Table 15-1. DBMS_CRYPTO cryptographic hash functions in 12c (ref Oracle Docs)

Name          Description
HASH_MD4      Produces a 128-bit hash, or message digest, of the input message
HASH_MD5      Also produces a 128-bit hash, but is more complex than MD4
HASH_SH1      Secure Hash Algorithm (SHA-1). Produces a 160-bit hash
HASH_SH256    SHA-2, produces a 256-bit hash
HASH_SH384    SHA-2, produces a 384-bit hash
HASH_SH512    SHA-2, produces a 512-bit hash
It is useful to have access to stronger checksums for sensitive objects, as MD5 checksums can be susceptible to collisions, as documented here: http://www.doxpara.com/md5_someday.pdf . Using stripwire ( http://www.doxpara.com/stripwire-1.1.tar.gz ) it is possible for an attacker to control the content of a malicious collision. For very-high-security purposes it can be useful to check integrity using a combination of algorithms.
For the purposes of regular and large state checks on multiple versions of databases, in a situation where the checksum record is under the control of the authority, a weaker and quicker utility like dbms_utility is an appropriate choice, as it is compatible with all versions of Oracle. In your own circumstances, where collisions may be an issue, you may decide to increase the strength of the hashing algorithm and accept the decreased performance of SHA-2.
Code in the SYS or SYSTEM schema can be checked holistically using the following process of selecting out all the source code and metadata to create a checksum that can easily be compared over time:
1. A schema-wide checksum of all SYS packages, procedures, and functions can be carried out as follows:

SQL> SELECT AVG(dbms_utility.get_hash_value(text,1000000000,power(2,30))) FROM DBA_SOURCE
WHERE OWNER='SYS';

AVG(DBMS_UTILITY.GET_HASH_VALUE(TEXT,1000000000,POWER(2,30)))
-------------------------------------------------------------
1564889684
2. Other schemas, where some types of objects have authorized changes of state, may require the checksum creation to be limited to specific object types. For example, a checksum of triggers and views can be carried out with the following code and be compared to previous states using relational operators. Note the use of base tables to avoid dependency on view code, which might be backdoored.
create table PACKAGESTATESORAGOL2(
  OWNERIN VARCHAR2(30),
  USER$NAME VARCHAR2(30),
  OBJ$OWNER VARCHAR2(30),
  NAMEIN VARCHAR2(30),
  SOURCE$OBJID NUMBER,
  OBJ$TYPE VARCHAR2(30),
  COUNTOUT NUMBER,
  CTIMEOUT TIMESTAMP,
  STIMEOUT TIMESTAMP,
  LASTDDLOUT TIMESTAMP,
  HASH NUMBER);
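The two steps above record a dbms_utility checksum of a schema and compare it with earlier states, and the discussion of MD5 collisions earlier suggests using a stronger algorithm, or a combination of algorithms, from DBMS_CRYPTO where that matters. The following is an added example and is not code from the book: it computes a per-object SHA-256 and MD5 digest of every SYS object in DBA_SOURCE, chaining the lines in LINE order so the result depends on content and ordering rather than on the order rows happen to be returned, stores the digests with a run timestamp, and then reports the objects that were added, removed or changed between the two most recent runs. Unlike an average of 32-bit hash values, which cannot say which object changed, the per-object digest points at the modified object directly. It assumes EXECUTE on DBMS_CRYPTO and SELECT on DBA_SOURCE; the table name SOURCE_HASH_STATE and its columns are assumptions of this example.

```sql
-- Added example (not from the book). Assumes EXECUTE on DBMS_CRYPTO and
-- SELECT on DBA_SOURCE. Table and column names are assumptions of this example.
CREATE TABLE source_hash_state (
  run_ts     TIMESTAMP,
  obj_owner  VARCHAR2(128),
  obj_name   VARCHAR2(128),
  obj_type   VARCHAR2(30),
  line_count NUMBER,
  sha256     RAW(32),
  md5        RAW(16)
);

-- One run: digest every SYS object, one row per (owner, name, type).
DECLARE
  l_run_ts TIMESTAMP := SYSTIMESTAMP;
  l_sha    RAW(32);
  l_md5    RAW(16);
  l_lines  NUMBER;
  CURSOR c_objs IS
    SELECT owner, name, type
      FROM dba_source
     WHERE owner = 'SYS'
     GROUP BY owner, name, type;
BEGIN
  FOR o IN c_objs LOOP
    -- Seed each chain with the object identity so identical bodies under
    -- different names still produce different digests.
    l_sha   := DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(o.owner||'.'||o.type||'.'||o.name),
                                DBMS_CRYPTO.HASH_SH256);
    l_md5   := DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(o.owner||'.'||o.type||'.'||o.name),
                                DBMS_CRYPTO.HASH_MD5);
    l_lines := 0;
    -- Chain the lines in LINE order: the digest then covers both the text
    -- and the sequence of lines, independent of row return order.
    FOR s IN (SELECT text
                FROM dba_source
               WHERE owner = o.owner AND name = o.name AND type = o.type
               ORDER BY line) LOOP
      l_sha   := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(l_sha, UTL_RAW.CAST_TO_RAW(s.text)),
                                  DBMS_CRYPTO.HASH_SH256);
      l_md5   := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(l_md5, UTL_RAW.CAST_TO_RAW(s.text)),
                                  DBMS_CRYPTO.HASH_MD5);
      l_lines := l_lines + 1;
    END LOOP;
    INSERT INTO source_hash_state
      VALUES (l_run_ts, o.owner, o.name, o.type, l_lines, l_sha, l_md5);
  END LOOP;
  COMMIT;
END;
/

-- Compare the two most recent runs: objects added, removed, or whose
-- SHA-256 or MD5 digest differs (a change must defeat both to go unnoticed).
WITH runs AS (
  SELECT run_ts, ROW_NUMBER() OVER (ORDER BY run_ts DESC) AS rn
    FROM (SELECT DISTINCT run_ts FROM source_hash_state)
),
cur AS (SELECT s.* FROM source_hash_state s JOIN runs r ON s.run_ts = r.run_ts AND r.rn = 1),
prv AS (SELECT s.* FROM source_hash_state s JOIN runs r ON s.run_ts = r.run_ts AND r.rn = 2)
SELECT COALESCE(c.obj_owner, p.obj_owner) AS obj_owner,
       COALESCE(c.obj_name,  p.obj_name)  AS obj_name,
       COALESCE(c.obj_type,  p.obj_type)  AS obj_type,
       CASE WHEN p.obj_name IS NULL THEN 'ADDED'
            WHEN c.obj_name IS NULL THEN 'REMOVED'
            ELSE 'CHANGED' END            AS status,
       RAWTOHEX(p.sha256)                 AS previous_sha256,
       RAWTOHEX(c.sha256)                 AS current_sha256
  FROM cur c
  FULL OUTER JOIN prv p
    ON c.obj_owner = p.obj_owner AND c.obj_name = p.obj_name AND c.obj_type = p.obj_type
 WHERE c.obj_name IS NULL
    OR p.obj_name IS NULL
    OR c.sha256 <> p.sha256
    OR c.md5    <> p.md5
 ORDER BY status, obj_type, obj_name;
```

Run the PL/SQL block once to record a baseline and again after each patch or review window; the final query is the relational comparison the text describes, but at object granularity. As the text notes, SHA-2 is slower than dbms_utility: on a full SYS schema this makes several hundred thousand DBMS_CRYPTO calls, so it suits a scheduled check rather than an interactive one, and the state table should live somewhere the checked schema cannot alter it.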
 
 