Advanced Security Option
The Oracle Advanced Security Option (ASO) can be used in distributed environments
linked via Oracle Net in which there are concerns regarding secure access and transmission
of data. This option specifically provides data encryption during transmission
to protect data from unauthorized viewing over Oracle Net, as well as Net/SSL, IIOP/SSL,
and between thin JDBC clients and the database. Encryption algorithms supported
include RC4_40, RC4_56, RC4_128, RC4_256, DES, DES_40, 3DES112, 3DES168,
AES128, AES192, and AES256. Communications packets are protected against data
modification, transaction replay, and removal through MD5- and SHA-1-based integrity
checksums. Both encryption and integrity checking are negotiated per connection from
the client's and server's sqlnet.ora settings and are not on by default: a server and
client that both leave the setting at its default (ACCEPTED) exchange plaintext. By
current standards the RC4 and DES variants (the 40- and 56-bit export-grade lengths
above all) and MD5 are obsolete, so where a choice exists restrict the negotiated
algorithms to AES and the strongest checksum available. Network encryption is slated
to be moved into Oracle Database 12c Enterprise Edition.
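The negotiation rule just described is easy to get wrong in practice, so here is an added example (not Oracle's code and not from the book) that parses two constructed sqlnet.ora fragments, works out whether encryption and integrity checking will actually be on for a given client/server pair, and flags the weak algorithms from the list above. The parameter names (SQLNET.ENCRYPTION_SERVER, SQLNET.ENCRYPTION_TYPES_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER, SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER and their _CLIENT counterparts) and the mode values ACCEPTED, REJECTED, REQUESTED and REQUIRED are the real Oracle Net ones; the sample fragments and the classification of which algorithms count as weak are this example's own assumptions.

```python
"""Audit Oracle Net (sqlnet.ora) encryption and integrity settings.

Added example, not Oracle's code. It models the client/server negotiation
for SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_* and flags weak
algorithms. The sqlnet.ora fragments below are constructed samples.
"""

# Constructed sample: a server left at the defaults for the mode settings.
# ACCEPTED on both ends means nothing is encrypted or integrity-checked.
WEAK_SERVER = """
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_40, DES_40, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
"""

# Constructed sample: the same server hardened to force both features.
HARDENED_SERVER = """
# Force encryption and integrity protection for every Oracle Net session.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""

# A client that has never been configured: every parameter at its default.
DEFAULT_CLIENT = "# no SQLNET.* settings on this client\n"

# Assumption of this example: RC4, single DES and two-key 3DES are obsolete,
# as is MD5 for integrity. SHA1 is kept only because the page lists nothing
# stronger; it is itself deprecated where a newer checksum is available.
WEAK_ENCRYPTION = {"RC4_40", "RC4_56", "RC4_128", "RC4_256",
                   "DES", "DES_40", "3DES112"}
WEAK_CHECKSUM = {"MD5"}


def parse_sqlnet(text):
    """Parse KEY = VALUE lines; parenthesised values become lists."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            cfg[key.upper()] = [v.strip().upper()
                                for v in value[1:-1].split(",") if v.strip()]
        else:
            cfg[key.upper()] = value.upper()
    return cfg


def negotiate(server_mode, client_mode):
    """Outcome of Oracle Net's mode negotiation: 'on', 'off' or 'fails'."""
    modes = {server_mode, client_mode}
    if "REJECTED" in modes:
        # REJECTED against REQUIRED cannot connect; against anything else
        # the feature is simply switched off.
        return "fails" if "REQUIRED" in modes else "off"
    if modes == {"ACCEPTED"}:
        return "off"                                # the silent default
    return "on"


def audit(server_text, client_text=DEFAULT_CLIENT):
    """Return ({feature: outcome}, [finding, ...]) for a client/server pair."""
    server, client = parse_sqlnet(server_text), parse_sqlnet(client_text)
    results, findings = {}, []
    for feature, key, weak in (("encryption", "ENCRYPTION", WEAK_ENCRYPTION),
                               ("integrity", "CRYPTO_CHECKSUM", WEAK_CHECKSUM)):
        s_mode = server.get(f"SQLNET.{key}_SERVER", "ACCEPTED")
        c_mode = client.get(f"SQLNET.{key}_CLIENT", "ACCEPTED")
        outcome = negotiate(s_mode, c_mode)
        results[feature] = outcome
        if outcome != "on":
            findings.append(f"{feature} is {outcome} "
                            f"(server {s_mode}, client {c_mode})")
        offered = server.get(f"SQLNET.{key}_TYPES_SERVER", [])
        # No list configured means every installed algorithm is offered,
        # including the weak ones.
        weak_offered = sorted(weak if not offered else weak & set(offered))
        if weak_offered:
            findings.append(f"{feature} offers weak algorithms: "
                            f"{', '.join(weak_offered)}")
    return results, findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        outcome, issues = audit(text)
        print(name, outcome, issues or "no findings")
```

Run against the weak fragment with an unconfigured client, the audit reports both features off and the export-grade ciphers and MD5 on offer; the hardened fragment comes back clean because REQUIRED on the server side forces the feature on regardless of the client's default.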
Transparent Data Encryption (described in the next section) is included as part of the
Advanced Security Option beginning with Oracle Database 10g Release 2. Transparent
Data Encryption provides an easy way to encrypt data at rest in the database, and the
network data encryption option of ASO protects the data during transmission to the client;
the two are independent, so enabling one does not enable the other.
ASO also provides support for a variety of identity authentication methods to ensure
that user identities are accurately known. Third-party authentication services supported
include Kerberos, RADIUS, and DCE. RADIUS enables support of third-party authentication
devices, including smart cards and token cards. Public Key Infrastructure (PKI)
authentication, popular for securing Internet-based e-commerce applications, uses X.509 v3
digital certificates and can leverage Entrust Profiles stored in Oracle Wallets.
Oracle Database 10g added authentication capabilities for users who have Kerberos
credentials, and enables Kerberos-based authentication across database links. Strong
authentication methods are also being moved into Oracle Database 12c.
In a typical scenario, the Oracle Enterprise Security Manager registers valid application
users in the LDAP-compliant Oracle Internet Directory (OID) server. A key pair is
generated for each user in an Oracle Wallet (through Oracle Wallet Manager), an X.509
certificate authority issues a certificate for the public key, and the password-protected
wallet can be published to the LDAP directory so that it can be retrieved from any client.
A user who wants to log in to a database server needs that certificate and the matching
private key from the wallet. During the SSL handshake the client presents its certificate
and proves possession of the private key; the private key itself is never sent over the
network. The server verifies the certificate against the trusted certificate authorities in
its own wallet, retrieves the matching enterprise user from the LDAP directory via SSL, and
only then is the user authenticated to use the database.
Oracle Database 12c includes a number of enhancements for the Advanced Security
Option, including the ability to manage keys more easily. In this release, the master key
for encryption is associated with a pluggable database, so you could potentially have
multiple master keys in a single container database, and a key can be rotated or
exported for one pluggable database without touching the others.