
Re: Where to keep encryption key , DB?

From: Pete Finnigan <pete_at_peterfinnigan.demon.co.uk>
Date: Mon, 15 Oct 2001 11:10:43 +0100
Message-ID: <XUfwN7AjYry7Ew3E@peterfinnigan.demon.co.uk>


Hi

If you store the key in the PL/SQL code, even if it's wrapped as Sybrand suggests, then I would suggest that you break it up for extra security and rebuild it prior to use, i.e. obfuscate the key as well. Also use the 3DES of the DBMS_OBFUSCATION_TOOLKIT package, as the other option, DES, is known to be weak. Your other option is to use a public algorithm rather than DES and use a 'C' library function to do the encryption and call it as an external proc.

HTH Pete Finnigan
www.pentest-limited.com

In article <tsen1d3g038n24_at_corp.supernews.com>, Sybrand Bakker <postbus_at_sybrandb.demon.nl> writes
>
>"NetComrade" <andreyNSPAM_at_bookexchange.net> wrote in message
>news:3bc7405b.2778536704_at_news.globix.com...
>> We are planning to store credit card #'s in our database..
>>
>> We are looking into different options to encrypt CC #'s, one is to use
>> oracle's built in dbms_obfuscation_toolkit.
>>
>> The question is, where do we store the encryption key?
>>
>> I thought of creating a separate account in the db just to hold that
>> function, and just grant execute on it to a user that needs to execute
>> it, but not see the code of the function.. The thing is, if you grant
>> execute to userB, userB's all_source can see the source of the
>> function..
>>
>> How would you do it? (or did you already)
>>
>> If we are to store the key in let's say some C code, that we'd have to
>> redeploy our application each time we are changing the key..
>>
>> BTW, what are the general industry standards to change the key (how
>> often, etc, etc)
>>
>> Any help is greatly appreciated.
>> .......
>> We use Oracle 8.1.6-8.1.7 on Solaris 2.6, 2.7 boxes
>> Andrey Dmitriev eFax: (978) 383-5892 Daytime: (917) 750-3630
>> AOL: NetComrade ICQ: 11340726 remove NSPAM to email
>
>Oracle has a wrap utility which allows you to store the code compiled and
>encrypted instead of plain ascii text. Most of Oracle's own code is supplied
>this way.
>Concern dismissed.
>
>Regards,
>
>Sybrand Bakker
>Senior Oracle DBA
>
>
>

-- 
Pete Finnigan
IT Security Consultant
PenTest Limited

Office  01565 830 990
Fax     01565 830 889
Mobile  07974 087 885

pete.finnigan_at_pentest-limited.com

www.pentest-limited.com
Received on Mon Oct 15 2001 - 05:10:43 CDT
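
The approach suggested in the reply above (key fragments rebuilt just before use, 3DES instead of DES, body loaded in wrapped form), as an added PL/SQL sketch that is not part of the original thread. The package name `cc_crypto`, its functions, the file name and the fragment values are hypothetical, and it assumes a release whose DBMS_OBFUSCATION_TOOLKIT provides DES3Encrypt and DES3Decrypt.

```plsql
-- Added example: cc_crypto, its functions and the fragment values are hypothetical.
CREATE OR REPLACE PACKAGE cc_crypto AS
  FUNCTION encrypt_cc (p_cc  IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_cc (p_enc IN RAW)      RETURN VARCHAR2;
END cc_crypto;
/

-- Wrap the body before loading it, e.g. wrap iname=cc_crypto_body.sql
CREATE OR REPLACE PACKAGE BODY cc_crypto AS

  -- Constructed placeholder fragments, deliberately declared out of order.
  -- 3 x 8 bytes = the 24-byte key that three-key 3DES expects.
  c_frag_c CONSTANT VARCHAR2(8) := 'CCCCCCCC';
  c_frag_a CONSTANT VARCHAR2(8) := 'AAAAAAAA';
  c_frag_b CONSTANT VARCHAR2(8) := 'BBBBBBBB';

  -- Rebuild the key only at the moment of use; it is never held in a
  -- package-level variable.
  FUNCTION build_key RETURN VARCHAR2 IS
  BEGIN
    RETURN c_frag_a || c_frag_b || c_frag_c;
  END build_key;

  FUNCTION encrypt_cc (p_cc IN VARCHAR2) RETURN RAW IS
    l_padded VARCHAR2(64);
  BEGIN
    -- The toolkit rejects input whose length is not a multiple of 8 bytes.
    l_padded := RPAD(p_cc, CEIL(LENGTH(p_cc) / 8) * 8, ' ');
    RETURN UTL_RAW.CAST_TO_RAW(
             DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
               input_string => l_padded,
               key_string   => build_key,
               which        => 1));   -- 1 = three-key mode
  END encrypt_cc;

  FUNCTION decrypt_cc (p_enc IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN RTRIM(
             DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
               input_string => UTL_RAW.CAST_TO_VARCHAR2(p_enc),
               key_string   => build_key,
               which        => 1));
  END decrypt_cc;

END cc_crypto;
/
```

Splitting the key only raises the effort needed to read it out of the stored source; any account that can execute `cc_crypto.decrypt_cc` still gets plaintext, so the EXECUTE grant is the real access control.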
