1
Introduction to Oracle Advanced Security

This chapter introduces the Oracle Advanced Security option encryption, checksumming, and authentication features. These features are available to network products using Net8, including Oracle8i, Designer 2000, Developer 2000, and any other Oracle or third-party products that support Net8.

Topics covered in this chapter:

• About the Oracle Advanced Security Option

• Architecture of the Oracle Advanced Security Option

• Secure Data Transfer Across Network Protocol Boundaries

• System Requirements

• Oracle Configuration for Network Authentication

• Oracle Products Not Yet Supported

About the Oracle Advanced Security Option

The Oracle Advanced Security option (formerly Secure Network Services and Oracle Advanced Networking Option) provides a comprehensive suite of security features to protect enterprise networks and securely extend corporate networks to the Internet. The Oracle Advanced Security option provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols. By integrating industry standards, it delivers unparalleled security to the Oracle network and beyond.

Network Security in a Distributed Environment

Organizations around the world are deploying distributed databases and client/server applications in record numbers, often on a national or global scale, based on Net8 and Oracle8i. This proliferation of distributed computing has been matched by an increase in the amount of information that organizations now place on computers. Employee records, financial records, product testing information, and other sensitive or critical data have moved from filing cabinets into file structures. The volume of critical or sensitive information on computers has increased the value of data that may be compromised.

The increased distribution of data in these environments brings with it some serious security threats:

• Data tampering--Distributed environments bring with them the possibility that a malicious third party can execute a computer crime by actually tampering with data as it moves between sites.

• Eavesdropping and data theft--Over the Internet and in Wide Area Network (WAN) environments, both public carriers and private network owners often route portions of their network through insecure land lines, extremely vulnerable microwave and satellite links, or a number of servers, leaving valuable data open to view for any interested party. In Local Area Network (LAN) environments within a building or campus, the potential exists for insiders with access to the physical wiring to view data not intended for them.

• Falsifying user identities--In a distributed environment, it becomes more feasible for a user to falsify an identity to gain access to sensitive and important information. How can you be sure that user Smith connecting to Server A from Client B really is user Smith?

  Moreover, in distributed environments, malefactors may hijack connections. How can you be sure that Client B and Server A are what they claim to be? A transaction that should go from the Personnel system on Server A to the Payroll system on Server B could be intercepted in transit and routed instead to a terminal masquerading as Server B.

• Administering too many passwords--In a distributed system, users may need to remember multiple passwords for the different applications and services that they use. For example, a developer may have access to an application in development on a workstation, a production system on a mini-computer, a PC for creating documents, and several mini-computers or workstations for testing, reporting bugs, configuration management, and so on. Administration of all these accounts and passwords is complex and time-consuming.

  Users generally respond to multiple accounts in one of two ways:

  • If they can choose their own passwords, they may standardize them so that they are the same on all machines. This results in a potentially large exposure in the event of a compromised password. Or they may use passwords with slight variations that can be easily guessed from knowing one password.

  • Users with complex passwords may simply write them down or forget them.

  Either strategy severely compromises password secrecy and service availability.

Features of the Oracle Advanced Security Option

The Oracle Advanced Security option protects against these threats to the security of distributed environments. Specifically, the Oracle Advanced Security option provides the following features, each of which is described in the next few pages.

• Data Integrity--to ensure that data is not modified during transmission

• Data Privacy--to ensure that data is not disclosed during transmission

• Authentication--to ensure that users', hosts', and clients' identities are correctly known, and to provide for single sign-on capability in place of using multiple passwords

• Authorization--to ensure that a user, program, or process receives the appropriate privileges to access an object or set of objects

Data Integrity

To ensure that data has not been modified, deleted, or replayed during transmission, the Oracle Advanced Security option optionally generates a cryptographically secure message digest--through cryptographic checksums using the MD5 algorithm--and includes it with each packet sent across the network.

Moreover, the SSL feature of the Oracle Advanced Security option allows the use of the Secure Hash Algorithm (SHA). SHA is slightly slower than MD5, but produces a larger message digest to make it more secure against brute-force collision and inversion attacks.

Data Privacy

The Oracle Advanced Security option ensures data privacy through both RSA and DES encryption.

• RSA Encryption--An encryption module that uses the RSA Data Security RC4^TM encryption algorithm. Using a secret, randomly-generated key for every session, all network traffic is fully safeguarded--including all data values, SQL statements, and stored procedure calls and results. The client, server, or both, can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implementation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key lengths of 40 bits, 56 bits, and 128 bits.

  Since the Oracle Advanced Security option RSA RC4 40-bit implementation meets the U.S. government export guidelines for encryption products, Oracle provides an export version of the media and exports it to all but a few countries, allowing most companies to safeguard their entire worldwide operations with this software.

• DES (Data Encryption Standard) Encryption--The U.S. Data Encryption Standard required for financial and many other institutions. The Oracle Advanced Security option for Domestic Use offers a standard, optimized 56-bit key DES encryption algorithm. Due to current U.S. government export restrictions, standard DES is initially available only to customers located in the U.S.A. and Canada. For customers located outside the U.S.A. and Canada, the Oracle Advanced Security option for Export Use also offers DES40, a version of DES which combines the standard DES encryption algorithm with the international availability of a 40-bit key. Selecting the algorithm to use for network encryption is a user configuration option, allowing varying levels of security and performance for different types of data transfers.

  More Information: For more information on encryption and checksumming, see Chapter 2, "Configuring Encryption and Checksumming" and Appendix A, "Encryption and Checksumming Parameters".

Authentication

Establishing user identity is also of primary concern in distributed environments; otherwise, there can be little confidence in limiting privileges by user. The Oracle Advanced Security option release 8.1.5 provides authentication through Oracle authentication adapters that support third-party authentication services such as Kerberos, CyberSafe TrustBroker (a Kerberos-based authentication server), SecurID, Identix TouchNet II, and RADIUS. These adapters are described later in this chapter.

Centralized Authentication

Many of the Oracle Advanced Security option authentication methods use centralized authentication. This can give you high confidence in the identity of users, clients, and servers in distributed environments. Having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of nodes on a network faking their identities.

Centralized authentication can also provide the benefit of single sign-on for users. Single sign-on allows users to access multiple accounts and applications with a single password, eliminates the need for multiple passwords, and simplifies management of user accounts and passwords for system administrators.

Note: Oracle Corporation does not provide centralized authentication servers. Rather, it supports only the authentication services provided through other vendors' security services or third-party Kerberos-based servers such as CyberSafe. For a list and brief description of authentication methods supported by the Oracle Advanced Security option, see "Authentication Methods Supported".

How Centralized Authentication Works

Figure 1-1 illustrates how a centralized network authentication service typically operates.

Figure 1-1 How a Network Authentication Service Authenticates a User

Authentication Methods Supported

The Oracle Advanced Security option supports the following authentication methods:

SSL--SSL (Secure Sockets Layer) is an industry standard protocol for securing network connections. SSL provides for authentication, encryption, and data integrity.

You can use the SSL feature of the Oracle Advanced Security option to secure communications between any client and any server. Specifically, you can use SSL to authenticate:

• any client or server to one or more Oracle servers

• an Oracle server to any client

You can use SSL features by themselves or in combination with other authentication methods supported by the Oracle Advanced Security option. For example, you can use SSL along with Kerberos, using the encryption provided by SSL in combination with the Kerberos authentication method.

You can configure SSL to require server authentication only, or both client and server authentication.

RADIUS--RADIUS (Remote Authentication Dial-In User Service), a client-server security protocol, is most widely known for enabling remote authentication and access. The Oracle Advanced Security option uses this emerging standard in a client-server network environment to enable use of any authentication method that supports the RADIUS protocol. You can use RADIUS with a variety of authentication methods, including token cards and smartcards.

Kerberos and CyberSafe--The Oracle Advanced Security option support for Kerberos and CyberSafe provides the benefits of single sign-on and centralized authentication in an Oracle environment. Kerberos is a trusted third-party authentication system that relies on shared secrets. It assumes that the third party is secure. It provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through Kerberos authentication and through the CyberSafe TrustBroker, a Kerberos-based authentication server.

Note: Oracle authentication for Kerberos provides database link authentication (also called "proxy authentication"). CyberSafe and SecurID do not provide support for proxy authentication.

Smartcards (RADIUS-Compliant)--This authentication method uses a hardware device that looks much like a credit card. It has memory and a processor and is read by a smartcard reader located at the client workstation.

Smartcards offer the following benefits:

• Increased security--The smartcard relies on two-factor authentication. The smartcard can be locked, and only the user possessing the card and knowing the correct PIN can unlock it.

• Improved performance--Some sophisticated smartcards contain hardware-based encryption chips that can provide better throughput than software-based implementations. A smartcard can store a user name.

• Accessibility from any workstation--The user logs in simply by inserting the smartcard in a hardware device which reads the card and prompts the user for whatever authentication information the card requires, for example, a PIN. Once the user enters the correct authentication information, the smartcard generates and enters whatever other authentication information is required.

Token Cards (SecurID and RADIUS-Compliant)--Token cards can provide improved ease-of-use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) which the user then types into a token card. The token card provides a response, namely, another number cryptographically-derived from the challenge, which the user then offers to the server.

Token cards provide the following benefits:

• Ease of use--Users need only remember, at most, a personal identification number (PIN) instead of multiple passwords.

• Ease of password management--This is because there is one token card rather than multiple passwords.

• Enhanced password security--To masquerade as a user, a malefactor would have to have the token card as well as the PIN required to operate it.

• Enhanced accountability--Token cards provide a stronger authentication mechanism.

You can use SecurID tokens through either SecurID or through RADIUS.

Bull ISM--ISM (Integrated System Management) is an offering of Bull Worldwide Information Systems that provides system administrators with a variety of management tools. This authentication method is available on the AIX platform only. See your AIX-specific documentation for more information.

Biometric Authentication (Identix)--Identix Biometric Authentication is used on both the clients and Oracle servers to communicate biometric authentication data between the authentication server and the clients.

Authorization

User authorization, already a standard features of Oracle8i, is significantly enhanced by using the authentication methods supported by the Oracle Advanced Security option. For example, on certain platforms such as Solaris, the Oracle Advanced Security option supports authorization with DCE.

Architecture of the Oracle Advanced Security Option

The Oracle Advanced Security option is an add-on product to a standard Net8 Server or Net8 Client. Figure 1-2 shows the location of the Oracle Advanced Security option within a typical stack in an Oracle networking environment.

More Information: For more information on stack communications in an Oracle networking environment, see Net8 Administrator's Guide.

Figure 1-2 Oracle Advanced Security in an Oracle Networking Environment

The Oracle Advanced Security option supports authentication through adapters that are very much like the existing Oracle protocol adapters. As Figure 1-3 shows, authentication adapters integrate below the Net8 interface and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application.

Figure 1-3 Net8 with Authentication Adapters

Secure Data Transfer Across Network Protocol Boundaries

The Oracle Advanced Security option is fully supported by the Oracle Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for instance, can now securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.

System Requirements

The Oracle Advanced Security option is an add-on product to standard Net8 Server or Net8 Client. It is an extra cost item, and, to be functional, must be purchased on both the client and the server.

The Oracle Advanced Security option release 8.1.5 requires Net8 release 8.1.5.

The Oracle Advanced Security option release 8.1.5 supports Oracle 8i Enterprise Edition.

TrustBrokerInstall the Oracle Advanced Security option on all clients and servers where the Oracle Advanced Security option is required.

Note: The Oracle Advanced Security option release 8.1.5 provides secure communication when used with earlier releases (such as 1.0 and 1.1); however, the security functionality defaults to that provided by the earlier release.

Authentication Method	System Requirements
SSL	A wallet that is compatible with the Oracle Wallet Manager, release 1.3-beta. Wallets created on earlier releases of the Oracle Wallet Manager are not forward compatible.
CyberSafe TrustBroker	CyberSafe GSS Runtime Library, version 1.1 or later, installed on both the machine that runs the Oracle client and on the machine that runs the Oracle server. CyberSafe TrustBroker, release 1.2 or later installed on a physically secure machine that will run the authentication server. CyberSafe TrustBroker Client, release 1.2 or later installed on the machine that runs the Oracle client.
Kerberos	MIT Kerberos Version 5, release 1.0 The Kerberos authentication server must be installed on a physically secure machine.
SecurID	ACE/Server 1.2.4 or higher running on the authentication server.
Identix Biometric	Identix hardware and driver installed on each Biometric Manager station and client.
RADIUS	A RADIUS server that is compliant with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting. If you want to enable challenge-response authentication, you must run RADIUS on a platform which supports the Java Native Interface as specified in release 1.1 of the Java Development Kit from JavaSoft.

Oracle Configuration for Network Authentication

This section discusses parameters you set when configuring Oracle for network authentication. Specifically, it discusses the following tasks:

• Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in SQLNET.ORA

• Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE

• Setting OS_AUTHENT_PREFIX to a Null Value

  More Information: For more specific information on configuring a particular authentication method, see that method's corresponding chapter in this Guide.

Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in SQLNET.ORA

For clients and servers to be able to use an Oracle authentication method, the following parameter must be in the sqlnet.ora file:

SQLNET.AUTHENTICATION_SERVICES=(oracle_authentication_method)

For example, the following parameter must be set in the sqlnet.ora files on all clients and servers that use the Kerberos Authentication:

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)

Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE

Attention: Setting REMOTE_OS_AUTHENT to TRUE may create a security hole, because it allows someone using a non-secure protocol (for example, TCP) to perform an operating system-authorized login (formerly referred to as an OPS$ login).

It is strongly recommended that, when configuring the Oracle authentication methods, you add the following parameter to the initialization file used for the database instance:

REMOTE_OS_AUTHENT=FALSE

If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication methods requested by the client, the authentication service negotiation will fail, and the connection will be terminated.

If the following parameter is set in the sqlnet.ora file on either the client or server side:

SQLNET.AUTHENTICATION_SERVICES=(NONE)

the database will attempt to use the provided user name and password to log the user in. However, if REMOTE_OS_AUTHENT is set to FALSE, the connection will fail.

Setting OS_AUTHENT_PREFIX to a Null Value

Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the init.ora file used for the database instance:

OS_AUTHENT_PREFIX=""

Note: The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string.

Attention: If a database already has the OS_AUTHENT_PREFIX set to a value other than NULL ("") do not change it, since it could result in previously created externally-identified users not being able to connect to the Oracle server.

To create a user, launch SQL*Plus and type:

SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;

When OS_AUTHENT_PREFIX is set to a null value (""), you would create the user "king" with the following command:

SQL> CREATE USER king IDENTIFIED EXTERNALLY;

The advantage of creating a user in this way is that the administrator no longer needs to maintain different user names for externally-identified users.

Note: This applies to creating Oracle users for use with all Oracle authentication methods.

More Information: See Oracle8i Administrator's Guide and Oracle8i Distributed Database Systems.

Oracle Products Not Yet Supported

The Oracle Advanced Security option requires Net8 to transmit data securely. Accordingly, the Oracle Advanced Security option's authentication features are not currently supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the Windows platform. The portions of these products that use Oracle Display Manager (ODM) cannot yet take advantage of the Oracle Advanced Security option, since ODM does not currently use Net8.

---