The same concern is true for information that needs to be sent securely over a network. The techniques I presented so far in this chapter, including authentication, authorization, and auditing, ensure legitimate access to data from a database user but do not prevent access to an operating system user that may have access to the operating system files that compose the database itself.
Users can leverage one of two methods for data encryption: using the package DBMS_CRYPTO, an Oracle Database 10g replacement for the package DBMS_OBFUSCATION_TOOLKIT found in Oracle9i, and transparent data encryption, which stores encryption keys globally and includes methods for encrypting entire tablespaces.
DBMS_CRYPTO Package
New to Oracle 10g, the package DBMS_CRYPTO replaces the DBMS_OBFUSCATION_TOOLKIT and includes the Advanced Encryption Standard (AES) encryption algorithm, which replaces the Data Encryption Standard (DES).
Procedures within DBMS_CRYPTO can generate private keys for you, or you can specify and store the key yourself. In contrast to DBMS_OBFUSCATION_TOOLKIT, which could only encrypt RAW or VARCHAR2 datatypes, DBMS_CRYPTO can encrypt BLOB and CLOB types.
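The following PL/SQL block is an added example, not code from the book: it shows the typical DBMS_CRYPTO workflow, letting the package generate the key and IV, encrypting a string with AES-256 in CBC mode with PKCS#5 padding, and decrypting it again. It also adds a keyed MAC over the IV and ciphertext, because DBMS_CRYPTO's ENCRYPT function provides confidentiality only and a tampered ciphertext would otherwise decrypt without error. The sample plaintext is constructed, and the block assumes the session user has been granted EXECUTE on DBMS_CRYPTO by SYS.

```sql
-- Added example (not from the book): AES-256/CBC/PKCS5 round trip with DBMS_CRYPTO,
-- plus an HMAC so that modified ciphertext is detected before decryption.
-- Assumes: GRANT EXECUTE ON DBMS_CRYPTO TO <schema> has been issued by SYS.
SET SERVEROUTPUT ON

DECLARE
  -- Cipher suite is the sum of three DBMS_CRYPTO constants: algorithm, chaining mode, padding.
  l_cipher     PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                            + DBMS_CRYPTO.CHAIN_CBC
                            + DBMS_CRYPTO.PAD_PKCS5;
  l_key        RAW(32);           -- 256-bit encryption key, generated by the package
  l_mac_key    RAW(32);           -- separate key for the MAC; never reuse the encryption key
  l_iv         RAW(16);           -- one AES block; fresh for every encryption, stored with the ciphertext
  l_plain      VARCHAR2(200) := 'card=4111-xxxx-xxxx-1111 (constructed sample, not real data)';
  l_plain_raw  RAW(2000);
  l_cipher_raw RAW(2000);
  l_tag        RAW(20);           -- HMAC-SHA1 output is 20 bytes (HMAC_SH1 is what 10g offers)
  l_check      RAW(20);
  l_back_raw   RAW(2000);
  l_back       VARCHAR2(200);
BEGIN
  -- Let the package generate keys: do not derive them from passwords or hard-code them in source.
  l_key     := DBMS_CRYPTO.RANDOMBYTES(32);
  l_mac_key := DBMS_CRYPTO.RANDOMBYTES(32);
  -- The IV need not be secret, but it must never be reused with the same key.
  l_iv      := DBMS_CRYPTO.RANDOMBYTES(16);

  -- DBMS_CRYPTO operates on RAW, so convert the text explicitly with a fixed character set.
  l_plain_raw  := UTL_I18N.STRING_TO_RAW(l_plain, 'AL32UTF8');
  l_cipher_raw := DBMS_CRYPTO.ENCRYPT(src => l_plain_raw,
                                      typ => l_cipher,
                                      key => l_key,
                                      iv  => l_iv);

  -- Encrypt-then-MAC: authenticate IV || ciphertext so tampering is caught before decryption.
  l_tag := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher_raw),
                           typ => DBMS_CRYPTO.HMAC_SH1,
                           key => l_mac_key);

  DBMS_OUTPUT.PUT_LINE('iv         : ' || RAWTOHEX(l_iv));
  DBMS_OUTPUT.PUT_LINE('ciphertext : ' || RAWTOHEX(l_cipher_raw));
  DBMS_OUTPUT.PUT_LINE('mac        : ' || RAWTOHEX(l_tag));

  -- Receiver side: verify the MAC first, then decrypt with the same key, suite and IV.
  l_check := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher_raw),
                             typ => DBMS_CRYPTO.HMAC_SH1,
                             key => l_mac_key);
  IF UTL_RAW.COMPARE(l_check, l_tag) <> 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'MAC mismatch: ciphertext or IV was altered');
  END IF;

  l_back_raw := DBMS_CRYPTO.DECRYPT(src => l_cipher_raw,
                                    typ => l_cipher,
                                    key => l_key,
                                    iv  => l_iv);
  l_back := UTL_I18N.RAW_TO_CHAR(l_back_raw, 'AL32UTF8');

  IF l_back = l_plain THEN
    DBMS_OUTPUT.PUT_LINE('round trip OK');
  ELSE
    RAISE_APPLICATION_ERROR(-20002, 'decrypted text does not match the original');
  END IF;
END;
/
```

In practice the IV and MAC tag are stored alongside the ciphertext (for example in two extra RAW columns), while the keys are kept somewhere the database files do not expose, which is exactly the gap the chapter describes: a key stored in the same tablespace as the data protects nothing against an operating system user reading the datafiles. For CLOB and BLOB columns the package offers procedure overloads of ENCRYPT and DECRYPT that take a destination LOB instead of returning a RAW.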
Transparent Data Encryption
Transparent data encryption is a key-based access control system that relies on an external module for enforcing authorization. Each table with encrypted columns has its own encryption key, which in turn is encrypted by a master key created for the database. The encrypted table key is stored within the database; the master key itself is not stored in the database but is held by the external module.
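The statements below are an added example, not the book's own, showing the key hierarchy just described as it appears to an administrator: the wallet location in sqlnet.ora (the external module holding the master key), the master key creation, an encrypted column whose table key is kept encrypted in the data dictionary, and the views used to confirm the configuration. The wallet directory, wallet password, schema and table name are placeholders chosen for the example, and the inserted card number is a constructed sample value.

```sql
-- Added example (not from the book): setting up transparent data encryption for one column.
-- Placeholders: wallet directory /etc/ORACLE/WALLETS/orcl, wallet password, schema HR,
-- table CUSTOMERS. ALTER SYSTEM steps run as SYS; the DDL runs as the table owner.

-- 1. sqlnet.ora on the database server (a file, not SQL) names the external module.
--    The master key lives in this wallet and never appears in the datafiles.
--      ENCRYPTION_WALLET_LOCATION =
--        (SOURCE = (METHOD = FILE)
--                  (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- 2. Create the master key (first time only). This creates the wallet, stores the
--    master key in it, and leaves the wallet open for the running instance.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- After every instance restart the wallet is closed again. Until it is reopened,
-- encrypted columns raise ORA-28365 (wallet is not open) instead of returning data.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";

-- 3. Declare an encrypted column. Oracle generates the table key, encrypts it with the
--    master key, and stores only that encrypted form in the data dictionary.
CREATE TABLE hr.customers (
  cust_id  NUMBER        PRIMARY KEY,
  name     VARCHAR2(100),
  card_no  VARCHAR2(19)  ENCRYPT USING 'AES256'  -- ciphertext in datafiles, redo and backups
);

-- Equivalent change for an existing table (rewrites the column data in place):
-- ALTER TABLE hr.customers MODIFY (card_no ENCRYPT USING 'AES256');

-- 4. Applications are unchanged: SQL reads and writes cleartext while the wallet is open.
INSERT INTO hr.customers (cust_id, name, card_no)
VALUES (1, 'sample customer', '4111111111111111');   -- constructed sample value
COMMIT;
SELECT name, card_no FROM hr.customers;

-- 5. Verification: which columns are encrypted, and is the external module available?
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;
```

The division of responsibility is the point of the design: an operating system user who copies the datafiles gets only ciphertext and an encrypted table key, and cannot recover either without the wallet and its password, while database users with the appropriate object privileges keep working with cleartext exactly as before.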