Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Doug talks again about ? and catpatch.sql"] [Next entry: "Radoslav Rusinov's Blog and mod_plsql passwords in clear text"]

Alex Kornbrusts Black Hat presentation on reverse engineering Oracles encryption packages

This entry is a little late as I have talked about other Black Hat presentations from Esteban and Cesar a couple of weeks ago. I planned to talk also about Alex Kornbusts presentation at the same time but did not get the chance. Alex's presentation was titled "Circumvent Oracle�s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms".

This is a superb presentation and goes into detail on how to easily circumvent the security of Oracles built-in encryption packages by stealing the keys or working out the algorithms used in key management. Alex starts with a detailed look at key management and the issues involved. He then talks about pl/sql wrapping and why it should be used and also shows that Oracle stopped describing it as encrypted PL/SQL in 10g and beyond and that in 10g wrapping simply makes getting at the original source difficult. Alex goes on to show how details can still be gleaned from wrapped code and how those details could be better protected. Alex then talks about how Oracle uses database encryption for 10g Grid Control password management and why this is insecure. He then talks about intercepting encryption package calls to steal the keys used with a lot of superb examples. The discussion then focuses on how to reverse engineer computed keys again showing detailed examples. Alex finishes off with some tips for designing database encryption solutions.

The presentation is also available from Alex's own site as "Circumvent Oracle�s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms". It is worth downloading this version as it has been updated substantially since the Black Hat presentation. It now includes quotes from various books and other sources as well as comments from Oracles director of product management Paul Needham.

There is also a thread on my Oracle Security Forum titled "Alexander Kornbrust - Black Hat 2005 Presentation" that discusses the presentation with some comments from Alex himself.