Database Encryption - PowerPoint PPT Presentation

Slide1 l.jpg
1 / 19

Database Encryption Encryption: overview Encrypting Data-in-transit As it is transmitted between client-server Encrypting Data-at-rest Storing data in the database as encrypted

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Database Encryption

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Slide1 l.jpg

Database Encryption

Encryption overview l.jpg

Encryption: overview

  • Encrypting Data-in-transit

    As it is transmitted between client-server

  • Encrypting Data-at-rest

    Storing data in the database as encrypted

    Encrypting of Data is another layer of security (security in depth). It does not substitute other DB security techniques such as strong password.

Encrypting data in transit l.jpg

Encrypting Data-in-transit

For a Hacker to eavesdrop on a conversation and steal data, two things may occur

1) Physically tap into the communications between

the db client & the db server

2) Hacker must understand the communication stream in order to extract sensitive data.

In order to do this, what does the Hacker need ?

Tools for packet sniffing l.jpg

Tools for packet sniffing

the Hacker needs to have

  • With a minimum understanding of TCP/IP +

  • Use one of many network protocol analyzer that are freely available.

  • Packet (formatted block of data transmitted by a Network).

  • Sniffing: capturing and analyzing package

    (like dog sniffing).

Minimum understanding of tcp ip l.jpg

Minimum Understanding of TCP/IP

  • Network Security book.


    Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg, Network Security; The Complete Reference.

  • TCP/IP is well documented all over the web.

  • Documentation describes the headers of the packet.

Where to run network analyzer packet l.jpg

Where to run Network Analyzer Packet ?

  • Client Machine that has access to the Database server

  • Database Server

Network protocol analyzer examples l.jpg

Network Protocol Analyzer: examples

  • Tcpdump: utility available as part of installation on most UNIX systems. Can be downloaded from

  • (windump). Windows counterpart. Available on some systems. Can be downloaded from

  • Wireshark(

    world’s most famous NP Analyzer. Formerly Ethereal (

Implement encryption data in transit l.jpg

Implement Encryption,data-in-transit

Fortunately there are also many encryption techniques for data in transit:

  • Database-specific features such as Oracle Advanced Security

  • Connection-based metods (such as SSL)

  • Secure tunnels (such as SSH)

  • Relying on the operating Systems (IPSec Encryption)

Slide9 l.jpg


  • Oracle Advanced Security (previously Advanced Network Option), contains network encryption tools. Depending on the version of Oracle, it is available for no extra cost. It is for the enterprise edition.

  • Best literature for OAS is Oracle Security Handbook by Marlene Theriault and Aaron Newman, McGraw-Hill.

Secure socket layer ssl l.jpg

Secure Socket Layer (SSL)

  • cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.

  • You may enable SSL from within a DBMS.

  • SQL-Server for example: Programs -> Microsoft SQL Server -> Server Network Utility, check the Force protocol Encryption checkbox. Then Stop and start SQL Server.

  • Server also must be informed how it will derive encryption keys

  • Note: make sure that your version of SSL is compatible with your version of MySQL (like in ODBC or JDBC).

Ssh tunnels l.jpg

SSH Tunnels

  • SSH used in many applications. Example: Substitute for FTP with encryption.

  • From most DBMSs, you can set up SSH tunnels to encrypt database traffic by port forwarding (Encrypted session between client and server).

  • Example: to connect Linux client machine of IP CCC.CCC.C.CCC to a MySQL instance installed on a server with IP address of SSS.SSS.S.SS listening in on port 3306 (default MySQL port).

  • Ssh –L 1000:localhost:3306 SSS.SSS.S.SS –l mylogin –I ~/ .ssh id –N -g

  • -L=port forwarding, Any connection attempted on port 1000 on the local machine should be forwarded to port 3306 on the server. Therefore any connection on port 1000 will go through encryption.

Ipsec l.jpg


  • Another Infrastructure option that protects the DB with encryption tools.

  • IPSec is done by the OS so you need to encrypt all communications (can’t be selective).

  • It operates at layer 3 of the OSI network (lower level).

    Installing IPSec on Windows/XP

  • install IP Security Policy manager. Then from Control Panel -> Administrative Tools, select IPSec

Encrypting data at rest l.jpg

Encrypting Data-at-rest

  • There are two reasons to do this

    • Protect it from DBAs.

    • Protect from File or Disk Theft.

Encrypting data at rest14 l.jpg

Encrypting Data-at-rest

  • Encrypting at Application Layer

    Must do it at multiple locations from within app.

    Data can only be used from within application

  • Encrypting at File System/Operating System Layer

    less flexible. Requires you to encrypt everything.

    Performance degrades

    Weak for handling Disk Theft problem.

  • Encrypting within Database

    • Usually, most practical option

Encrypting at application layer l.jpg

Encrypting at Application Layer

  • Application Developers use a cryptographic library to encrypt such as Java Cryptographic Extensions (JCE) – set of APIs in the and java.crypto packages

Encryption at os layer l.jpg

Encryption at OS layer

  • Windows implements the Encrypted File System (EFS) and you can use it for MS-SQL Server.

  • Disadvantages ?

Encryption within database l.jpg

Encryption within Database

  • SQL Server 2005 you can access Windows

    CryptoAPI through DB_ENCRYPT and DB_DECRYPT within T-SQL (similar to PL/SQL)

    Can use DES, Triple DES and AES

    (symmetric keys)

  • In ORACLE, you can access

    • DBMS_OBFUSCATION_TOOLKIT package that implements DES and Triple DES

Summary l.jpg


  • DB Encryption can be divided into Data-in-transit and Data-at-rest

  • Encryption is useful as a last layer of defense (defense in depth). Should never be used as an alternative solution

  • Encryption should be used only when needed

  • Key Management is Key

End of lecture l.jpg

End of Lecture





  • Login