Extract(Read) > Transform(Test&Apply) > Load(Learn) Blog

August 24, 2008

The Rijndael(Advanced Encryption Standard-AES) algorithm to secure TBs of data

Filed under: Oracle How To,Oracle Security — H.Tonguç Yılmaz @ 10:28 am

The Need Definition –

There are some TBs of your Call Data Records (CDR) to be shared with an external company. Some of the columns in this dataset must be encrypted, and the encryption method must guarantee that these columns can only be decrypted by you, the company that owns the data.

The Solution Advised –

Starting with 10g we have the supplied package DBMS_CRYPTO, and inside this package there is the Rijndael (AES) algorithm, which was selected by NIST in October 2000 to become the new official Advanced Encryption Standard (AES) for use within the US Government.

AES is available in two strengths, 128 and 256 bits, and of course the 256-bit version is approximately 50% slower than the 128-bit version. So for optimum encryption performance the 128-bit strength will be enough for this need, since to break AES128 encryption one would need to try 2^100 keys, which would mean months of time even with a supercomputer.

And why do this inside the database rather than, for example, with a custom C program on the operating system? The answer is simple as usual: you already have VLDB options such as PARALLEL QUERY, HASH JOIN, PARTITIONING and COMPRESSION available inside the database you paid for, so on the other path you will most probably be re-inventing a dumber wheel in more time, and this wheel will be born with its own long-term maintenance costs.

A Simple Demonstration based on the 10g EM Data Encryption Wizard –

AES128 demo with DBMS_CRYPTO
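
An added example, not the code behind the linked demo: an AES128 round trip for one CDR column value with DBMS_CRYPTO, using CBC chaining, PKCS#5 padding and a fresh IV stored in front of each ciphertext. The names `encrypt_col`, `decrypt_col`, `l_msisdn` and the sample value are assumptions made for illustration; the key is generated inline here, whereas for the need described above it would be held only by the company that owns the data.

```plsql
-- Added example; helper and variable names are hypothetical.
-- Requires EXECUTE privilege on DBMS_CRYPTO. Run from SQL*Plus.
SET SERVEROUTPUT ON
DECLARE
  -- AES with a 128-bit key, CBC chaining, PKCS#5 padding
  c_typ    CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES128
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;
  -- 16 random bytes = 128-bit key (assumption: kept by the data owner only)
  l_key    RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  l_msisdn VARCHAR2(20) := '905550000000';  -- constructed sample value
  l_stored RAW(2000);
  l_plain  VARCHAR2(20);

  FUNCTION encrypt_col(p_text IN VARCHAR2, p_key IN RAW) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per value
  BEGIN
    -- Return IV || ciphertext so decryption can recover the IV
    RETURN UTL_RAW.CONCAT(
             l_iv,
             DBMS_CRYPTO.ENCRYPT(
               src => UTL_I18N.STRING_TO_RAW(p_text, 'AL32UTF8'),
               typ => c_typ,
               key => p_key,
               iv  => l_iv));
  END encrypt_col;

  FUNCTION decrypt_col(p_data IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
  BEGIN
    -- First 16 bytes are the IV, the rest is the ciphertext
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(
               src => UTL_RAW.SUBSTR(p_data, 17),
               typ => c_typ,
               key => p_key,
               iv  => UTL_RAW.SUBSTR(p_data, 1, 16)),
             'AL32UTF8');
  END decrypt_col;
BEGIN
  l_stored := encrypt_col(l_msisdn, l_key);
  l_plain  := decrypt_col(l_stored, l_key);
  DBMS_OUTPUT.PUT_LINE('stored value : ' || RAWTOHEX(l_stored));
  DBMS_OUTPUT.PUT_LINE('round trip ok: ' ||
    CASE WHEN l_plain = l_msisdn THEN 'yes' ELSE 'no' END);
END;
/
```

Because the IV is random per value, identical plaintexts produce different stored values, so the encrypted column cannot be used as a join or grouping key by the receiving party.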

Some additional reading and references –

Advanced Encryption Standard

Encrypt Your Data Assets By Arup Nanda

How To Encrypt Data in Oracle Using PHP by Larry Ullman

Protect from Prying Eyes: Encryption in Oracle 10g by Arup Nanda

1 Comment »

  1. If you really don’t have CPU time and space constraints, it is obvious that you had better load the data to the DB and do it with the DBMS_CRYPTO package. But you will not have to re-invent the wheel and implement the encryption algorithm in C from the beginning. There are plenty of source codes or libraries available. You can even find available executables to encrypt-decrypt a given file.

    Another idea is, you can simply do this with a compression/archival application like RAR, that can both compress the data and encrypt it as well. (For example, RAR uses 128-bit AES; you may find other compression formats with different encryption scheme options.) Or maybe you can first compress the data, then encrypt, with different applications, and you can easily write a script and automate this process if you need. So, you really don’t have to write a line of code.

    Comment by Bilal Hatipoglu — August 25, 2008 @ 9:34 am | Reply

