SAN FRANCISCO - The standard encryption mechanism used by Oracle's database products can be easily circumvented, according
to a German security researcher who last week published details on a number of unpatched security
Security expert Alexander Kornbrust plans to give a presentation at the Black Hat USA 2005 security conference this week showing
how Oracle's encryption can be broken. The encryption features that ship with Oracle's database, the DBMS_CRYPTO and
DBMS_OBFUSCATION_TOOLKIT PL/SQL packages, can be circumvented, he said in an interview.
"A lot of people think that if they use this DBMS Crypto, a hacker is not able to decrypt the data, but I found a way to get
the keys," said Kornbrust, a business director at Red-Database-Security GmbH, in Neunkirchen, Germany.
This could result in a nasty surprise for customers who believe they are protecting their data from attackers via Oracle's
standard encryption mechanisms, he added. "If a hacker breaks into your database, he's able to retrieve all of the sensitive
information like credit card numbers."
The problem lies in the design of Oracle's encryption mechanism: the keys used to encrypt the data are themselves stored
unencrypted, in a place an attacker who can read the database can also read, and once recovered they unlock the sensitive data.
Oracle Director of Product Management Paul Needham acknowledged that, in many Oracle installations, an attacker who obtained a
privileged "DBA" (database administrator) account on the server could get at these encryption keys.
"Most of the customers would store the encryption key in a table in the database. To the extent that you have a DBA [account]
that can see the tables, you can just read the tables and find the encryption key."
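The pattern Needham describes, written out as an added example (this is not code from the article, from Oracle or from Red-Database-Security): the application keeps its AES key in an ordinary table and encrypts card numbers with DBMS_CRYPTO, and anyone who can read that table decrypts with exactly the call the application uses. The table names `app_keys` and `cards`, the key id, the sample card number and the IV layout are assumptions made for the example.

```sql
-- Added example, not the article's or Oracle's own code. Table names, key id,
-- the sample card number and the IV-prefix layout are assumptions.

-- 1. Application-side setup: a key table and a table of encrypted card numbers.
CREATE TABLE app_keys (
  key_id  NUMBER  PRIMARY KEY,
  key_raw RAW(32) NOT NULL          -- 256-bit AES key, stored in the clear
);
INSERT INTO app_keys VALUES (1, DBMS_CRYPTO.RANDOMBYTES(32));

CREATE TABLE cards (
  card_id NUMBER  PRIMARY KEY,
  pan_enc RAW(64) NOT NULL          -- 16-byte IV followed by AES-256-CBC ciphertext
);

-- 2. The application encrypts with DBMS_CRYPTO, fetching the key from app_keys.
DECLARE
  v_key RAW(32);
  v_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
BEGIN
  SELECT key_raw INTO v_key FROM app_keys WHERE key_id = 1;
  INSERT INTO cards VALUES (
    1,
    UTL_RAW.CONCAT(v_iv,                           -- IV prepended for later decrypt
      DBMS_CRYPTO.ENCRYPT(
        UTL_RAW.CAST_TO_RAW('4111111111111111'),   -- constructed sample PAN
        DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5,
        v_key,
        v_iv)));
END;
/

-- 3. What an attacker with DBA rights (or SELECT ANY TABLE) runs: the key is one
--    query away, so every row decrypts with the same call the application used.
SELECT c.card_id,
       UTL_RAW.CAST_TO_VARCHAR2(
         DBMS_CRYPTO.DECRYPT(
           UTL_RAW.SUBSTR(c.pan_enc, 17),           -- ciphertext after the 16-byte IV
           DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5,
           k.key_raw,
           UTL_RAW.SUBSTR(c.pan_enc, 1, 16))) AS pan_clear
  FROM cards c, app_keys k
 WHERE k.key_id = 1;

-- 4. The check to run on a real system: who can reach the key table at all?
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE table_name = 'APP_KEYS'
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE');
```

Step 3 is the whole attack: no cryptanalysis, just a join between the data and the key that sits beside it. Step 4 shows why Needham's "DBA account" framing understates the exposure, since any grantee of SELECT ANY TABLE, not only the DBA role, reads `app_keys`. Note that DBMS_CRYPTO itself needs an EXECUTE grant from SYS, and `READ ANY TABLE` only exists on newer releases than the 10g discussed here.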
The encryption software does provide a way of protecting sensitive data on storage media like backup tapes, and it can be
used to bring users into compliance with government regulations, Needham said, adding that his company does not recommend
relying on encryption alone as a method of securing data. "Encryption should not be considered an access control solution,"
he said.
Oracle customers who read the documentation for the company's 10g database might be led to think otherwise, however. In the
event that an attacker gains access to the database, "encryption of stored data can... be an important tool in limiting information
loss," Oracle's documentation states.
Customers who think that Oracle's standard encryption features prevent attackers, or even curious database administrators, from
gaining access to sensitive data are mistaken, Kornbrust said.
In fact, Oracle sells another encryption product for its database that Kornbrust says is designed in a much more secure fashion.
For $10,000 per processor, customers can purchase Oracle's Advanced Security software, which includes a feature called Transparent
Data Encryption (TDE). TDE uses a second encryption key that is stored in an "Oracle wallet" file outside of the database,
and is therefore much harder to crack, according to Needham. "If you got access to the key in the database, you still couldn't
decrypt the data, unless you got access to the other key as well," he said.
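For contrast, the Oracle 10g Release 2 TDE setup Needham is describing, as an added example (not code from the article or from Oracle's documentation): the master key lives in a wallet file on the server's filesystem, outside the database, so it is not reachable with SELECT. The wallet directory, the wallet password and the `cards` table definition are assumptions made for the example.

```sql
-- Added example, not the article's or Oracle's own code. Wallet directory,
-- wallet password and the table definition are assumptions.

-- 1. sqlnet.ora on the database server: where the wallet file lives. It is an
--    OS file, so database privileges such as SELECT ANY TABLE do not reach it.
--
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- 2. Create the master key once, then open the wallet after each instance start.
--    Both need ALTER SYSTEM plus the wallet password, not just read access to tables.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-assumed";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-assumed";

-- 3. Declare the column encrypted; the application reads and writes plain VARCHAR2
--    and never handles key material itself.
CREATE TABLE cards (
  card_id NUMBER       PRIMARY KEY,
  pan     VARCHAR2(19) ENCRYPT USING 'AES256'
);
INSERT INTO cards VALUES (1, '4111111111111111');   -- constructed sample PAN

-- 4. Check which columns are actually protected.
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns;

-- 5. With the wallet closed, the datafiles and backups hold only ciphertext and
--    SELECT on cards fails; reopen it with the statement from step 2.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```

The caveat a practitioner should keep in mind: TDE is transparent by design. While the wallet is open, any session with SELECT on `cards` sees the card number in clear, so it removes the key-in-a-table problem and protects datafiles and backup tapes, but it does not stop a DBA who logs in while the wallet is open. That is the sense in which Needham's "encryption should not be considered an access control solution" applies to TDE as well.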
This is not the first time that Kornbrust, a former Oracle employee whose company provides Oracle security consulting services,
has pointed out failings in Oracle's products. Last week his company published details on six unpatched security vulnerabilities
in Oracle's products, claiming that Oracle had not patched them in the two years since it had first been made aware of
the bugs.