Database Encryption - PowerPoint PPT Presentation

Presentation Transcript
Encryption: overview
  • Encrypting Data-in-transit: protecting data as it is transmitted between the client and the server
  • Encrypting Data-at-rest: storing data in the database in encrypted form

Encrypting data is another layer of security (defense in depth). It does not substitute for other DB security techniques such as strong passwords.

Encrypting Data-in-transit

For a hacker to eavesdrop on a conversation and steal data, two things must occur:

1) Physically tap into the communications between the DB client and the DB server.

2) Understand the communication stream in order to extract the sensitive data.

In order to do this, what does the hacker need?

Tools for packet sniffing

The hacker needs to have:

  • A minimum understanding of TCP/IP, and
  • One of the many network protocol analyzers that are freely available.
  • Packet: a formatted block of data transmitted over a network.
  • Sniffing: capturing and analyzing packets (like a dog sniffing).

Minimum Understanding of TCP/IP
  • Network Security book: Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg, Network Security: The Complete Reference.
  • TCP/IP is well documented all over the web.
  • The documentation describes the headers of the packet.
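As an added illustration (not from the slides), here is a small Go program that decodes the IPv4 and TCP headers the documentation describes and then applies a defensive rule: flag segments sent to a database port whose payload is readable SQL, which is exactly what an eavesdropper would see on an unencrypted connection and what a monitoring team wants to catch before an attacker does. The packets are constructed inside the code; the DB port table, the 75% printable-byte threshold and the keyword list are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Packet holds the header fields a protocol analyzer decodes from an IPv4/TCP frame.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Payload          []byte
}

// ParseIPv4TCP decodes the IPv4 header (RFC 791) and TCP header (RFC 793)
// and returns the application payload that follows them.
func ParseIPv4TCP(b []byte) (*Packet, error) {
	if len(b) < 20 || b[0]>>4 != 4 {
		return nil, errors.New("not an IPv4 packet")
	}
	ihl := int(b[0]&0x0f) * 4 // IPv4 header length in bytes
	total := int(binary.BigEndian.Uint16(b[2:4]))
	if ihl < 20 || total > len(b) || total < ihl+20 {
		return nil, errors.New("truncated or malformed IPv4 header")
	}
	if b[9] != 6 { // protocol field: 6 = TCP
		return nil, errors.New("not a TCP segment")
	}
	tcp := b[ihl:total]
	dataOff := int(tcp[12]>>4) * 4 // TCP header length in bytes
	if dataOff < 20 || dataOff > len(tcp) {
		return nil, errors.New("malformed TCP header")
	}
	return &Packet{
		SrcIP:   fmt.Sprintf("%d.%d.%d.%d", b[12], b[13], b[14], b[15]),
		DstIP:   fmt.Sprintf("%d.%d.%d.%d", b[16], b[17], b[18], b[19]),
		SrcPort: binary.BigEndian.Uint16(tcp[0:2]),
		DstPort: binary.BigEndian.Uint16(tcp[2:4]),
		Payload: tcp[dataOff:],
	}, nil
}

// dbPorts maps default listener ports to the DBMS that uses them (assumed list).
var dbPorts = map[uint16]string{3306: "MySQL", 1433: "SQL Server", 1521: "Oracle"}

// LooksCleartextSQL reports whether a payload is mostly readable text containing a SQL
// keyword, i.e. what an eavesdropper sees when the connection is not encrypted.
func LooksCleartextSQL(p []byte) bool {
	printable := 0
	for _, c := range p {
		if (c >= 0x20 && c <= 0x7e) || c == '\n' || c == '\r' || c == '\t' {
			printable++
		}
	}
	if len(p) == 0 || printable*4 < len(p)*3 { // require at least 75% printable bytes
		return false
	}
	s := strings.ToUpper(string(p))
	for _, kw := range []string{"SELECT ", "INSERT ", "UPDATE ", "DELETE ", "PASSWORD"} {
		if strings.Contains(s, kw) {
			return true
		}
	}
	return false
}

// CheckPacket is the detection rule: flag a segment to a DB port whose payload is cleartext SQL.
func CheckPacket(b []byte) (bool, string, error) {
	pkt, err := ParseIPv4TCP(b)
	if err != nil {
		return false, "", err
	}
	dbms, ok := dbPorts[pkt.DstPort]
	if !ok || !LooksCleartextSQL(pkt.Payload) {
		return false, "", nil
	}
	return true, fmt.Sprintf("unencrypted %s traffic %s:%d -> %s:%d",
		dbms, pkt.SrcIP, pkt.SrcPort, pkt.DstIP, pkt.DstPort), nil
}

// BuildPacket assembles a minimal IPv4/TCP frame (no options, checksums left zero)
// so the example runs offline on constructed input.
func BuildPacket(src, dst [4]byte, sport, dport uint16, payload []byte) []byte {
	b := make([]byte, 40+len(payload))
	b[0] = 0x45 // version 4, IHL 5 (20 bytes)
	binary.BigEndian.PutUint16(b[2:4], uint16(len(b)))
	b[8], b[9] = 64, 6 // TTL, protocol = TCP
	copy(b[12:16], src[:])
	copy(b[16:20], dst[:])
	tcp := b[20:]
	binary.BigEndian.PutUint16(tcp[0:2], sport)
	binary.BigEndian.PutUint16(tcp[2:4], dport)
	tcp[12], tcp[13] = 0x50, 0x18 // data offset 5 (20 bytes), flags PSH|ACK
	copy(tcp[20:], payload)
	return b
}

func main() {
	client, server := [4]byte{10, 0, 0, 5}, [4]byte{10, 0, 0, 20}
	// Constructed MySQL COM_QUERY: 3-byte length, sequence byte, 0x03 command, query text.
	query := append([]byte{0x1b, 0, 0, 0, 0x03}, "SELECT password FROM users"...)
	// Constructed TLS application-data record: opaque ciphertext, nothing readable.
	record := []byte{0x17, 0x03, 0x03, 0x00, 0x10, 0x9f, 0x1c, 0x55, 0xe2, 0x07, 0xb8, 0xd1, 0x3a, 0x6c, 0x90, 0x41}
	for _, p := range [][]byte{BuildPacket(client, server, 51000, 3306, query), BuildPacket(client, server, 51001, 3306, record)} {
		flagged, desc, err := CheckPacket(p)
		fmt.Println(flagged, desc, err)
	}
}
```

The first constructed packet is flagged (the query and the word "password" are visible in the payload); the second, a TLS record to the same port, is not, because after encryption there is nothing for the analyzer to read beyond the headers.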
Where to run the Network Packet Analyzer?
  • A client machine that has access to the database server
  • The database server
Network Protocol Analyzer: examples
  • Tcpdump: utility available as part of the installation on most UNIX systems. Can be downloaded from
  • Windump: the Windows counterpart. Available on some systems. Can be downloaded from
  • Wireshark: the world's most famous network protocol analyzer. Formerly Ethereal.

Implement Encryption, data-in-transit

Fortunately there are also many encryption techniques for data in transit:

  • Database-specific features such as Oracle Advanced Security
  • Connection-based methods (such as SSL)
  • Secure tunnels (such as SSH)
  • Relying on the operating system (IPSec encryption)

  • Oracle Advanced Security (previously Advanced Network Option) contains network encryption tools. Depending on the version of Oracle, it is available at no extra cost. It is for the Enterprise Edition.
  • Best literature for OAS is the Oracle Security Handbook by Marlene Theriault and Aaron Newman, McGraw-Hill.
Secure Socket Layer (SSL)
  • Cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.
  • You may enable SSL from within a DBMS.
  • SQL Server, for example: Programs -> Microsoft SQL Server -> Server Network Utility, check the "Force protocol encryption" checkbox. Then stop and start SQL Server.
  • The server also must be informed how it will derive its encryption keys.
  • Note: make sure that your version of SSL is compatible with your version of MySQL and of the driver (ODBC or JDBC).
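To show what a connection-based method looks like end to end, here is an added Go example (not part of the presentation and not any DBMS's own code). It stands up a TLS listener on loopback with a self-signed certificate, standing in for a DBMS configured to force protocol encryption, and connects a client that verifies that certificate before sending anything, as a properly configured ODBC/JDBC driver must. The host name db.example.test, the one-line echo protocol and the TLS 1.2 minimum are assumptions of the example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "db.example.test" // hypothetical DB server host name

// SelfSignedCert makes a throwaway certificate for the DB server plus a pool that trusts it.
// In production the DBMS is configured with a CA-issued certificate and clients trust that CA.
func SelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// StartServer listens with TLS on loopback, answers one line per connection, and returns its address.
func StartServer(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse legacy SSL/TLS versions
	})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				// The TLS handshake runs on the first read; a client that fails
				// verification drops here and never sends a query.
				if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
					c.Write([]byte("ok: " + line))
				}
			}(c)
		}
	}()
	return ln.Addr().String(), nil
}

// Query connects as a DB client would, verifying the server certificate against roots,
// sends one line and returns the reply together with the negotiated TLS version.
func Query(addr string, roots *x509.CertPool, line string) (string, uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", 0, err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(line + "\n")); err != nil {
		return "", 0, err
	}
	reply, err := bufio.NewReader(conn).ReadString('\n')
	return reply, conn.ConnectionState().Version, err
}

func main() {
	cert, pool, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	addr, err := StartServer(cert)
	if err != nil {
		panic(err)
	}
	reply, ver, err := Query(addr, pool, "SELECT 1")
	fmt.Printf("reply=%q tls=0x%04x err=%v\n", reply, ver, err)
	_, _, err = Query(addr, x509.NewCertPool(), "SELECT 1") // client that does not trust the server cert
	fmt.Println("untrusted client:", err)
}
```

The second call fails during the handshake: a client whose trust store does not contain the server's certificate (or its CA) cannot tell the real server from an impostor in the middle, so the driver must be given that CA just as the server must be given its key, which is the "derive encryption keys" step above.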
SSH Tunnels
  • SSH is used in many applications. Example: a substitute for FTP, with encryption.
  • With most DBMSs, you can set up SSH tunnels to encrypt database traffic by port forwarding (an encrypted session between client and server).
  • Example: to connect a Linux client machine with IP CCC.CCC.C.CCC to a MySQL instance installed on a server with IP address SSS.SSS.S.SS listening on port 3306 (the default MySQL port):

    ssh -L 1000:localhost:3306 SSS.SSS.S.SS -l mylogin -i ~/.ssh/id -N -g

  • -L = port forwarding: any connection attempted on port 1000 on the local machine is forwarded to port 3306 on the server. Therefore any connection to port 1000 goes through the encrypted tunnel.
  • IPSec is another infrastructure option that protects the DB with encryption tools.
  • IPSec is done by the OS, so you need to encrypt all communications (it can't be selective).
  • It operates at layer 3 of the OSI network model (a lower level).

Installing IPSec on Windows XP

  • Install the IP Security Policy manager. Then from Control Panel -> Administrative Tools, select IPSec.
Encrypting Data-at-rest
  • There are two reasons to do this:
    • Protect it from DBAs.
    • Protect it from file or disk theft.
Encrypting Data-at-rest
  • Encrypting at the application layer
    • Must be done at multiple locations from within the app.
    • Data can only be used from within the application.
  • Encrypting at the file system / operating system layer
    • Less flexible: requires you to encrypt everything.
    • Performance degrades.
    • Weak for handling the disk-theft problem.
  • Encrypting within the database
    • Usually the most practical option.
Encrypting at Application Layer
  • Application developers use a cryptographic library to encrypt, such as the Java Cryptography Extension (JCE): a set of APIs in the javax.crypto and related packages.
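As an added example of encrypting at the application layer (my illustration in Go, not code from the slides), the following encrypts a single column value with AES-GCM before it reaches the database, tags each stored value with the ID of the key that produced it so keys can be rotated without re-encrypting every row at once, and binds the row identifier into the authentication tag so a ciphertext copied into another row is rejected on decryption. The Keyring type, the stored-value layout and the row-ID strings are assumptions of this example; it also illustrates the lecture's closing point that key management is key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Keyring holds the AES-256 keys the application has used, indexed by a one-byte key ID.
// Retired keys are kept so rows encrypted before a rotation still decrypt.
type Keyring struct {
	keys   map[byte][]byte
	active byte // key ID used for new ciphertexts
}

// NewKeyring starts a keyring with one active key.
func NewKeyring(id byte, key []byte) (*Keyring, error) {
	k := &Keyring{keys: map[byte][]byte{}}
	if err := k.Rotate(id, key); err != nil {
		return nil, err
	}
	return k, nil
}

// Rotate adds a key and makes it the active one; earlier keys stay available for decryption.
func (k *Keyring) Rotate(id byte, key []byte) error {
	if len(key) != 32 {
		return errors.New("AES-256 key must be 32 bytes")
	}
	if _, dup := k.keys[id]; dup {
		return fmt.Errorf("key id %d already in use", id)
	}
	k.keys[id] = key
	k.active = id
	return nil
}

func (k *Keyring) aead(id byte) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %d", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one column value under the active key. The row identity is passed as
// associated data, so the same ciphertext placed in another row fails authentication.
// Stored layout (base64): keyID || 12-byte random nonce || ciphertext+tag.
func (k *Keyring) EncryptField(plaintext, rowID string) (string, error) {
	gcm, err := k.aead(k.active)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out := append([]byte{k.active}, nonce...)
	out = gcm.Seal(out, nonce, []byte(plaintext), []byte(rowID))
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptField reverses EncryptField, selecting the key by the stored key ID.
func (k *Keyring) DecryptField(blob, rowID string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	if len(raw) < 1 {
		return "", errors.New("empty stored value")
	}
	gcm, err := k.aead(raw[0])
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < 1+ns+gcm.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, raw[1:1+ns], raw[1+ns:], []byte(rowID))
	if err != nil {
		return "", errors.New("authentication failed: wrong key, tampered value, or value moved to another row")
	}
	return string(pt), nil
}

// KeyIDOf reports which key a stored value was encrypted under, so a re-encryption job
// run after a rotation can find the rows still on a retired key.
func KeyIDOf(blob string) (byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(raw) == 0 {
		return 0, errors.New("malformed stored value")
	}
	return raw[0], nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // in production the key comes from a KMS/HSM, never from the database itself
	kr, _ := NewKeyring(1, key)
	blob, _ := kr.EncryptField("4111-1111-1111-1111", "customer:42") // constructed sample value
	pt, err := kr.DecryptField(blob, "customer:42")
	fmt.Println("stored:", blob, "decrypted:", pt, err)
	_, err = kr.DecryptField(blob, "customer:43") // same ciphertext under another row
	fmt.Println("moved row:", err)
}
```

Only the application holds the keys, which is what makes this layer effective against the DBA and disk-theft cases, and also why the data can only be used from within the application: a query on the encrypted column sees opaque strings.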
Encryption at OS layer
  • Windows implements the Encrypting File System (EFS) and you can use it for MS SQL Server.
  • Disadvantages?
Encryption within Database
  • In SQL Server 2005 you can access the Windows CryptoAPI through DB_ENCRYPT and DB_DECRYPT within T-SQL (similar to PL/SQL). It can use DES, Triple DES and AES (symmetric keys).
  • In Oracle, you can access the DBMS_OBFUSCATION_TOOLKIT package, which implements DES and Triple DES.

  • DB encryption can be divided into data-in-transit and data-at-rest.
  • Encryption is useful as a last layer of defense (defense in depth). It should never be used as a substitute for the other DB security techniques.
  • Encryption should be used only when needed.
  • Key management is key.
End of Lecture