Encrypting server/client data in network traffic means that whenever a client (customer) sends a query to the Oracle database (server), the data transferred over the network is encrypted. To achieve this, we add the encryption parameters to the sqlnet.ora file on the server side.

Oracle Advanced Encryption Standard

The purpose of a secure cryptosystem is to convert plaintext data into unintelligible ciphertext based on a key, in such a way that it is very hard (computationally infeasible) to convert ciphertext back into its corresponding plaintext without knowledge of the correct key. In a symmetric cryptosystem, the same key is used both for encryption and decryption of the same data. Oracle Advanced Security provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of Oracle Net Services traffic. In this release, the new Federal Information Processing Standard (FIPS) encryption algorithm, Advanced Encryption Standard (AES), is supported. AES can be used by all U.S. government organizations and businesses to protect sensitive data over a network. This encryption algorithm defines three standard key lengths, which are 128-bit, 192-bit, and 256-bit.

Encryption status according to client and server parameter values is summarized in the following table (ORA-12660 is the error returned by Oracle in these cases):
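As an added illustration (not code from the original post), the outcome this table summarises can be stated as a rule: if one side is REJECTED, the link stays in the clear unless the other side is REQUIRED, in which case the connection fails with ORA-12660; if neither side rejects, encryption is switched on as soon as either side is REQUESTED or REQUIRED, and only the ACCEPTED/ACCEPTED pair stays unencrypted. The script below encodes that rule and reads the two parameters out of sqlnet.ora fragments; the names negotiate, parse_sqlnet and outcome_for and the client fragment are this example's own, and it assumes Oracle's documented default of ACCEPTED when the parameter is absent. That default is why a server set to REQUIRED encrypts sessions from clients whose sqlnet.ora sets nothing, and why a server left at ACCEPTED does not.

```python
"""Oracle Net native encryption negotiation for the four
SQLNET.ENCRYPTION_CLIENT / SQLNET.ENCRYPTION_SERVER values.

Added example, not Oracle's code: the rules follow the negotiation table in
the Oracle Advanced Security documentation, ORA-12660 being the error raised
for an incompatible REQUIRED/REJECTED pair.
"""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT_LEVEL = "ACCEPTED"   # Oracle's documented default when the parameter is absent


def negotiate(client: str, server: str) -> str:
    """Return 'ON', 'OFF' or 'ORA-12660' for a client/server setting pair."""
    client, server = client.upper(), server.upper()
    for side in (client, server):
        if side not in LEVELS:
            raise ValueError(f"unknown encryption setting: {side}")
    if "REJECTED" in (client, server):
        # One side refuses: the link stays clear unless the other side insists.
        return "ORA-12660" if "REQUIRED" in (client, server) else "OFF"
    # Neither side rejects: encryption is used as soon as either side asks for it.
    if "REQUESTED" in (client, server) or "REQUIRED" in (client, server):
        return "ON"
    return "OFF"   # both sides merely ACCEPTED (the out-of-the-box state)


def parse_sqlnet(text: str, side: str) -> str:
    """Pull SQLNET.ENCRYPTION_<SIDE> out of a sqlnet.ora fragment.

    Comment (#) and blank lines are skipped; a missing parameter means
    Oracle's default, ACCEPTED.  Other parameters are not validated here.
    """
    key = f"SQLNET.ENCRYPTION_{side.upper()}"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.upper() == key:
            return value.upper()
    return DEFAULT_LEVEL


# Constructed sample input: the server fragment from the post, and a client
# sqlnet.ora that configures nothing (the usual state of a workstation).
SERVER_SQLNET = """\
#
# Encryption
#
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
DISABLE_OOB=on
SQLNET.ENCRYPTION_SERVER=REQUIRED
DIAG_ADR_ENABLED=OFF
"""
CLIENT_SQLNET = "# nothing configured on the client\n"


def outcome_for(server_cfg: str, client_cfg: str) -> str:
    """Negotiation result for a server fragment and a client fragment."""
    return negotiate(parse_sqlnet(client_cfg, "client"),
                     parse_sqlnet(server_cfg, "server"))


if __name__ == "__main__":
    print("client default + server REQUIRED ->", outcome_for(SERVER_SQLNET, CLIENT_SQLNET))
    for c in LEVELS:
        print(f"client {c:>9}: " + "  ".join(f"server {s}={negotiate(c, s)}" for s in LEVELS))
```

Running it prints the full 4x4 matrix; the single line that matters for this post is that the server fragment above combined with an unconfigured client gives ON, whereas the same client against a server left at ACCEPTED gives OFF.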


The tested encryption algorithms were (other ones are available, refer to the documentation above):

  • DES: Data Encryption Standard (an old 56-bit encryption method)
  • 3DES168: triple DES with the three-key (168-bit) option
  • AES128: Advanced Encryption Standard with a 128-bit key (currently the most widely used for data encryption)
  • AES256: Advanced Encryption Standard with a 256-bit key (currently the most secure)
  • RC4_128: RC4 with a 128-bit key (RC4 is the international standard for high-speed data encryption)
  • RC4_256: RC4 with a 256-bit key

Performance test using the AES256 vs 3DES168 algorithms

Edit sqlnet.ora on the Oracle database server with vi and add:

#
# Encryption
#
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
DISABLE_OOB=on
SQLNET.ENCRYPTION_SERVER=REQUIRED
DIAG_ADR_ENABLED=OFF

So far, so good. But how do we verify it is working? We can check with a SQL query, or we can enable a sqlnet level 16 trace on the client and compare the trace files produced with encryption disabled and with encryption enabled.

Option 1: Query to show encrypted clients

In the query results, look for lines that list ciphers and contain the words “service adapter”. Ignore the other lines. Such lines tell us that encryption and/or integrity checking is active for the connection.

Query 1: select * from dba_objects; this collects all 592912 rows from dba_objects, with the elapsed time measured in the SQL Developer tool (about 550 MB are exchanged over the network).


Runtime details

Algorithm: 3DES168 / ACCEPTED
Elapsed Time (SQL_CMD): 592912 rows selected. Elapsed: 02:13:23.61
Encryption Pattern (client trace):
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 19 73 65 |......se|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 6C 65 63 74 20 2A 20 66 |lect.*.f|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 72 6F 6D 20 64 62 61 5F |rom.dba_|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 6F 62 6A 65 63 74 73 01 |objects.|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|

Algorithm: 3DES168 / REQUIRED
Elapsed Time (SQL_CMD): 592912 rows selected. Elapsed: 02:40:34.52
Encryption Pattern (client trace):
(618534400) [03-JUL-2018 14:20:08:031] nspsend: packet dump
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 00 00 01 2C 06 20 00 00 |...,....|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 00 00 2B 0E A5 DA 0A 31 |..+....1|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 9A 2C 90 A3 20 C1 38 ED |.,....8.|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: D5 DE 86 FF BF A8 39 40 |......9@|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: B0 47 65 AA 01 16 6A D2 |.Ge...j.|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 4B 62 33 C1 25 5E B7 B2 |Kb3.%^..|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 74 AA 36 AC AB 3A D8 7E |t.6..:.~|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: EF 27 81 18 F1 11 84 9B |.'......|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 20 D2 ED 1D E3 A2 81 79 |.......y|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: D7 87 8B 28 1D 0C 0A A9 |...(....|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: CE 89 39 14 B8 9F 96 28 |..9....(|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 63 2E 44 13 0F EE 48 D7 |c.D...H.|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: DC 84 CA 6C 20 D5 28 3C |...l..(<|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: F7 48 E3 CB 61 F7 C6 0C |.H..a...|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 08 FF 6C C8 CB 01 30 AE |..l...0.|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 3E 81 C0 73 5C 36 A4 10 |>..s\6..|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 89 22 1B 86 3B F4 C9 AB |."..;...|

Algorithm: AES256 / ACCEPTED
Elapsed Time (SQL_CMD): 592895 rows selected. Elapsed: 01:55:13.12
Encryption Pattern (client trace):
(3668432384) [04-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [04-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [04-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 19 73 65 |......se|
(3668432384) [04-JUL-2018 12:58:26:434] nsbasic_bsd: 6C 65 63 74 20 2A 20 66 |lect.*.f|
(3668432384) [04-JUL-2018 12:58:26:434] nsbasic_bsd: 72 6F 6D 20 64 62 61 5F |rom.dba_|
(3668432384) [04-JUL-2018 12:58:26:434] nsbasic_bsd: 6F 62 6A 65 63 74 73 01 |objects.|
(3668432384) [04-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [04-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|

Algorithm: AES256 / REQUIRED
Elapsed Time (SQL_CMD): 592895 rows selected. Elapsed: 02:05:20.43
Encryption Pattern (client trace):
(618534400) [03-JUL-2018 14:20:08:031] nspsend: packet dump
(618534400) [04-JUL-2018 14:20:08:031] nspsend: 00 00 01 2C 06 20 00 00 |...,....|
(618534400) [04-JUL-2018 14:20:08:031] nspsend: 00 00 2B 0E A5 DA 0A 31 |..+....1|
(618534400) [04-JUL-2018 14:20:08:031] nspsend: 9A 2C 90 A3 20 C1 38 ED |.,....8.|
(618534400) [04-JUL-2018 14:20:08:031] nspsend: D5 DE 86 FF BF A8 39 40 |......9@|
(618534400) [04-JUL-2018 14:20:08:031] nspsend: B0 47 65 AA 01 16 6A D2 |.Ge...j.|
(618534400) [04-JUL-2018 14:20:08:031] nspsend: 4B 62 33 C1 25 5E B7 B2 |Kb3.%^..|
(618534400) [04-JUL-2018 14:20:08:031] nspsend: 74 AA 36 AC AB 3A D8 7E |t.6..:.~|
(618534400) [04-JUL-2018 14:20:08:031] nspsend: EF 27 81 18 F1 11 84 9B |.'......|
(618534400) [04-JUL-2018 14:20:08:031] nspsend: 20 D2 ED 1D E3 A2 81 79 |.......y|
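The trace comparison above is done by eye: in the ACCEPTED runs the query text is readable in the nsbasic_bsd dump, in the REQUIRED runs the nspsend bytes look random. As an added example (this script is not part of the post), the same check can be automated: the script reassembles the hex column of every dump line, grouped by the trace function that logged it, then reports whether the known query text occurs in the reassembled bytes and how much Shannon entropy they carry. The embedded dump lines are a constructed sample copied from the post's own trace excerpts, and the regular expression assumes the "(pid) [timestamp] function: hex |ascii|" layout those lines have; the function names reassemble, entropy_bits and classify are this example's own.

```python
"""Scan sqlnet level-16 client trace dumps for SQL text sent in the clear.

Added example, not code from the post: it reassembles the hex columns of
packet-dump lines (nsbasic_bsd, nspsend, ...) and reports whether the known
query text is present and how random the bytes look, which is what a
reviewer does by eye when comparing an unencrypted and an encrypted trace.
"""
import math
import re
from collections import defaultdict

# One dump line: "(pid) [timestamp] function: HH HH ... HH |ascii|"
# (the opening parenthesis is optional because some lines lose it).
DUMP_LINE = re.compile(
    r"^\(?\d+\)\s+\[[^\]]+\]\s+(?P<func>\w+):\s+"
    r"(?P<hex>(?:[0-9A-Fa-f]{2}\s+){1,8})\|"
)


def reassemble(trace_text: str) -> dict:
    """Concatenate the dumped bytes, grouped by the trace function that logged them."""
    buffers = defaultdict(bytearray)
    for line in trace_text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:   # header lines such as "nspsend: packet dump" carry no bytes
            buffers[m.group("func")].extend(bytes.fromhex("".join(m.group("hex").split())))
    return {func: bytes(buf) for func, buf in buffers.items()}


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte: ciphertext approaches 8, zero-padded ASCII SQL stays far below."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(trace_text: str, query: str) -> dict:
    """For each trace function: is the query readable, and what is the byte entropy?"""
    needle = query.encode("ascii").lower()
    return {
        func: {"query_in_clear": needle in buf.lower(),
               "entropy": round(entropy_bits(buf), 2)}
        for func, buf in reassemble(trace_text).items()
    }


QUERY = "select * from dba_objects"

# Constructed sample input: dump lines from the post, one excerpt from the
# SQLNET.ENCRYPTION_SERVER=ACCEPTED run and one from the REQUIRED run.
CLEAR_TRACE = """\
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 19 73 65 |......se|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 6C 65 63 74 20 2A 20 66 |lect.*.f|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 72 6F 6D 20 64 62 61 5F |rom.dba_|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 6F 62 6A 65 63 74 73 01 |objects.|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
(3668432384) [03-JUL-2018 12:58:26:434] nsbasic_bsd: 00 00 00 00 00 00 00 00 |........|
"""
ENCRYPTED_TRACE = """\
618534400) [03-JUL-2018 14:20:08:031] nspsend: packet dump
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 00 00 01 2C 06 20 00 00 |...,....|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 00 00 2B 0E A5 DA 0A 31 |..+....1|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 9A 2C 90 A3 20 C1 38 ED |.,....8.|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: D5 DE 86 FF BF A8 39 40 |......9@|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: B0 47 65 AA 01 16 6A D2 |.Ge...j.|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 4B 62 33 C1 25 5E B7 B2 |Kb3.%^..|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 74 AA 36 AC AB 3A D8 7E |t.6..:.~|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: EF 27 81 18 F1 11 84 9B |.'......|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: 20 D2 ED 1D E3 A2 81 79 |.......y|
(618534400) [03-JUL-2018 14:20:08:031] nspsend: D7 87 8B 28 1D 0C 0A A9 |...(....|
"""

if __name__ == "__main__":
    for name, trace in (("ACCEPTED run", CLEAR_TRACE), ("REQUIRED run", ENCRYPTED_TRACE)):
        print(name, classify(trace, QUERY))
```

For the ACCEPTED excerpt the query is found and the entropy is low (most bytes are padding zeros and ASCII); for the REQUIRED excerpt the query is absent and the entropy is close to the maximum the 80 sampled bytes allow. On a real trace file, feed the whole file as trace_text and run the check over both the send and receive functions, since a query that is encrypted on the way out but answered in the clear is still a finding.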

The AES256 runs completed the query faster than the 3DES168 runs because AES256 is a lighter-weight algorithm and its built-in sorting/comparison is enabled.
