Now compatible with Oracle 12c!
The Encryption Wizard for Oracle is a database encryption suite designed exclusively for the Oracle RDBMS. The Encryption Wizard allows you to physically encrypt data-at-rest, residing within your relational database through an easy-to-use Java interface.
The Encryption Wizard gives you five encryption methods that you can employ to protect your data:
Obfuscation is not technically encryption. Obfuscation simply obscures data-at-rest and makes your data apparently useless. Advanced decryption techniques can break obfuscation, yet obfuscation makes casual data theft unlikely from inside or outside your organization unless sophisticated and time-consuming cryptography techniques are employed to break the obfuscation keys.
Triple DES Encryption (DES3) is a response to advanced techniques used to break standard DES encrypted data. With Triple DES, a data value is encrypted recursively using three 64-bit keys to insure an almost infinite number of key combinations. Currently the Encryption Wizard uses the Triple DES alogirthm: C=Ek3(Dk2(Ek1(P))) . Both DES algorithms employ Cipher-Block Chaining (CBC).
AES 128-bit Encryption - AES (Advanced Encryption Standard) encryption is available for all Oracle 10g and 11g users through Oracle's stable DBMS_Crypto API that ships with PL/SQL. AES encryption is more secure than DES Encryption and we have tested it as 20% faster on small and medium-sized tables. GNU Crypto can now be loaded to seamlessly integrate AES cryptography with the Encryption Wizard.
AES 256-bit Encryption uses large 32 byte encryption keys and offers strong protection for highly secure data-at-rest. Used for high-security and compliance, such as PCI compliance, AES256 protection is applied by the Encryption Wizard through Oracle's certified and stable DBMS_Crypto package or the GNU Crypto java library.
Along with standard AES-256 encryption, the Encryption Wizard now offers Triple AES-256, an even more secure way to protect your Oracle data.
The Encyption Wizard stores encyrption keys as 2048 bit hash values within the Oracle RDBMS -- the potential mathematical seed of the eventual key to be utilized. At runtime this key matrix is again encrypted using AES256 and cached in user memory. This allows for a hidden mutating key strategy by which an algorithm picks subsets of the potential key. These subset keys are decrypted in the Oracle SGA based on user SQL requests for encrypted data.
The Encryption Wizard will generate one unique key per database column. Key values cannot be migrated from one Oracle database to another -- this makes unauthorized decryption much more difficult for large data sets containing many columns. The Encryption Wizard also employs Cipher-Block Chaining (CBC) which improves encryption of long character strings.
Version 7 of the Encryption Wizard also supports remote key storage on HSM (Hardware Security Modules) with a direct interface through the Oracle JVM to a hardware JCA key-store interface.
The Encryption Wizard supports the Varchar2 and Char Oracle data types with both DES and AES Encryption. Along with traditional character data, the Encryption Wizard also supports encryption for Oracle's Natural Language (NLS) datatypes NCHAR and NVarchar2. Null value encryption for character data is also supported.
Since DES and AES encryption does not support numeric datatypes, the Encryption Wizard offers obfuscation for Oracle Number and Decimal data. No other encryption tool supports the Oracle numeric type.
The Encryption Wizard is the only product that offers direct obfuscation of date and time datatypes within the Oracle RDBMS.
The CLOB datatype is stored in the Oracle database as a Character Large Object and is used to hold massive character strings. The Encryption Wizard offers seamless DES and AES encryption for CLOB data-at-rest security.
Oracle's BLOB datatype is stored in the Oracle database as a Binary Large Object and supports large binary information, such as multi-media objects. The Encryption Wizard directly encrypts this raw value using either DES or AES techniques.
To allow for applications to access physically encrypted data, the Encryption Wizard Security Manager can optionally create decrypted views against any table with encrypted data. Decrypted views allow applications to seamlessly read and/or write to encrypted data objects.
Decrypted views update the encrypted base table through an automatically generated transparent database trigger. Decrypted views can be dynamically created and dropped at any time through the Encryption Wizard user interface or the easy-to-use API.
The Encryption Wizard utilizes bit-mapped function indexes in conjunction with Decrypted Views. These automatically generated indexes greatly increase SQL performance on encrypted columns.
The Encryption Wizard offers Security Managers and DBAs the ability to enable session auditing at the schema, table, or column level. Session auditing will record any distinct encryption/decryption (read/write) requests for all user sessions. With this feature, everyone who has attempted to access your encrypted data can be traced down to their session ID..
The Encryption Wizard supplies you with management reports to trace audited activity against your encrypted base tables.
A Restricted User List specifies which users have access to read/write operations on encrypted data. You can specify Restricted User Lists for a given schema, table, or column. With Restricted User Lists, a Security Manager can block any Oracle user from viewing your encrypted data -- even a DBA such as SYS.
To prevent unauthorized access to encypted data-at-rest, the Encryption Wizard Administrator can set an optional password for each colum, table or schema -- this password can also vary from user to user to further enhance seucrity from data-theft.
With the Encryption Wizard, a Security Manager can also set up an administrative password, to insure that an unauthorized DBA cannot use the Encryption Wizard. Likewise, the Encryption Wizard administrator does not require DBA privileges to use the Encryption Wizard.
The Encryption Wizard employs intelligent recovery operations if object encryption fails. Before the data encryption process, the Encryption Wizard will self-diagnose to check for any incomplete Encryption or Decryption operation on the same data object. This allows the administrator to simply continue the operation or back and guards against serious data inconsistency due to partially completed encryption operations that might occur due to an unexpected database event like a shutdown or power-outage.
The Encryption Wizard allows Security Manager to backup encryption keys to a flat-file using a simple GUI interface. These files may be password protected and cannot be moved to any other database other than the Oracle database from which they were created.
Password protected backups enhance the security of your key backup and recovery operations and reduce
chances of data-loss and downtime.
The Encryption Wizard supports your overall security and compliance efforts with simple to use management reports. These reports allow you to view your overall encryption strategy and track or summarize specific auditing events.
All of the Encryption Wizard reports can be exported to HTML or PDF format for formal presentations. We have provided the source-code of these reports to allow for easy modifications to support individual reporting needs.
Feel free to download an evaluation copy of the Encryption Wizard for Oracle today or simply browse the Encryption Wizard User Manual online and our easy to implement API Library Reference Guide. The Encryption Wizard is compatible Sungard/Ellucian banner software as presented in this white paper at the Sungard conference.
If you have comments or questions about the Encryption Wizard for Oracle, or simply need more information, please do not hesitate to call us at (310) 281-1915 or drop us a line at firstname.lastname@example.org.
Copyright - Relational Database Consultants, Inc.
12021 Wilshire Blvd. Suite 108
Los Angeles, CA. 90025
Phone: (310) 281-1915 FAX: (315) 222-1197.