Oracle Advanced Networking Option Administrator's Guide Go to Product Documentation Library
Library		 Go to books for this product
Product		 Go to Contents for this book
Contents		 Go to Index
Index


Go to previous file in sequence Go to next file in sequence

APPENDIX B. Encryption Enhancements

This appendix contains information on the following encryption enhancements included in Oracle Advanced Networking Option release 2.3.2:

These enhancements are described in this appendix, along with information on how to configure them.

System Requirements

The site-specific Diffie-Hellman and the authentication key fold-in encryption features in the Advanced Networking Option release 2.3.2 require Oracle Server 7.2.3 or above and SQL*Net 2.3 or above.

Known Limitations

The encryption and crypto-checksumming features in the Advanced Networking Option release 2.3.2 will not work with the 7.2.2 multi-threaded server. However, they will work fully with the 7.2.3 multi-threaded server.

Overview of Site-Specific Diffie-Hellman Encryption Enhancement

All of the Secure Network Services releases (1.0, 1.1, and 2.0) and Oracle Advanced Networking Option (release 2.3.2) include the Diffie-Hellman key negotiation algorithm to choose keys used both for encryption and for crypto-checksumming.

A key is a secret shared by both sides of the connection and by no one else. Without the key, it is extremely difficult to decrypt an encrypted message or to tamper undetectably with a crypto-checksummed message. Diffie-Hellman is subject to a particular computationally-expensive table-based attack. Site-specific Diffie-Hellman, on the other hand, lowers the effectiveness of this attack by enabling the Diffie-Hellman parameters at each site to be changed frequently.

The system administrator can lessen the consequences of this attack by running a parameter generation program called naegen to change the default Diffie-Hellman parameters. The Advanced Networking Option server will then use the modified parameters to establish a Diffie-Hellman session key with the Advanced Networking Option client. If the Diffie-Hellman parameters do not exist, the Advanced Networking Option server will use its default parameters.

How to Generate the Diffie-Hellman Parameters with naegen

Note: The naegen utility uses the snsdh.ora parameter file, whose location may vary depending on your platform. For example, the default file location for the snsdh.ora file on the UNIX platform is $ORACLE_HOME/network/admin.

You can use the naegen utility to generate the new Diffie-Hellman parameters. naegen takes as an argument either zero or an integer argument in the range of 256 to 512, for example: 

	naegen 300

This argument represents the number of bits in those parameters. If you do not provide an argument to naegen, naegen generates 512-bit parameters. If a number lower than 256 is provided as the argument, naegen will generate 256-bit parameters. Once it has generated the parameters, naegen stores them in snsdh.ora which is then read by the Advanced Networking Option server to be used in key negotiation. Note that every time the administrator runs naegen, the values in the snsdh.ora file will be different.

If you are using a 40-bit key such as RC4_40, you should provide naegen an argument of 300 or greater. If you are using a 56-bit key such as DES, you should provide an argument of 512.

Although using different Diffie-Hellman parameters for each connection is preferred for better security, it is not feasible because naegen can take up to 4 minutes to generate the necessary parameters, depending on the parameter size. Therefore, it is recommended that network administrators generate the parameters once a day. Optionally, you could generate the parameters once a week or once a month.

Overview of Authentication Key Fold-in Encryption Enhancement

The purpose of the Authentication Key Fold-in encryption enhancement is to defeat a possible "middle-man attack" on the Diffie-Hellman key negotiation. It strengthens the session key significantly by combining a shared secret (which is known only to both the client and the server), with the original session key negotiated by Diffie-Hellman.

The client and the server begin communicating using the session key generated by Diffie-Hellman. When the client authenticates itself to the server, there is a shared secret that is only known to both sides. The Advanced Networking Option then combines the shared secret and Diffie-Hellman session key to generate a stronger session key that would defeat the middle-man, who has no way of knowing the shared secret.

Authentication Key Fold-in Feature Requires No Configuration

The authentication key fold-in encryption enhancement feature is included in the Advanced Networking Option release 2.3.2 and requires no configuration by the system or network administrator.

Strong 128-bit Encryption

This release of ANO provides support for 128-bit encryption with the RSA RC4 algorithm. This feature provides very strong encryption security for transmitted data.


Go to previous file in sequence Go to next file in sequence
Prev Next		 Oracle
Copyright © 1996 Oracle Corporation.
All Rights Reserved.		 Go to Product Documentation Library
Library		 Go to books for this product
Product		 Go to Contents for this book
Contents		 Go to Index
Index