Since June 2013, Net Encryption is now licensed with Oracle Enterprise Edition and doesn't require Oracle Advanced Security Option.
Oracle Advanced Security provides the following features:
This page summarizes the tests done to encrypt the network traffic between an Oracle client and an Oracle database and check data integrity.
Complete documentation can be found in:
To setup the net encryption, several lines have to be added to the sqlnet.ora file both on the client and server sides.
On the client side, the following line was added:
SQLNET.ENCRYPTION_CLIENT=accepted
This line indicates to the server side that the client accepts secure net traffic if it requests for. This is the default value.
Other possible values are:
On the server side, the following lines were added (the other values are also possible):
SQLNET.ENCRYPTION_SERVER=required SQLNET.ENCRYPTION_TYPES_SERVER=<encryption algorithm>
Encryption status according to client and server parameter values is summarized in the following table (ORA-12660 is the error returned by Oracle in these cases):
Rejected | Accepted | Requested | Required | |
---|---|---|---|---|
Rejected | OFF | OFF | OFF | ORA-12660 |
Accepted | OFF | OFF | ON | ON |
Requested | OFF | ON | ON | ON |
Required | ORA-12660 | ON | ON | ON |
The tested encryption algorithms were (other ones are available, refer to the documentation above):
Note that a list of encryption algorithms can be given (and not just one) on each side and a negotiation occurs at connection time to determine which one will be taken (actually, the first common one in the lists). If no algorithm are provided, all available ones are taken by default.
To improve the strength of key generation the parameter SQLNET.CRYPTO_SEED can be added. It is set to 10 to 70 random characters, the more random the characters are and the lengther the string is, the stronger the keys are.
In this case, sqlnet.ora file is not read and taken into account; we have to set properties on the connection.
For example:
DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver()); Properties props = new Properties(); props.put("oracle.net.encryption_client", "accepted"); props.put("oracle.net.encryption_types_client", "RC4_128"); props.put("user", "XXX"); props.put("password", "YYY"); Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@myhost:1521:mySID", props);
Oracle also allows to verify data integrity by adding a checksum using MD5 or SHA-1 algorithm. To setup this feature two lines have to be added to sqlnet.ora file both on the client and server sides.
On the client side:
SQLNET.CRYPTO_CHECKSUM_CLIENT = [ accepted | rejected | requested | required ] SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = <crypto_checksum_algorithms>
On the server side:
SQLNET.CRYPTO_CHECKSUM_SERVER = [ accepted | rejected | requested | required ] SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = <crypto_checksum_algorithms>
12.1 version introduced some SHA-2 algorithms.
The performances test (with release 10.2) consists in querying 100 times the DBA_OBJECTS view (select * from dba_objects) and collecting the overall elapsed time (about 220MB are exchanged on network). Tests are done on a loopback address to prevent counting real network times and on a totally idle server: tests are the only processes to run.
Each test is executed 3 times for each of the previously listed algorithms. The average elapsed response time from the client point of view is reported in the following table.
Algorithm | None | MD5 | SHA-1 | |||
---|---|---|---|---|---|---|
Time | %None | Time | %None | Time | %None | |
None | 79.6 s | 80.5 s | 101% | 82.4 s | 104% | |
DES | 104.7 s | 132% | 107.1 s | 135% | 108.2 s | 136% |
3DES168 | 151.8 s | 191% | 153.9 s | 193% | 155.6 s | 196% |
AES128 | 88.8 s | 112% | 90.5 s | 114% | 92.1 s | 116% |
AES256 | 91.8 s | 115% | 93.5 s | 117% | 94.2 s | 118% |
RC4_128 | 81.6 s | 103% | 82.5 s | 104% | 85.0 s | 107% |
RC4_256 | 81.7 s | 103% | 82.8 s | 104% | 85.0 s | 107% |
联系客服