RE: encryption - peoplesoft 8 - oracle ??

How will you protect the encryption key?  

There is one thing that most people seem to miss about the DBMS_OBFUSCATION_TOOLKIT and that is, it DOES NOT provide key management.  

Having access to the encryption and decryption routines is only half the story. What use is encrypting credit card numbers when you cannot securely store the key used in the encryption.  

Off the top of my head any key management solution should have at a minimum: - no one person should know the complete key - key needs to be separated into components
- the key should not exist in the clear outside of a HSM (Hardware Security Module)  

Cheers,
Craig.  

-----Original Message-----

[mailto:Mohammed.Ahsanuddin_at_VerizonWireless.com] Sent: Tuesday, 25 February 2003 2:34 AM
To: Multiple recipients of list ORACLE-L

Has anyone used data encryption/decryption with peoplesoft8 HR application with oracle backend? Any hints will be appreciated..  

Thanks
Mohammed Ahsanuddin
Oracle DBA
-----Original Message-----

Sent: Friday, February 21, 2003 4:28 PM
To: Multiple recipients of list ORACLE-L

it would be safer to encrypt the credit card number at the application level, and insert that string into the database, because anyone with a decent sniffer would be able to pick it out of the SQL*Net code. Whether or not they even have access to the database.  

-----Original Message-----

Sent: Friday, February 21, 2003 12:40 PM To: Multiple recipients of list ORACLE-L

Besides the DBMS_OBFUSCATION_TOOLKIT, Application Security Inc also has a product to encrypt data in the database. Check out their web site www.appsecinc.com.

-----Original Message-----

[mailto:Mohammed.Ahsanuddin_at_VerizonWireless.com] Sent: Friday, February 21, 2003 3:25 PM
To: Multiple recipients of list ORACLE-L

We have been looking at a similar requirement..so far it seems if you want to use oracle's encryption (DBMS_OBFUSCATION_TOOLKIT) tool kit encryption has to be done in code and passed to the database and vice versa.  

There is a product called secure.data for oracle database from protegrity which claims to be application transparent..I have not worked with that but it is an option.  

Thanks
Mohammed Ahsanuddin
Oracle DBA
-----Original Message-----

Sent: Friday, February 21, 2003 2:06 PM
To: Multiple recipients of list ORACLE-L

I've been asked to find out a way to encrypt credit card numbers and store that encrypted string in the database. ...any oracle functions or functionality to do this? ....or would we have to encrypt the numbers in the application and then pass that string to the database?

We don't want anyone to be able to get to the numbers even if they have access to the table in which it is stored.

Thanks for any input
chris

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Craig Munday
  INET: Craig.Munday_at_ecard.com.au

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services


---------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).