Topic: Alexander Kornbrust - Black Hat 2005 Presentation (Read 10780 times)
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
Posts: 309
Alexander Kornbrust - Black Hat 2005 Presentation
« on: Jul 27th, 2005, 7:51am »
What do you think about the latest info coming from Alex Kornbrust? It seems that there is no safe way to keep the data inside the database secured. Is there someone who attended this Black Hat presentation and who could write in the forum more details about Alex's findings?

URL from the news: Oracle's encryption not secure, researcher says

The best encryption that DBMS_OBFUSCATION_TOOLKIT offers is 192-bit encryption using the Triple DES (3DES) algorithm in Oracle9i. I don't know how this has changed in 10g, but it seems that it doesn't matter because anyway, everyone who has a DBA account could decrypt the data. Is Transparent Data Encryption (coming with 10g) the only preferable way to keep the data secure, especially when there is a requirement coming from "security company standards"? For example, I know that for all companies that are working with Visa, there is a requirement for at least a 256-bit or 512-bit (I am not sure) encryption key that they must use.

I just want to initiate some discussion about this subject: "How to keep our data secured within an Oracle database by using encryption".
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
Re: Alexander Kornbrust - Black Hat 2005 Presentat
« Reply #1 on: Jul 27th, 2005, 2:33pm »
Hi Rado,

Thanks for your post about Alex's talk at Black Hat in Las Vegas. I have seen the text for his talk and was also aware of the news article you mention, but I don't think I can talk about specific details here yet as I don't know if it has been given yet or whether the talk notes will be made public. I am reasonably sure Alex will publish them on his own site, Red Database Security, when he gets back.

That said, we can still discuss the general issue. I want to make two points really for now. The first is that the underlying problem with Oracle's DBMS_OBFUSCATION_TOOLKIT and DBMS_CRYPTO packages is not the algorithms themselves but the issue of key management. This is an issue to which Alex alludes in his talk. There are other issues as well. The second is that at present TDE in 10gR2 doesn't on the surface look any more secure than the previous methods employed by Oracle. A number of bugs have already been found in TDE that allow the keys to become known easily.
Pete Finnigan
Re: Alexander Kornbrust - Black Hat 2005 Presentat
« Reply #2 on: Jul 27th, 2005, 3:24pm »
Hi Pete,

Thank you for your reply. Oracle is making many efforts to improve database security, but for now there are so many bugs and findings being discovered very frequently. The latest thing, a "patch for the security patch", doesn't sound good. I support the idea of opening this kind of forum, related mainly to Oracle security, and I hope that it will become very popular.
Pete Finnigan
Re: Alexander Kornbrust - Black Hat 2005 Presentat
« Reply #3 on: Jul 27th, 2005, 4:42pm »
Hi Rado,

Thanks for your reply. Yes, you are right: at the moment there are a lot of issues with bugs, patches that need to be patched, silent fixes, advisories released for unfixed bugs and of course the fact that a lot of bugs are still not fixed (those reported on sites such as Red Database Security and Argeniss), but we should not forget that Oracle have made some great strides forward with new functionality (TDE, OS audit as XML, FGA and RLS...) in recent years, and they have also improved their patch process a bit, at least on the documentation side. There needs to be work done on getting fixes done quicker and also on their recent problems of patches for patches, quality and testing. But it is better than the random security advisories we had before, which no one knew when to expect and which included much less detail.
Pete Finnigan
Re: Alexander Kornbrust - Black Hat 2005 Presentat
« Reply #10 on: Aug 4th, 2005, 6:34pm »
Hello,

Here is a short summary of my presentation. Interception of encryption keys is easy if a hacker (or DBA) installs a special package which intercepts all parameters and passes the parameters to the original package. DBA permission is not always required.

1. Install a dbms_crypto package with the same specification as the original dbms_crypto. For a sample, see dbms_crypto_fake.sql.
2. Create a private synonym or modify the public synonym.

That's all. You find all encryption keys in the log file of your web server.

It is possible to mitigate the risk (a little bit) by
* using fully qualified names (e.g. SYS.DBMS_CRYPTO)

Regards
Alex
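As an added example (not from Alex's presentation or from this thread), the data-dictionary checks below are what a DBA could run to spot the shadow package and synonym set-up he describes, followed by an ENCRYPT call written with the fully qualified SYS.DBMS_CRYPTO name he suggests as a partial mitigation. The use of DBA_SYNONYMS/DBA_OBJECTS for the check and the sample plaintext are assumptions.

```sql
-- Check 1: synonyms named like the crypto packages that do NOT resolve to
-- the SYS-owned package of the same name.  A clean installation has one
-- PUBLIC synonym per package pointing at SYS.<same name>; anything else
-- (a private synonym, or a public one re-pointed at another schema) is
-- exactly what the summary above describes.
SELECT owner, synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE synonym_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND NOT (table_owner = 'SYS' AND table_name = synonym_name);

-- Check 2: same-named packages living in any schema other than SYS.  These
-- are the look-alike packages such a synonym would point at; created /
-- last_ddl_time give a starting point for the investigation.
SELECT owner, object_name, object_type, created, last_ddl_time
  FROM dba_objects
 WHERE object_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND object_type IN ('PACKAGE', 'PACKAGE BODY')
   AND owner <> 'SYS'
 ORDER BY owner, object_type;

-- Mitigation from the post: call the package by its fully qualified name so
-- name resolution never consults a private or public synonym.  Note the
-- limits: this does nothing about where the key itself is stored, which is
-- the key-management problem raised earlier in the thread.
DECLARE
  l_key RAW(32) := SYS.DBMS_CRYPTO.RANDOMBYTES(32);   -- 256-bit AES key
  l_iv  RAW(16) := SYS.DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh IV per record
  l_ct  RAW(2000);
BEGIN
  l_ct := SYS.DBMS_CRYPTO.ENCRYPT(
            src => SYS.UTL_RAW.CAST_TO_RAW('constructed sample secret'),
            typ => SYS.DBMS_CRYPTO.ENCRYPT_AES256
                 + SYS.DBMS_CRYPTO.CHAIN_CBC
                 + SYS.DBMS_CRYPTO.PAD_PKCS5,
            key => l_key,
            iv  => l_iv);
  -- l_ct and l_iv can be stored with the row; how l_key is protected is
  -- the separate key-management decision the thread is about.
  NULL;
END;
/
```

Both SELECTs should return no rows on an untouched database; any row is worth checking against change records before assuming it is benign.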
Pete Finnigan
Re: Alexander Kornbrust - Black Hat 2005 Presentat
« Reply #12 on: Aug 6th, 2005, 2:59pm »
Josh,

Most people believe that the product documentation or specialised books are telling the truth. DBMS_CRYPTO/DBMS_OBFUSCATION_TOOLKIT is nearly useless in the current architecture. This also has side effects on the Oracle product stack. Oracle itself is not able to store the passwords/data in a secure manner. That is probably the reason why Oracle itself is using dbms_crypto/dbms_otk very rarely. I know only 4 components (ultrasearch, MGW, DM and Grid Control) in the database which are using dbms_crypto/otk.

Regards
Alex