the SSL protocol for encryption of data exchanged between
database clients and the database. This includes data in Oracle Net Services
(formerly known as Net8), LDAP, thick JDBC, and IIOP format. SSL encryption
provides users with an alternative to the native Oracle Net Services encryption
protocol which has been supported in Oracle Advanced Security (formerly known
as Advanced Networking Option) since Oracle7. A benefit of SSL is that it is a de
Oracle Database 10g Release 2 Security
Page 29
facto Internet standard, and can be used with clients using protocols other than
Oracle Net Services.
In a three-tier system, SSL support in the database means that data exchanged
between the middle tier and the database can be encrypted using SSL. The SSL
protocol has gained confidence of users, and it is perhaps the most widely-deployed
and well-understood encryption protocol in use today. Oracle’s implementation of
SSL supports the three standard modes of authentication, including anonymous
(Diffie-Hellman), server-only authentication using X.509 certificates, and mutual
(client-server) authentication with X.509.
Oracle Application Server also supports SSL encryption between thin clients and
the Oracle Application Server, as well as between Oracle Application Server and
Oracle Data Server. As in Oracle, anonymous, server-only, and client-server
authentication via X.509 are supported.
SSL addresses the problem of protecting user data exchanged between tiers in a
three-tier system. By providing strong, standards-based encryption, SSL provides
system developers and users with confidence that data will not be compromised in
the Internet. Note also that unlike password-based authentication, which
authenticates client to server only, SSL can authenticate server to client as well as
client to server. This is a useful feature when building a web-based three-tier
system, since users often insist on authenticating the identity of a web server before
they will provide the server with sensitive information, such as credit card numbers.
Java Security
Oracle8i was the first relational database to provide built-in support for Java,
reinforcing its position as the database platform of choice for Internet developers.
The security model in Oracle8i is that of JDK 1.1, which provided relatively coarsegrained access control. Oracle extends this security model to that of JDK 1.2,
which includes a fine-grained, policy-based access control model. This model is
more flexible and configurable than the previous Java security model, and is based
on a permission class hierarchy.
JDBC Security
JDBC is an industry-standard Java interface that provides a Java standard for
connecting to a relational database from a Java program. Sun Microsystems
defined the JDBC standard, and Oracle Corporation, as an individual provider,
implements and extends the standard with its own JDBC drivers. Oracle
implements two types of JDBC drivers: Thick JDBC drivers built on top of the Cbased Oracle Net Services client, and thin (pure Java) JDBC drivers to support
downloadable applets.
Since thick JDBC uses the full Oracle Net Services communications stack on both
client and server, it can take advantage of existing Oracle Advanced Security
encryption and authentication mechanisms. Because the thin JDBC driver is
Oracle Database 10g Release 2 Security
Page 30
designed for use with downloadable applets used over the Internet, Oracle includes
a 100% Java implementation of Oracle Advanced Security encryption and integrity
algorithms for use with thin clients. Oracle Advanced Security provides the
following features for thin JDBC:
•
Data encryption
•
Data integrity checking
•
Secure connections from thin JDBC clients to the Oracle Database 10g
•
Ability for developers to build applets that transmit data over a secure
communication channel
•
Secure connections from Oracle Database 10gs to older versions of Oracle
Advanced Security-enabled databases
Secure Connections for Virtually Any Client
Thick JDBC contains a
complete implementation of a
Oracle Net Services client in
pure Java.
On the server, the negotiation of algorithms and the generation of keys function
exactly the same as Oracle Advanced Security Net8 encryption, thus allowing
backward and forward compatibility of clients and servers. On the clients, the
algorithm negotiation and key generation occur in exactly the same manner as Cbased Oracle Advanced Security encryption. The client and server negotiate
encryption algorithms, generate random numbers, use Diffie-Hellman to exchange
session keys, and use the Oracle Password Protocol, in the same manner as
traditional Oracle Net Services clients. Thin JDBC contains a complete
implementation of a Oracle Net Services client in pure Java. Consistent with other
encryption implementations, the Java implementation of Oracle Advanced Security
prevents access to the cryptographic algorithms, makes it impossible to double
encrypt data, and encrypts data as it passes through the network. Users cannot alter
the keyspace nor alter the encryption algorithms themselves.
Use of the Secure JDBC Implementation
The Oracle Advanced Security Java implementation gives developers the ability to
build applets that transmit data over secure communication channels secured by
Oracle Advanced Security. For example, it provides secure connections from any
middle tier server with Java Server Pages (JSPs) to the Oracle Data Server and
secure connections from Oracle Database 10gs to older versions of Oracle
Advanced Security-enabled databases. This allows e-businesses deploying Oracle
and other components to securely transmit a variety of information over a variety
of channels.
Oracle Database 10g Release 2 Security
Page 31
SUMMARY
Just like previous versions of the Oracle Database, Oracle Database 10g Release 2
raises database security technology to a new level. Oracle's decade long
commitment to independent security evaluations, coupled with Oracle's 25 plus
years working with security conscious customers has enabled Oracle to establish
itself as the database security leader. Robust support for data encryption, row level
security, integrated identity management capabilities, fine-grained auditing, label
security, proxy authentication, PKI support, and virtual private database are just a
few of the technologies available with Oracle Database 10g Release 2. In addition,
the capabilities in the Oracle Database 10g Release 2 are ideally suited for meeting
the privacy and regulatory compliance challenges in today's global economy.
Oracle Database 10g Release 2 identity management integration capabilities provide
huge cost savings by dramatically reducing the complexity of managing application
users. Oracle is an ideal platform on which to build and deploy secure applications
for today's complex, Internet connected world.
Oracle Database 10g Release 2 Security
Page 32
Oracle Database 10g Release 2 Security
June 2005
Author: Paul Needham
Contributing Authors: [OPTIONAL]
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2005, Oracle. All rights reserved.
This document is provided for information purposes only and the
contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to any
other warranties or conditions, whether expressed orally or implied
in law, including implied warranties and conditions of merchantability
or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document and no contractual obligations
are formed either directly or indirectly by this document. This document
may not be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without our prior written permission.
Oracle, JD Edwards, and PeopleSoft are registered trademarks of
Oracle Corporation and/or its affiliates. Other names may be trademarks
of their respective owners.
Download PDF
Similar pages