Secure Sockets Layer and Oracle 11g Security
December 3, 2009
Much of the communication between client and server, in an Oracle environment, is unsecured and clear-text. With Oracle Advanced Security and Secure Sockets Layer, network traffic and communication between user and database can become more secured.
Secure Sockets Layer (SSL) is a cryptographic protocol that provides security for communication over the network by encrypting segments of network connections at the transport layer end-to-end. The purpose for SSL is to allow client-server applications to communicate in a secure fashion across the networkpreventing eavesdropping, tampering, and message spoofing. In Oracle, authentication is supported by using Oracle Advanced Security with digital certificates over SSL as well as additional capabilities of these products. The use of Oracle Advanced Security over SSL helps secure communications in a client-server environment by encryption between a client and server as well as authenticating the client or server.
To work in an Oracle environment there is a SSL handshake between client and server that validates authentication and includes the following steps:
1. Client and server determine which cipher suite is being used. A cipher suite is just a set of authentication, encryption, and data integrity algorithms that will be used for exchanging messages back and forth.
2. Server will send a certificate to the client that the client then uses to verify a servers identity.
3. Client will send a certificate, if needed, to verify its identity.
4. Client and server exchange key information using a public key, which will generate a session key that will be used for encryption between client and server for the duration of the communication session.
5. When a handshake is successful the server will verify a user has appropriate authorization to access the database.
Within and Oracle environment, Oracle makes use of a Public Key Infrastructure (PKI) that enables network entities to access security services. Instead of the traditional private-key or symmetric-key implementation that is difficult to secure keys, Oracle implements a public-key cryptography that distributes securely a public and private key pair where a public key is used to encrypt traffic that can then only be decrypted by a holder of the private key. This private key is stored with other credentials in an encrypted container called a wallet. While a public-key may guarantee the security of a message, it does not guarantee a secure communication between client and server. To do this, verification of the public-key is done through an authentication process called certificate authority (CA) which is a third party trusted by both client and server. To help clarify, here is a brief explanation of each of the PKI components:
Certificate Authority (CA) is nothing more than a trusted third party that issues a digital certificate for use by other parties. By default, Oracle uses trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when wallets are created. This third party will certify the identity of parties, such as a client and server, by granting a signed (CAs private key) certificate to a requesting party after verifying identity. For communication to work, each party, after validating with a CA, will validate that the other has one of these signed certificates from a CA.
Certificate is an electronic document, a signed (by a CA) public key from an entity, which will use a digital signature to ensure an partys information is correct and that the public key provided actually belongs to that party. This certificate will remain valid until it expires or until revoked.
Certificate Revocation Lists whenever a CA signs a certificate that certificate is only valid for a specific period of time. When events happen that compromise the validity of private keys and thus render a certificate invalid before the pre-assigned expiration period a CA will revoke the certificate and add the serial number to a Certificate Revocation List (CRL). These CRLs are then periodically published by CAs so that the user community knows when a certain public key is no longer acceptable. For an Oracle environment, clients and servers will validate the certificate by checking the expiration date, signature, and this revocation status against published CRLs if this option has been turned on. CRLs are searched either on the local file system, Oracle Internet Directory, or a CRL Distribution Point.
Wallets straight from the Oracle documentation set: a wallet is a container that will be used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. In an Oracle environment, every party that wants to communicate over SSL must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates. Wallets are managed by Oracle Wallet Manager on both the server and client to generate public-private key pairs and create a certificate request, store a user certificate that matches with the private key, and configure trusted certificates.
Hardware Security Modules Oracle Advanced Security can make use on the server side hardware boxes where keys are stored in the box and managed by using tokens or on the client side by smart card readers, which store private keys on tokens. These hardware security modules are then used to store cryptographic information, perform cryptographic operations through the use of APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11 specification.
Much of the communication between client and server, in an Oracle environment, is unsecured and clear-text. With Oracles Advanced Security and Secure Sockets Layer, the same networking protocol that Web servers used when protecting transactions can be employed to secure network traffic. With any add-on, and adding on the SSL protocol is no different, there is a price to pay in the way of responsiveness and encryption, decryption, and certificate handling does require additional CPU cycles. However, if you need to secure traffic between users and database, SSL might be the way to go. While this article has introduced the basics and hopefully given you an idea of the components for SSL, the next article will provide a step-by-step setup of SSL in an Oracle environment.