Relational Database Consultants, Inc.

The Encryption Wizard for Oracle

Database Encryption Features

The Encryption Wizard for Oracle is a database encryption tool designed exclusively for the Oracle RDBMS. The Encryption Wizard allows you to physically encrypt the data that resides within your database through an easy-to-use Java interface.

Tired of paying money for Oracle security software with clunky interfaces? Why spend money on an unfriendly front-end?

Take an exciting tour of the Encryption Wizard now. See what it looks like. No database encryption offering has a front-end as professional or easy-to-use as ours. No database encryption tool is as easy to install as the Encryption Wizard for Oracle. Automatically generated updateable views, restricted user lists, auditing tools, AES Encryption, and management style reports are the reasons why the Encryption Wizard for Oracle is the most sophisticated database obfuscation and encryption software on the market today.

Try our free full-featured download of the Encryption Wizard for Oracle today!

The Encryption Wizard for Oracle is the only database encryption software in existence that allows you to specify the encryption of data at the schema, table, or column levels.

Along with database encryption features, the Encryption Wizard ships with advanced security and auditing functions built on the foundation of dependable encryption techniques - an intuitive interface to Oracle's own certified and tested DBMS_Crypto and DBMS_Obfuscation_Toolkit packages.


I. Encryption Types

The Encryption Wizard gives you five encryption methods that you can employ to protect your data:

1. Obfuscation
Obfuscation is not technically encryption. Obfuscation simply obscures your data and makes it apparently useless. Advanced decryption techniques can break obfuscation, yet obfuscation makes casual data theft unlikely among threats inside or outside your organization unless sophisticated and time-consuming techniques are employed to break the obfuscation keys.

2. DES Encryption
DES Encryption is the certified encryption standard provided by Oracle Corporation through its package DBMS_Obfuscation_Toolkit. The Encryption Wizard uses a 64-bit key to protect your data.

3. Triple DES Encryption
Triple DES Encryption (3DES) is a response to advanced techniques used to break standard DES encrypted data. With Triple DES, a data value is encrypted recursively using three 64-bit keys to ensure an almost infinite number of key combinations. Currently the Encryption Wizard uses the Triple DES (encrypt-decrypt-encrypt) scheme:

C = E_K3(D_K2(E_K1(P)))

4. AES 128-bit Encryption
AES (Advanced Encryption Standard) encryption is available to Oracle 10g users through the new DBMS_Crypto toolkit. AES encryption is more secure than DES encryption, and we have tested it as 20% faster on small and medium-sized tables.

5. AES 256-bit Encryption
256-bit AES encryption uses large 32-byte encryption keys. This encryption type is also called through Oracle's certified DBMS_Crypto toolkit and is only available to Oracle 10g users.

Both DES algorithms employ Cipher-Block Chaining (CBC).

The Encryption Wizard does not employ public-key strategies to encrypt corporate data. Public keys are better suited to e-commerce, but less secure. Single-key (symmetric) encryption is the standard of the DBMS_Crypto and DBMS_Obfuscation_Toolkit packages supplied by Oracle Corporation and used by the Encryption Wizard. The Encryption Wizard stores these single keys in the Oracle database using recursive Triple DES encryption. Encryption keys can either be specified by the user or generated automatically by the Encryption Wizard.
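The following PL/SQL block is an added example and is not code from the Encryption Wizard or from Relational Database Consultants. It exercises the four DBMS_CRYPTO ciphers named above (DES, Triple DES, AES-128, AES-256), all in CBC mode with PKCS#5 padding, against one constructed plaintext so the key sizes and the ciphertext growth can be compared side by side. The sample value, the label strings and the local procedure name `show` are assumptions of the example; the package constants and calls are Oracle's own. Two points worth knowing before relying on the column-sizing rule in section III: DBMS_CRYPTO pads to the cipher's block size, which is 8 bytes for DES and Triple DES and 16 bytes for AES with any key length, so sizing AES-256 columns to a multiple of 32 bytes is conservative rather than required; and a DES key is 8 bytes of which 56 bits are effective, which is why DES and Triple DES are no longer recommended for new deployments.

```sql
-- Added example, not code from the Encryption Wizard: the four DBMS_CRYPTO
-- ciphers the page names, each in CBC mode with PKCS#5 padding, applied to
-- one constructed plaintext. Needs EXECUTE on SYS.DBMS_CRYPTO (Oracle 10g+)
-- and SET SERVEROUTPUT ON in SQL*Plus.
DECLARE
  -- constructed sample value: 13 bytes, deliberately not a block multiple
  v_plain RAW(64) := UTL_I18N.STRING_TO_RAW('account:12345', 'AL32UTF8');

  -- hypothetical helper: encrypt, decrypt and report one cipher setting
  PROCEDURE show(p_label     VARCHAR2,
                 p_cipher    PLS_INTEGER,   -- DBMS_CRYPTO.ENCRYPT_* constant
                 p_key_bytes PLS_INTEGER,   -- key length the cipher expects
                 p_block     PLS_INTEGER)   -- cipher block size = IV length
  IS
    v_mode CONSTANT PLS_INTEGER := p_cipher + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
    v_key  RAW(32) := DBMS_CRYPTO.RANDOMBYTES(p_key_bytes);  -- generated key
    v_iv   RAW(16) := DBMS_CRYPTO.RANDOMBYTES(p_block);      -- fresh IV; must be kept with the ciphertext
    v_ct   RAW(64);
    v_pt   RAW(64);
  BEGIN
    v_ct := DBMS_CRYPTO.ENCRYPT(src => v_plain, typ => v_mode, key => v_key, iv => v_iv);
    v_pt := DBMS_CRYPTO.DECRYPT(src => v_ct,    typ => v_mode, key => v_key, iv => v_iv);
    DBMS_OUTPUT.PUT_LINE(RPAD(p_label, 8)
      || ' key ' || (p_key_bytes * 8) || ' bits, plaintext ' || UTL_RAW.LENGTH(v_plain)
      || ' bytes -> ciphertext ' || UTL_RAW.LENGTH(v_ct) || ' bytes, round trip '
      || CASE WHEN v_pt = v_plain THEN 'OK' ELSE 'FAILED' END);
  END show;
BEGIN
  show('DES',     DBMS_CRYPTO.ENCRYPT_DES,     8, 8);   -- 8-byte key (56 effective bits), 8-byte block
  show('3DES',    DBMS_CRYPTO.ENCRYPT_3DES,   24, 8);   -- three 8-byte keys, EDE order, 8-byte block
  show('AES-128', DBMS_CRYPTO.ENCRYPT_AES128, 16, 16);  -- 16-byte key, 16-byte block
  show('AES-256', DBMS_CRYPTO.ENCRYPT_AES256, 32, 16);  -- 32-byte key, block is still 16 bytes
END;
/
```

With this input every setting reports a 16-byte ciphertext for the 13-byte plaintext: DES and 3DES pad to the next multiple of 8, AES to the next multiple of 16. When the IV is stored in front of the ciphertext, as any CBC column design needs to do, the stored length grows by one more block.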


II. Key Management

All key values are stored as 2048-bit raw variables within the Oracle RDBMS; each is the potential mathematical seed of the key eventually used. At runtime this key matrix is again Triple DES encrypted and cached in user memory. This allows a hidden, mutating key strategy for the Encryption Wizard's eventual sets of 64-bit Triple DES keys: the Encryption Wizard uses an algorithm to choose a mutating 64-bit subset of the 2048-bit key for each encryption round. This key is Triple DES protected at runtime using Oracle's certified DBMS_Obfuscation_Toolkit.

All user-defined keys, or pass-phrases, are expanded to the 256-byte key value, obfuscated using Triple DES, and then obfuscated again at runtime. With a user-defined key, recovery is possible if the key is lost; this recovery can only be performed using the Encryption Wizard API. All keys exist in the database table encrypted_column. This table, along with encrypted_table, can and should be backed up using your preferred database backup tool.

Because the Encryption Wizard performs another Triple DES round on these stored keys at runtime, it is not necessary to encrypt the backup file - unless you want another level of protection.

The Encryption Wizard always generates one unique key per database column.  This makes unauthorized decryption much more difficult for large data sets containing many columns.  The Encryption Wizard also employs Cipher-Block Chaining (CBC) which improves encryption of larger character strings.


III. Supported Data Types


The Encryption Wizard for Oracle allows you to encrypt these basic types of data:

1. Character Data

Varchar2 and Character data types can be encrypted using any of the three methods above. The Encryption Wizard also now supports the Oracle NLS multi-byte character data types NCHAR and NVarchar2. If DES, AES-128 or AES-256 encryption is used, the Encryption Wizard increases the lengths of your character columns to the nearest multiple of 8, 16 or 32 bytes respectively.

2.  Number and Date Data

Date and Number data can only be obfuscated.

3.  Large Binary Objects, BLOB and CLOB data types.

Binary Large Objects are now supported with the Encryption Wizard release 5.0 for all Oracle 8i, 9i and 10g databases.

**The Encryption Wizard will not encrypt Primary, Unique, or Foreign Keys, nor does it encrypt columns with default values or check (condition) constraints, aside from the popular "Not Null" constraint.


IV. Transparent Decrypted Views

To allow applications to access physically encrypted data, the Encryption Wizard Administrator can optionally create decrypted views against any table with encrypted data. Decrypted views allow applications to seamlessly read and/or write encrypted data objects.

This is accomplished through automatically generated transparent database triggers within each decrypted view. These decrypted views can be dynamically created and dropped at any time through the Encryption Wizard user interface.

The Encryption Wizard now offers bit-mapped function indexes for use in conjunction with Decrypted Views. These indexes are for large encrypted tables that require access by an encrypted column index for performance reasons.
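The decrypted-view mechanism described in this section, as an added example written for this page rather than taken from the Encryption Wizard: a table holds the Social Security number column as AES-128/CBC ciphertext, a key table holds one key per encrypted column (section II), and a view with INSTEAD OF triggers lets applications read and write plaintext while the base table never sees it. Every table, column, package and trigger name here is hypothetical, as is the ciphertext layout (a random 16-byte IV stored in front of the ciphertext); only the DBMS_CRYPTO, UTL_RAW and UTL_I18N calls are Oracle's.

```sql
-- Added example (not the Encryption Wizard's schema): decrypted view over an
-- AES-128/CBC encrypted column, with INSTEAD OF triggers for writes.
CREATE TABLE employee_enc (
  emp_id   NUMBER PRIMARY KEY,
  name     VARCHAR2(100),
  ssn_enc  RAW(48)          -- 16-byte IV || ciphertext (11-char SSN pads to 16 bytes)
);

-- one key per encrypted column; grant nothing on this table, reach it only via the package
CREATE TABLE column_key (
  table_name  VARCHAR2(30),
  column_name VARCHAR2(30),
  key_raw     RAW(16) NOT NULL,
  PRIMARY KEY (table_name, column_name)
);
INSERT INTO column_key VALUES ('EMPLOYEE_ENC', 'SSN_ENC', DBMS_CRYPTO.RANDOMBYTES(16));
COMMIT;

CREATE OR REPLACE PACKAGE col_crypto AS
  FUNCTION enc(p_table VARCHAR2, p_column VARCHAR2, p_plain VARCHAR2) RETURN RAW;
  FUNCTION dec(p_table VARCHAR2, p_column VARCHAR2, p_cipher RAW) RETURN VARCHAR2;
END col_crypto;
/
CREATE OR REPLACE PACKAGE BODY col_crypto AS
  c_mode CONSTANT PLS_INTEGER :=
    DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;

  FUNCTION key_for(p_table VARCHAR2, p_column VARCHAR2) RETURN RAW IS
    v_key RAW(16);
  BEGIN
    SELECT key_raw INTO v_key FROM column_key
     WHERE table_name = p_table AND column_name = p_column;
    RETURN v_key;
  END key_for;

  FUNCTION enc(p_table VARCHAR2, p_column VARCHAR2, p_plain VARCHAR2) RETURN RAW IS
    v_iv RAW(16);
  BEGIN
    IF p_plain IS NULL THEN RETURN NULL; END IF;
    v_iv := DBMS_CRYPTO.RANDOMBYTES(16);     -- fresh IV per value, never reused with the same key
    RETURN UTL_RAW.CONCAT(v_iv,
             DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'),
                                 c_mode, key_for(p_table, p_column), v_iv));
  END enc;

  FUNCTION dec(p_table VARCHAR2, p_column VARCHAR2, p_cipher RAW) RETURN VARCHAR2 IS
  BEGIN
    IF p_cipher IS NULL THEN RETURN NULL; END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(UTL_RAW.SUBSTR(p_cipher, 17),        -- ciphertext after the IV
                                 c_mode, key_for(p_table, p_column),
                                 UTL_RAW.SUBSTR(p_cipher, 1, 16)),    -- the stored IV
             'AL32UTF8');
  END dec;
END col_crypto;
/

-- the "decrypted view": applications see plaintext columns
CREATE OR REPLACE VIEW employee_v AS
  SELECT emp_id, name, col_crypto.dec('EMPLOYEE_ENC', 'SSN_ENC', ssn_enc) AS ssn
    FROM employee_enc;

-- transparent triggers so writes through the view are encrypted on the way in
CREATE OR REPLACE TRIGGER employee_v_ins INSTEAD OF INSERT ON employee_v
BEGIN
  INSERT INTO employee_enc (emp_id, name, ssn_enc)
  VALUES (:NEW.emp_id, :NEW.name, col_crypto.enc('EMPLOYEE_ENC', 'SSN_ENC', :NEW.ssn));
END;
/
CREATE OR REPLACE TRIGGER employee_v_upd INSTEAD OF UPDATE ON employee_v
BEGIN
  UPDATE employee_enc
     SET name    = :NEW.name,
         ssn_enc = col_crypto.enc('EMPLOYEE_ENC', 'SSN_ENC', :NEW.ssn)
   WHERE emp_id = :OLD.emp_id;
END;
/

-- constructed sample row: the application works in plaintext throughout
INSERT INTO employee_v VALUES (1, 'Sample Person', '123-45-6789');
SELECT emp_id, ssn     FROM employee_v   WHERE emp_id = 1;   -- plaintext back
SELECT emp_id, ssn_enc FROM employee_enc WHERE emp_id = 1;   -- 32 bytes of IV || ciphertext
```

Two design points carry over to any deployment of this pattern. The package runs with definer's rights, so application accounts need EXECUTE on it and SELECT on the view but no privilege on `column_key` or `employee_enc`; the key table is still readable by SYS, which is the gap sections VI and VII address with passwords held outside the database. And a function-based or bitmap index over the decrypting expression, the performance option this section mentions, stores the decrypted values inside the index segment, so the index must be protected as carefully as a plaintext copy of the column.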


V. Session Auditing

The Encryption Wizard also offers the administrator the ability to specify session auditing at the schema, table, or column level.

Session auditing records all distinct Encryption and Decryption (read/write) requests for all sessions. Session Auditing allows you to see who has had access to your encrypted data, down to the Terminal ID and database column level.

The Encryption Wizard supplies you with management reports to trace audited activity against your encrypted table data.


VI. Restricted User Lists

A Restricted User List allows you to specify which users you wish to grant the ability to read and/or write encrypted data. You can specify user lists for a given schema, table, or column.  If there is no user list specified, then a user's ability to access encrypted data is based on traditional Oracle grants.

Restricted User Lists allow you to block any Oracle user from viewing your encrypted data, even a DBA user such as SYS. This is accomplished by using an optional Runtime Password that can be assigned to authorized users.

To thwart malicious DBA access to data, use Restricted User Lists in conjunction with the Administrative Password which is discussed below.
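An added example covering both the Session Auditing of section V and the Restricted User Lists of this section; it is written for this page and is not the Encryption Wizard's own schema or API. A list table names which users may read or write a given encrypted column, and an access check writes one audit row per decision, captured with the session user, terminal and client address from SYS_CONTEXT, which are the attributes the page says its audit reports expose. All table, column and package names are assumptions. The list lives in the database, so it constrains ordinary accounts; a user with SYS privileges can read the list and the key table, which is why the page pairs the list with a Runtime Password held by the user rather than stored in the database.

```sql
-- Added example (hypothetical names): restricted user list plus session
-- audit trail for encrypted-column access. Needs SET SERVEROUTPUT ON.
CREATE TABLE restricted_user (
  table_name  VARCHAR2(30),
  column_name VARCHAR2(30),
  user_name   VARCHAR2(30),
  can_read    CHAR(1) DEFAULT 'Y',
  can_write   CHAR(1) DEFAULT 'N',
  PRIMARY KEY (table_name, column_name, user_name)
);

CREATE TABLE crypto_audit (
  audit_ts    TIMESTAMP DEFAULT SYSTIMESTAMP,
  user_name   VARCHAR2(30),
  terminal    VARCHAR2(64),      -- "Terminal ID" in the page's terms
  ip_address  VARCHAR2(45),
  table_name  VARCHAR2(30),
  column_name VARCHAR2(30),
  operation   VARCHAR2(5),       -- READ or WRITE
  allowed     CHAR(1)            -- Y or N
);

CREATE OR REPLACE PACKAGE access_ctl AS
  -- TRUE when the session user may perform p_op on the column; audits either way
  FUNCTION check_access(p_table VARCHAR2, p_column VARCHAR2, p_op VARCHAR2) RETURN BOOLEAN;
END access_ctl;
/
CREATE OR REPLACE PACKAGE BODY access_ctl AS
  PROCEDURE log_event(p_table VARCHAR2, p_column VARCHAR2, p_op VARCHAR2, p_allowed CHAR) IS
    PRAGMA AUTONOMOUS_TRANSACTION;   -- audit row survives a rollback of the caller's work
  BEGIN
    INSERT INTO crypto_audit (user_name, terminal, ip_address,
                              table_name, column_name, operation, allowed)
    VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
            SYS_CONTEXT('USERENV', 'TERMINAL'),
            SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
            p_table, p_column, p_op, p_allowed);
    COMMIT;
  END log_event;

  FUNCTION check_access(p_table VARCHAR2, p_column VARCHAR2, p_op VARCHAR2) RETURN BOOLEAN IS
    v_listed  PLS_INTEGER;
    v_allowed PLS_INTEGER;
  BEGIN
    -- no list for this column: fall back to ordinary Oracle grants, as the page describes
    SELECT COUNT(*) INTO v_listed FROM restricted_user
     WHERE table_name = p_table AND column_name = p_column;
    IF v_listed = 0 THEN
      log_event(p_table, p_column, p_op, 'Y');
      RETURN TRUE;
    END IF;
    -- a list exists: the session user must be on it with the matching right
    SELECT COUNT(*) INTO v_allowed FROM restricted_user
     WHERE table_name = p_table AND column_name = p_column
       AND user_name  = SYS_CONTEXT('USERENV', 'SESSION_USER')
       AND ((p_op = 'READ' AND can_read = 'Y') OR (p_op = 'WRITE' AND can_write = 'Y'));
    log_event(p_table, p_column, p_op, CASE WHEN v_allowed > 0 THEN 'Y' ELSE 'N' END);
    RETURN v_allowed > 0;
  END check_access;
END access_ctl;
/

-- constructed list entry: only HR_APP may read and write EMPLOYEE_ENC.SSN_ENC
INSERT INTO restricted_user (table_name, column_name, user_name, can_read, can_write)
VALUES ('EMPLOYEE_ENC', 'SSN_ENC', 'HR_APP', 'Y', 'Y');
COMMIT;

-- run from any session: allowed only when SESSION_USER is HR_APP; audited either way
BEGIN
  DBMS_OUTPUT.PUT_LINE(CASE WHEN access_ctl.check_access('EMPLOYEE_ENC', 'SSN_ENC', 'READ')
                            THEN 'read allowed' ELSE 'read denied' END);
END;
/

-- management-report style summary (section X): who reached which column, from where
SELECT user_name, terminal, ip_address, table_name, column_name, operation, allowed,
       COUNT(*) AS events, MIN(audit_ts) AS first_seen, MAX(audit_ts) AS last_seen
  FROM crypto_audit
 GROUP BY user_name, terminal, ip_address, table_name, column_name, operation, allowed
 ORDER BY last_seen DESC;
```

In practice the check is called from the decrypt and encrypt wrappers behind a decrypted view, and a denied read returns NULL instead of plaintext. Logging one row per value decrypted is expensive on large result sets; recording one row per session, column and operation, which is what "distinct requests" in section V amounts to, keeps the audit table proportional to sessions rather than rows.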


VII. Administrative Password

To prevent unauthorized access to the Encryption Wizard by Database Administrators, the Encryption Wizard Administrator can set an optional password that is required to encrypt and decrypt data and to use the Encryption Wizard interface.

In addition, the Encryption Wizard administrator does not require DBA privileges to use the Encryption Wizard.


VIII. Data Consistency

The Encryption Wizard employs intelligent recovery operations if any encryption or decryption attempt fails.

The Encryption Wizard will self-diagnose any incomplete Encryption or Decryption operation and allow the administrator to simply continue the process or back out.  This helps guard against serious data inconsistency due to partially completed operations that may occur because of an unexpected database event like a shutdown.
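The recovery behaviour described here, as an added example written for this page (not the Encryption Wizard's implementation): a column-encryption run that records per-row progress in a status flag, so that after an unexpected shutdown the administrator can query how far it got and either rerun the procedure to finish or run the reverse procedure to back out, without any row being encrypted or decrypted twice. Table, column and procedure names are hypothetical, as is the storage layout (16-byte IV followed by AES-128/CBC ciphertext); the key is passed in by the caller rather than fetched from a key store, to keep the example self-contained.

```sql
-- Added example (hypothetical names): resumable encrypt / back-out of one column.
CREATE TABLE customer_mig (
  cust_id     NUMBER PRIMARY KEY,
  email       VARCHAR2(100),              -- plaintext, cleared once encrypted
  email_enc   RAW(128),                   -- 16-byte IV || ciphertext (100 bytes pads to 112)
  enc_status  CHAR(1) DEFAULT 'P' NOT NULL -- P = plaintext, E = encrypted
);

CREATE OR REPLACE PROCEDURE encrypt_email(p_key RAW, p_batch PLS_INTEGER DEFAULT 500) IS
  c_mode CONSTANT PLS_INTEGER :=
    DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  v_iv   RAW(16);
  v_done PLS_INTEGER := 0;
BEGIN
  -- only rows still marked P are touched, so a rerun resumes where the last run stopped
  FOR r IN (SELECT cust_id, email FROM customer_mig WHERE enc_status = 'P') LOOP
    v_iv := DBMS_CRYPTO.RANDOMBYTES(16);
    UPDATE customer_mig
       SET email_enc  = CASE WHEN r.email IS NULL THEN NULL
                             ELSE UTL_RAW.CONCAT(v_iv, DBMS_CRYPTO.ENCRYPT(
                                    UTL_I18N.STRING_TO_RAW(r.email, 'AL32UTF8'), c_mode, p_key, v_iv))
                        END,
           email      = NULL,
           enc_status = 'E'
     WHERE cust_id = r.cust_id
       AND enc_status = 'P';              -- guards against a second run working the same row
    v_done := v_done + 1;
    IF MOD(v_done, p_batch) = 0 THEN COMMIT; END IF;   -- every committed row is final and self-describing
  END LOOP;
  COMMIT;
  DBMS_OUTPUT.PUT_LINE('encrypted ' || v_done || ' rows');
END encrypt_email;
/

-- the back-out: restores plaintext for rows marked E; same status discipline, same batching
CREATE OR REPLACE PROCEDURE decrypt_email(p_key RAW, p_batch PLS_INTEGER DEFAULT 500) IS
  c_mode CONSTANT PLS_INTEGER :=
    DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  v_done PLS_INTEGER := 0;
BEGIN
  FOR r IN (SELECT cust_id, email_enc FROM customer_mig WHERE enc_status = 'E') LOOP
    UPDATE customer_mig
       SET email      = CASE WHEN r.email_enc IS NULL THEN NULL
                             ELSE UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(
                                    UTL_RAW.SUBSTR(r.email_enc, 17), c_mode, p_key,
                                    UTL_RAW.SUBSTR(r.email_enc, 1, 16)), 'AL32UTF8')
                        END,
           email_enc  = NULL,
           enc_status = 'P'
     WHERE cust_id = r.cust_id
       AND enc_status = 'E';
    v_done := v_done + 1;
    IF MOD(v_done, p_batch) = 0 THEN COMMIT; END IF;
  END LOOP;
  COMMIT;
  DBMS_OUTPUT.PUT_LINE('decrypted ' || v_done || ' rows');
END decrypt_email;
/

-- self-diagnosis after a shutdown: anything other than a single status means an
-- operation is incomplete; rerun encrypt_email to continue or decrypt_email to back out
SELECT enc_status, COUNT(*) AS rows_in_state FROM customer_mig GROUP BY enc_status;
```

Committing per batch bounds undo and makes every committed row final, which is what allows the status query to describe the exact state after a crash; because the cursor is not opened FOR UPDATE, fetching across those commits is permitted, though a very long run on a busy table should be sized to avoid ORA-01555 snapshot errors. The key passed to both procedures must be the same one, so in a real deployment it comes from the key store that section II describes, not from a script argument.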


IX. Key Backup & Recovery for Disaster Continuity Planning

The Encryption Wizard allows users to back up encryption keys to a flat file. These files may be password protected and cannot be used on any database other than the Oracle database they were created from.

Password-protected backups enhance the security of your key backup and recovery operations and reduce the chances of data loss and downtime.


X. Table-Driven & Configurable Management Reports

The Encryption Wizard supports your encryption efforts with simple-to-use management reports. These reports allow you to view your overall encryption scheme and track or summarize specific auditing events.

All of the Encryption Wizard reports can be exported to HTML or PDF format for formal presentations. We have provided the source code of these reports to allow for easy modifications to support individual reporting needs.

Copyright - Relational Database Consultants, Inc.
12021 Wilshire Blvd. Suite 108
Los Angeles, CA. 90025
Phone: (888) 385-4637 (310) 281-1915 FAX: (267) 345-7500