On Sun, Nov 11, 2012 at 7:34 AM, Florian Weimer <[email protected]> wrote:
> * Kevin W. Wall:
>
>> Oracle TDE is being looked at as one option because it is thought to be
>> more or less transparent to the application itself and its JDBC code.
>
> If it's transparent, it's unlikely to help against relevant attacks,
> such as dumping the database over JDBC after the application server
> has been compromised. Non-cryptographic approaches, such as
> database-level access controls, seem better suited for this task
> (assuming that the database has been set up in a suitable fashion and
> is itself robust enough to withstand attacks over the client
> interface).
Of course; the threat model that Oracle TDE supposedly addresses does nothing to address SQLi vulnerabilities. Even having the encryption done by the application does not necessarily mitigate that attack vector in all situations. As usual, that is best handled by ensuring the use of "prepared statements" (aka parameterized queries).

At first I thought that the attack vector that Oracle TDE was intended to address was that of a rogue DBA with access to the database just dumping sensitive data from the DB. I got that impression because Oracle's documentation recommends having a separate "security administrator". However, as I thought about it, it seems that this isn't really right either. Anyone that has SELECT ability on the table's encrypted column can dump the encrypted sensitive data. Even if a DBA for this database didn't have SELECT privilege directly, it would seem that indirectly they could create another DB user that *did* have the needed SELECT access and smash & grab the sensitive data that way.

So looking back at it, I'm not really sure what threat Oracle TDE is supposed to prevent. Perhaps an OS administrator stealing the data? Possibly. More likely it was there to satisfy some inept auditor's checklist mentality to security. A lot of security in the real world is of this CYA variety, so it wouldn't surprise me in the least. That doesn't mean that CYA security approaches are always pointless though. In the event of lawsuits resulting from some data breach, such approaches are often considered following best practice and thus considered doing due diligence, thus keeping you from getting sued for negligence and paying treble damages.

I'm leaning heavily towards making the application handle the encryption, but I think it depends on how much they have left in the budget for this change request.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by accident.
That's where we come in; we're computer professionals. We *cause* accidents."
    -- Nathaniel Borenstein
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
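The point Kevin makes above, that column encryption (transparent or not) does nothing against SQL injection and that the fix is to bind user input as a parameter rather than splice it into the query text, can be shown in a few lines. The following is an added illustration and not code from the thread or from any Oracle product; it uses Python's standard-library sqlite3 on an in-memory table with constructed sample rows, and the same parameter-binding idea applies to JDBC `PreparedStatement` in Java. The `lookup_concat` function deliberately builds the query by string concatenation so that its behaviour can be compared with the prepared form, `lookup_prepared`.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
SAMPLE_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, name):
    """Defective form: user input is spliced into the SQL text, so the
    database parser sees whatever the caller typed as part of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Hardened form: the SQL text is fixed at development time and the input
    travels to the database as a bound parameter, never as statement text."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def concat_breaks_on_quote(conn, name="O'Brien"):
    """A perfectly legitimate name containing a quote is enough to break the
    concatenated form; the prepared form simply finds no such row."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Row counts returned by each form for an ordinary input and for an input
    that the concatenated form misparses as extra SQL."""
    conn = make_db()
    misparsed = "x' OR '1'='1"
    return {
        "concat_normal": len(lookup_concat(conn, "alice")),
        "concat_misparsed": len(lookup_concat(conn, misparsed)),
        "prepared_normal": len(lookup_prepared(conn, "alice")),
        "prepared_misparsed": len(lookup_prepared(conn, misparsed)),
        "concat_quote_error": concat_breaks_on_quote(conn),
        "prepared_quote_rows": len(lookup_prepared(conn, "O'Brien")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated form returns every row for the misparsed input because the database parses the tail of the string as a second condition, and it raises a syntax error on a name containing an apostrophe; the prepared form returns exactly the rows whose `name` equals the supplied string in both cases. Whether the `email` column is stored encrypted at rest changes none of these results, which is why TDE is orthogonal to this class of bug.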
