Oracle and Encryption

OFM wrote:

I am running an oracle database with the application written in PHP.

I would like to be able to have the option to encrypt data residing in
certain columns in certain tables i.e. encrypt the SSNO column but not
the Fname column. I would like to keep it in its encrypted form in the
database but I would like to be able to show it to certain privileged
people based on a password.

Can public key encryption be incorporated here in the php application
such that if I can encrypt the data based on a key that in it self can
be encrypted in a way that you can revoke certain passwords if the
employee leaves - much that same way you have revocation lists
management in PGP.

Are there any suggestions on how to go about incorporating FLEXIBLE
encryption of data with PHP and Oracle?

You need a lot of help with this - I think you need to re-examine your
problems here. Do you really not trust the PHP code? If not how are you
going to securely supply decryption tokens to your running code? Where will
the users private keys reside? Do you really want public key encryption or
are you looking for shared keys? Can you afford the performance overhead of
per-attribute public key encryption?

If you are working some where that actually needs Oracle and this kind of
security, then really the people you work for should be able to rent a
consultant for a few days to work on this. But by the sound of things
you've not even got clear objectives of what you are trying to achieve.

C.

On Sat, 07 Oct 2006 17:14:58 -0400, OFM wrote:

I am running an oracle database with the application written in PHP.

I would like to be able to have the option to encrypt data residing in
certain columns in certain tables i.e. encrypt the SSNO column but not
the Fname column. I would like to keep it in its encrypted form in the
database but I would like to be able to show it to certain privileged
people based on a password.

Can public key encryption be incorporated here in the php application
such that if I can encrypt the data based on a key that in it self can
be encrypted in a way that you can revoke certain passwords if the
employee leaves - much that same way you have revocation lists
management in PGP.

Are there any suggestions on how to go about incorporating FLEXIBLE
encryption of data with PHP and Oracle?

Any help appreciated.

Oracle has something called "Advanced Security Option" which is a
commercial product and allows encryption of the entire database or parts
of it. There is also something called "VPD" (Virtual Private Database)
which allows users to see only the parts of the database they're entitled
to see. It takes a bit to set up, but it works really well. As for
revoking employee authorization once the employment is terminated, it
should be a standard practice. HR should have an application that would
disable VPN logins and logins to web visible applications and high
priority tickets to immediately revoke all access privileges should be
assigned to both system administration group and DBA group. Security is
not a part of an application, security is a philosophy that the company
must adhere to in everything it does.

--
http://www.mladen-gogala.com

Try DBMS_OBFUSCATION package for encryption and decryption.

You may see this link to know more about security.

VPD and there is another thing called OLS.

Both are explained well
http://free-advisory.com/forums/orac...num=1159027877

Regards,
Mladen Gogala wrote:

On Sat, 07 Oct 2006 17:14:58 -0400, OFM wrote:

I am running an oracle database with the application written in PHP.

I would like to be able to have the option to encrypt data residing in
certain columns in certain tables i.e. encrypt the SSNO column but not
the Fname column. I would like to keep it in its encrypted form in the
database but I would like to be able to show it to certain privileged
people based on a password.

Can public key encryption be incorporated here in the php application
such that if I can encrypt the data based on a key that in it self can
be encrypted in a way that you can revoke certain passwords if the
employee leaves - much that same way you have revocation lists
management in PGP.

Are there any suggestions on how to go about incorporating FLEXIBLE
encryption of data with PHP and Oracle?

Any help appreciated.

Oracle has something called "Advanced Security Option" which is a
commercial product and allows encryption of the entire database or parts
of it. There is also something called "VPD" (Virtual Private Database)
which allows users to see only the parts of the database they're entitled
to see. It takes a bit to set up, but it works really well. As for
revoking employee authorization once the employment is terminated, it
should be a standard practice. HR should have an application that would
disable VPN logins and logins to web visible applications and high
priority tickets to immediately revoke all access privileges should be
assigned to both system administration group and DBA group. Security is
not a part of an application, security is a philosophy that the company
must adhere to in everything it does.

--
http://www.mladen-gogala.com

On Mon, 09 Oct 2006 02:19:08 -0700, z@hid wrote:

Try DBMS_OBFUSCATION package for encryption and decryption.

You may see this link to know more about security.

VPD and there is another thing called OLS.

Oracle Label Security, which used to be known as "Trusted Oracle" is, to
my knowledge, not generally available. DBMS_OBFUSCATION was renamed to
DBMS_OBFUSCATION_TOOLKIT and it is a simple package which allows you
encrypt and decrypt things using DES and DES3 (aka "triple DES")
encryption. It doesn't say anything about the keys. As far as obfuscation
toolkit is concerned, one can have the key written on a sticky and
attached to his screen. I even saw that once.
DBMS_OBFUSCATION_TOOLKIT is not a security solution, nor was it ever
intended to be one.

--
http://www.mladen-gogala.com

If running on 10gR2, TDE (transparent data encryption) is the way to go.

http://www.oracle.com/technology/dep...ion/index.html

Pedro
Mladen Gogala wrote:

On Mon, 09 Oct 2006 02:19:08 -0700, z@hid wrote:

>Try DBMS_OBFUSCATION package for encryption and decryption.

You may see this link to know more about security.

VPD and there is another thing called OLS.

Oracle Label Security, which used to be known as "Trusted Oracle" is, to
my knowledge, not generally available. DBMS_OBFUSCATION was renamed to
DBMS_OBFUSCATION_TOOLKIT and it is a simple package which allows you
encrypt and decrypt things using DES and DES3 (aka "triple DES")
encryption. It doesn't say anything about the keys. As far as obfuscation
toolkit is concerned, one can have the key written on a sticky and
attached to his screen. I even saw that once.
DBMS_OBFUSCATION_TOOLKIT is not a security solution, nor was it ever
intended to be one.