Oracle Advanced Networking Option Administrator's Guide

CHAPTER 2. Configuring Encryption and Checksumming


This chapter provides information on the following topics:

Where to Get Information on Installing the Advanced Networking Option
Known Limitations
Benefits of the Advanced Networking Option Encryption and Checksum Algorithms
Domestic and Export Versions
Overview of Encryption and Checksumming Configuration Parameters
Configuring Servers and Clients to Use Encryption and Checksumming

The configuration instructions assume that your SQL*Net network software has already been installed and is running.

For more information about SQL*Net, see Understanding SQL*Net. For information on how to create the configuration files needed for Oracle networking products, see the Oracle Network Manager Administrator's Guide.

Note: Configure the Advanced Networking Option release 2.3.2 with Oracle Network Manager 3.1 or above.

See Appendix A for examples of encryption and checksumming parameters in configuration files, which you generate with Oracle Network Manager.

Where to Get Information on Installing the Advanced Networking Option

You can install the Advanced Networking Option when you install other Oracle networking products and then configure everything at once, or you can add it to an already existing SQL*Net version 2 network.

This guide contains generic information on how to configure your already-existing SQL*Net version 2 network to use the Advanced Networking Option. It is meant to be used in conjunction with the guide that describes how to install and configure the Advanced Networking Option on your particular platform.

Known Limitations

The encryption and checksumming features in the Advanced Networking Option release 2.3.2 do not work with the 7.2.2 multi-threaded server (MTS). However, encryption and checksumming work with the 7.2.3 multi-threaded server.

Note: To use the dedicated server, configure it in the initialization file (for example, INIT.ORA). For information on how to configure the dedicated server, see the Oracle7 Server Administrator's Guide.

Benefits of the Advanced Networking Option Encryption and Checksum Algorithms

Following is a discussion of the benefits of using one algorithm over another.

DES Algorithm Provides Standards-Based Encryption

The Advanced Networking Option for Domestic Use provides the DES (Data Encryption Standard) algorithm for customers with specialized encryption needs. DES has been a U.S. government standard for many years and is sometimes mandated in the financial services industry, where it has long been used to protect large international monetary transactions. The Advanced Networking Option allows this algorithm to protect any kind of application, without any custom programming.

In a secure cryptosystem, the plaintext (a message that has not been encrypted) cannot be recovered from the ciphertext (the encrypted message) except by using the secret decryption key. In a "symmetric cryptosystem", a single key serves as both the encryption and decryption key. DES is a secret-key, symmetric cryptosystem: when used for communication, both sender and receiver must know the same secret key, which is used both to encrypt and to decrypt the message. DES is the most well-known and widely used cryptosystem in the world, and at the time of writing (1996) it had not been broken despite fifteen years of public analysis. That assessment has not held: the 56-bit DES key space has since been searched exhaustively in public demonstrations (1997 and 1998), so DES should be selected here for interoperability with systems that mandate it, not because it resists a well-resourced attacker.

DES40 Algorithm Provided for International Use

The DES40(tm) algorithm, available internationally, is a variant of DES in which the secret key is preprocessed to provide 40 effective key bits. It is designed for use by customers outside the USA and Canada who want to use a DES-based encryption algorithm, and gives commercial customers a choice of algorithm regardless of their geographic location. Note that a 40-bit key space is small enough to be searched exhaustively with modest resources; DES40 satisfies the export rules of the period but should not be relied on for confidentiality against a determined attacker.

RSA RC4 is a Highly Secure, High Speed Algorithm

The RC4(tm) algorithm, developed by RSA Data Security Inc., has quickly become the de-facto international standard for high-speed data encryption. When this guide was written, the only known feasible method of breaking RC4 was brute-force key search, which is infeasible at adequate key lengths. Statistical biases in the RC4 keystream have since been published, and RC4 is no longer recommended for new designs. RC4 is a stream cipher that operates at several times the speed of DES, making it possible to encrypt even large bulk data transfers with minimal performance consequences.

RC4_56 and RC4_128 Can be Used by Domestic Customers

RC4 is a variable key-length stream cipher. The Advanced Networking Option for Domestic Use, release 2.3.2, offers RC4 with 56-bit and 128-bit key lengths. The longer keys cost nothing in performance compared with shorter key lengths of the same algorithm, and of the algorithms offered, RC4_128 has by far the largest key space.

RC4_40 Can be Used by Customers Outside the US and Canada

Oracle has obtained a special license to export the RC4 data encryption algorithm with a 40-bit key size to virtually all destinations where other Oracle products are available. This allows international corporations to use fast encryption throughout their operations, subject to the same 40-bit key-length limitation noted above for DES40.

Diffie-Hellman-Based Key Management

The secrecy of encrypted data depends on a secret key shared between the communicating parties. Providing and maintaining such secret keys is known as "key management". In a multi-user environment, secure key distribution may be difficult; public-key cryptography was invented to solve this problem. The Advanced Networking Option uses the public-key based Diffie-Hellman key negotiation algorithm to perform secure key distribution for both encryption and crypto-checksumming. Diffie-Hellman on its own establishes a shared key that a passive eavesdropper cannot learn; it does not by itself authenticate the two parties to each other, which is why the authentication methods described in Chapters 3 through 5 remain important.

When encryption is used to protect data, keys should be changed frequently to minimize the effects of a compromised key. For this reason, the Advanced Networking Option key management facility negotiates a new session key for every session.

The MD5 Message Digest Algorithm

Encryption of network data provides data privacy; no unauthorized party is able to view the plaintext data as it passes over the network. The Advanced Networking Option also provides protection against two other forms of attack.

In a data modification attack, an unauthorized party on the network intercepts data in transit and changes portions of the data before retransmitting it. An example would be to change the dollar amount of a banking transaction. In a replay attack, an entire set of valid data is repeatedly injected onto the network. An example would be to repeat a valid bank-account transfer transaction. The Advanced Networking Option uses a keyed, sequenced implementation of the MD5 message digest algorithm to protect against both of these forms of active attack. This protection is activated independently from the encryption features provided. MD5 itself has since been found to be collision-prone and is deprecated for new integrity designs; keying the digest with a secret session key, as here, is a different setting from public collision-finding, but MD5 should be regarded as a legacy choice.
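The modification and replay detection just described can be illustrated with a keyed, sequenced digest. The following Python is an added example, not code from this guide or from the Advanced Networking Option; its record layout (a 4-byte sequence number, the payload, then a 16-byte HMAC-MD5 tag over both) and its use of HMAC as the keying method are assumptions, since the page only states that the digest is keyed and sequenced. The session key and the records are constructed inline.

```python
import hashlib
import hmac
import struct

# Layout assumed for this example (not ANO's actual wire format, which the
# page does not specify): record = seq (4 bytes, big-endian) || payload || tag (16),
# tag = HMAC-MD5(session_key, seq || payload).  HMAC is the standard way to key
# a digest; the page only says the digest is "keyed" and "sequenced".
SEQ_LEN = 4
TAG_LEN = 16


def make_record(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: bind the payload to its sequence number under the session key."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.md5).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verify the tag first, then enforce the expected sequence number."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0

    def accept(self, record: bytes) -> tuple:
        """Return (payload, "ok") when the record is genuine and in order, else (None, reason)."""
        if len(record) < SEQ_LEN + TAG_LEN:
            return None, "too short"
        header, payload, tag = record[:SEQ_LEN], record[SEQ_LEN:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.md5).digest()
        # Constant-time compare; any changed byte in transit shows up here (data modification)
        if not hmac.compare_digest(tag, expected):
            return None, "bad checksum"
        (seq,) = struct.unpack(">I", header)
        # A valid tag with a stale sequence number is a replayed record
        if seq != self.expected_seq:
            return None, "sequence error"
        self.expected_seq += 1
        return payload, "ok"


def demo() -> list:
    """Drive the two attacks from the text against one receiver; return the outcomes in order."""
    key = b"constructed-session-key"  # constructed; a real key comes from the DH exchange
    rx = Receiver(key)
    outcomes = []

    r1 = make_record(key, 0, b"TRANSFER 100 FROM A TO B")
    outcomes.append(rx.accept(r1)[1])               # genuine record: ok

    tampered = bytearray(r1)
    tampered[SEQ_LEN + 9] = ord("9")                # "100" -> "900": data modification
    outcomes.append(rx.accept(bytes(tampered))[1])  # bad checksum

    outcomes.append(rx.accept(r1)[1])               # the same valid record again: replay

    r2 = make_record(key, 1, b"TRANSFER 5 FROM B TO C")
    outcomes.append(rx.accept(r2)[1])               # next genuine record: ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The tag is checked before the sequence number so that a forged record cannot probe the receiver's sequence state, and the comparison is constant-time. A genuine record captured and re-sent carries a valid tag but a stale sequence number, which is exactly the replay case the text describes.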

Domestic and Export Versions

Due to export controls placed on encryption technology, the Advanced Networking Option is available in two versions: a domestic version and an export version.

The Advanced Networking Option for Export Use contains the Diffie-Hellman key negotiation algorithm, MD5 message digest algorithm, and DES40 and RC4_40 encryption algorithms.

The Advanced Networking Option for Domestic Use contains the Diffie-Hellman key negotiation algorithm, MD5 message digest algorithm, and DES40, DES, RC4_40, RC4_56, and RC4_128 encryption algorithms.

In certain circumstances, a special license may be obtained to export the domestic version. Licenses are generally available to wholly owned subsidiaries of US corporations. Special licenses can be obtained to allow banks to have the export version updated to include DES. Export and import regulations vary from country to country and change from time to time, so it is important to check on current restrictions in your area.

Overview of Encryption and Checksumming Configuration Parameters

As a network administrator, you use a series of component property sheets in Network Manager to set the encryption and checksumming configuration parameters. For information about configuring your existing SQL*Net version 2 network to use the Advanced Networking Option, see "Configuring Servers and Clients to Use Encryption and Checksumming" later in this chapter.

After the configuration files are generated and moved to appropriate machines, the SQLNET.ORA files on clients and servers using encryption and checksumming will contain some or all of the parameters listed below, depending on which ones were set in Network Manager. See Appendix A for sample SQLNET.ORA configuration files for clients or servers using the Advanced Networking Option.

Negotiating Encryption and Checksumming

To negotiate whether to turn on encryption or checksumming, you can specify four possible values for four of the Advanced Networking Option configuration parameters. Detailed explanations of their meaning and behavior are given below, preceded by a brief one-sentence explanation.

ACCEPTED: Turn on the security service if the other side wants it. This side does not ask for the security service but allows it if the other side asks with REQUIRED or REQUESTED. If the other side is set to REQUIRED or REQUESTED and a common algorithm is found, the connection continues with the security service on. If the other side is set to REQUIRED and no common algorithm is found, the connection terminates with error message 12650. If the other side is set to REQUESTED and no common algorithm is found, or if the other side is set to ACCEPTED or REJECTED, the connection continues without the security service. ACCEPTED is the default: a parameter that is not set behaves as ACCEPTED.

REJECTED: Do not turn on the security service even if the other side wants it. This side specifies that the security service is not allowed. If the other side specifies REQUIRED, the connection terminates with error message 12650. If the other side is set to REQUESTED, ACCEPTED, or REJECTED, the connection continues without the security service.

REQUESTED: Turn on the security service if the other side allows it. This side wants the security service but does not require it. The service is active if the other side specifies ACCEPTED, REQUESTED, or REQUIRED and a common algorithm is available; without a common algorithm the service is not activated, and the connection fails only if the other side specifies REQUIRED.

REQUIRED: Turn on the security service or do not make the connection. This side specifies that the security service must be activated. The connection fails if the other side specifies REJECTED or if there is no common algorithm.
Table 2 - 1 below shows whether or not the security service will be turned on based on a combination of client and server configuration parameters. If either the server or client has specified REQUIRED, lack of a common algorithm will cause the connection to fail. Otherwise, if the service would be on, lack of a common service algorithm will result in the service being turned off.

                              Client
                 Accepted   Rejected   Requested   Required
Server Accepted  OFF        OFF        ON          ON
       Rejected  OFF        OFF        OFF         FAIL
       Requested ON         OFF        ON          ON
       Required  ON         FAIL       ON          ON

Table 2 - 1. Encryption and Checksumming Negotiation Scheme (FAIL = connection will fail)

Note: If Table 2-1 indicates that a service is ON, but a common algorithm is not available to perform the service, the service will not be used. In this case, if either side had specified that the service was to be REQUIRED, the connection will fail.
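The negotiation rules above, together with the algorithm-matching rule given later in this chapter (the server's list is searched in order, and a side set to REQUIRED with no common algorithm terminates the connection with error 12650), can be expressed as a small function. This Python is an added example written for this page, not Oracle code; the installed-algorithm lists and their default order are taken from the parameter descriptions that follow, and the example assumes both ends of the connection run the same version.

```python
"""Negotiation of one security service (encryption or crypto-checksumming) between a
client and a server, following Table 2-1 and the algorithm-matching rules of this chapter."""

LEVELS = ("ACCEPTED", "REJECTED", "REQUESTED", "REQUIRED")

# Installed algorithms in their documented default order, Domestic and Export versions.
# Assumption: both sides run the same version, so one list serves both ends.
DOMESTIC = ("RC4_40", "RC4_56", "RC4_128", "DES", "DES40")
EXPORT = ("RC4_40", "DES40")
ORA_12650 = 12650  # error reported when a required service cannot be negotiated


def service_wanted(client_level: str, server_level: str) -> str:
    """Table 2-1 alone, before algorithms are considered: 'ON', 'OFF' or 'FAIL'."""
    c, s = client_level.upper(), server_level.upper()
    for lvl in (c, s):
        if lvl not in LEVELS:
            raise ValueError(f"invalid level {lvl!r}; expected one of {LEVELS}")
    if "REJECTED" in (c, s):
        # REJECTED against REQUIRED fails; against anything else the service stays off
        return "FAIL" if "REQUIRED" in (c, s) else "OFF"
    if "REQUIRED" in (c, s) or "REQUESTED" in (c, s):
        return "ON"
    return "OFF"  # ACCEPTED on both sides: nobody asked for the service


def negotiate(client_level, server_level, client_algs=(), server_algs=(), installed=DOMESTIC):
    """Return (status, algorithm, error): status 'ON'/'OFF'/'FAIL'; the algorithm chosen or
    None; 12650 or None.  An empty list means 'all installed algorithms, default order'."""
    client_algs = tuple(a.upper() for a in client_algs) or installed
    server_algs = tuple(a.upper() for a in server_algs) or installed
    # Naming an algorithm that is not installed on that side terminates the connection
    for name in client_algs + server_algs:
        if name not in installed:
            return "FAIL", None, ORA_12650
    wanted = service_wanted(client_level, server_level)
    if wanted == "FAIL":
        return "FAIL", None, ORA_12650
    if wanted == "OFF":
        return "OFF", None, None
    # The server's list is searched in order; the client's order is irrelevant
    for name in server_algs:
        if name in client_algs:
            return "ON", name, None
    if "REQUIRED" in (client_level.upper(), server_level.upper()):
        return "FAIL", None, ORA_12650  # the Note under Table 2-1
    return "OFF", None, None            # service silently not used


def negotiation_table() -> dict:
    """Rebuild Table 2-1 as {(server_level, client_level): outcome} for inspection."""
    return {(s, c): service_wanted(c, s) for s in LEVELS for c in LEVELS}


if __name__ == "__main__":
    # Defaults on the server, service requested by the client: the weakest algorithm wins
    print(negotiate("REQUESTED", "ACCEPTED"))
    # The server's preference decides, not the client's order
    print(negotiate("REQUIRED", "REQUIRED", ["DES", "RC4_128"], ["RC4_128", "DES"]))
    # Required, but no common algorithm: the connection terminates
    print(negotiate("REQUIRED", "ACCEPTED", ["DES"], ["RC4_40"]))
```

Running it with the server at its defaults is the most instructive case: a client set to REQUESTED against a server left at ACCEPTED with no algorithm list does turn encryption on, but with RC4_40, the first entry in the default order.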

What the Encryption and Checksumming Parameters Do

There are nine parameters used to turn on encryption and checksumming. Each parameter is described below, and is listed by its Network Manager field name and its parameter name in SQLNET.ORA.

Note: The field names that appear in Network Manager differ from the parameter names as they appear in the SQLNET.ORA file.

Also, you configure these parameters for clients and servers by generating a Client Profile for each set of clients and servers with a particular set of properties. Refer to the Oracle Network Manager Administrator's Guide for more information.

Refer to "Negotiating Encryption and Checksumming" above for descriptions of the possible values you can specify for four of the parameters.

Level Setting on Server Encryption Page

SQLNET.ENCRYPTION_SERVER = valid_value

This parameter specifies the desired behavior when a client (or a server acting as a client) is connecting to this server. The behavior of the server will depend in part on the SQLNET.ENCRYPTION_CLIENT setting at the other end.

Possible values: ACCEPTED, REJECTED, REQUESTED, REQUIRED

Default value: ACCEPTED

Note: If no value is specified in Network Manager, the Advanced Networking Option defaults this parameter to ACCEPTED (even if this parameter does not exist in the SQLNET.ORA file).

Level Setting on Client Encryption Page

SQLNET.ENCRYPTION_CLIENT = valid_value

This parameter specifies the desired behavior when this client (or this server acting as a client) is connecting to a server. The behavior of the client will depend in part on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection.

Possible values: ACCEPTED, REJECTED, REQUESTED, REQUIRED

Default value: ACCEPTED

Note: If no value is specified in Network Manager, the Advanced Networking Option defaults this parameter to ACCEPTED (even if this parameter does not exist in the SQLNET.ORA file).

Selected List on Server Encryption Page

SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])

where valid_encryption_algorithm is one of:

RC4_40    RSA RC4 (40-bit key size)        Domestic & International
RC4_56    RSA RC4 (56-bit key size)        Domestic only
RC4_128   RSA RC4 (128-bit key size)       Domestic only
DES       Standard DES (56-bit key size)   Domestic only
DES40     DES40 (40-bit key size)          Domestic & International

This parameter specifies a list of encryption algorithms this server is allowed to use when acting as a server. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. Specify algorithms in the order of desired use, with the most desired algorithm listed first. Each algorithm will be checked against the list of client algorithm types available until a match is found. If an algorithm that is not installed is specified on this side, the connection will terminate with error message 12650.

Default value: If no algorithms are selected on the Server Encryption page, all installed algorithms are offered.

Domestic version: If you are using the Domestic version, all five algorithms are installed: RC4_40, RC4_56, RC4_128, DES, and DES40. If no algorithms are selected on the Server Encryption page, the installed algorithms are tried in the following order to negotiate a mutually acceptable algorithm with the other end of the connection: RC4_40, RC4_56, RC4_128, DES, and DES40. Because the server's list is searched in order and the first common algorithm wins, this default selects the 40-bit RC4_40 against any client that also offers it; a server that is meant to use a stronger algorithm needs an explicit list with that algorithm first.

Export version: If you are using the Export version, RC4_40 and DES40 are installed. If no algorithms are selected on the Server Encryption page, they are tried in that order: RC4_40, then DES40.

To change the order of algorithms on the Server Encryption page, use the Demote button.

You can specify multiple encryption algorithms, that is, either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable:

SQLNET.ENCRYPTION_TYPES_SERVER=(DES, RC4_56, RC4_128, DES40)
SQLNET.ENCRYPTION_TYPES_SERVER=(RC4_40)

Selected List on Client Encryption Page

SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_encryption_algorithm])

where valid_encryption_algorithm is one of:

RC4_40    RSA RC4 (40-bit key size)        Domestic & International
RC4_56    RSA RC4 (56-bit key size)        Domestic only
DES       Standard DES (56-bit key size)   Domestic only
DES40     DES40 (40-bit key size)          Domestic & International

This parameter specifies a list of encryption algorithms this client (or this server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. The algorithms can be listed in any order, because the order of the server's list determines which common algorithm is chosen. If an algorithm that is not installed is specified on this side, the connection will terminate with error message 12650.

Default value: If no algorithms are selected on the Client Encryption page, all installed algorithms are offered.

Domestic version: If you are using the Domestic version, all four algorithms are installed: RC4_40, RC4_56, DES, and DES40. If no algorithms are selected on the Client Encryption page, all four are offered to the server.

Export version: If you are using the Export version, RC4_40 and DES40 are installed. If no algorithms are selected on the Client Encryption page, both are offered to the server.

The Demote button on the Client Encryption page does not affect negotiation; only the order of the server's list matters. A client that must never use a particular algorithm has to leave it out of its list rather than move it down.

You can specify multiple encryption algorithms, that is, either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable:

SQLNET.ENCRYPTION_TYPES_CLIENT=(DES, DES40, RC4_56, RC4_40)
SQLNET.ENCRYPTION_TYPES_CLIENT=(RC4_40)

Level Setting on Server Checksum Page

SQLNET.CRYPTO_CHECKSUM_SERVER = valid_value

This parameter specifies the desired checksum behavior when a client (or another server acting as a client) is connecting to this server. The resulting behavior will depend in part on the SQLNET.CRYPTO_CHECKSUM_CLIENT setting at the other end.

Possible values: ACCEPTED, REJECTED, REQUESTED, REQUIRED

Default value: ACCEPTED

Note: If no value is specified in Network Manager, the Advanced Networking Option defaults this parameter to ACCEPTED (even if this parameter does not exist in the SQLNET.ORA file).

Level Setting on Client Checksum Page

SQLNET.CRYPTO_CHECKSUM_CLIENT = valid_value

This parameter specifies the desired checksum behavior when this client (or this server acting as a client) is connecting to a server. The resulting behavior will depend in part on the SQLNET.CRYPTO_CHECKSUM_SERVER setting at the other end of the connection.

Possible values: ACCEPTED, REJECTED, REQUESTED, REQUIRED

Default value: ACCEPTED

Note: If no value is specified in Network Manager, the Advanced Networking Option defaults this parameter to ACCEPTED (even if this parameter does not exist in the SQLNET.ORA file).

Selected List on Server Checksum Page

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (crypto_checksum_algorithm [,crypto_checksum_algorithm])

where crypto_checksum_algorithm is:

MD5

Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm. Other algorithms may be supported in future releases.

This parameter specifies a list of the checksumming algorithms this server is allowed to use when acting as a server to a client or another server. This list is used to negotiate a mutually acceptable algorithm with the remote end. Specify algorithms in order of desired use, with the most desired algorithm listed first. Each algorithm will be checked against the list of client algorithm types available until a match is found, which will then be used. If an algorithm is specified that is not installed on this side, the connection will terminate with error message 12650.

Default value: MD5 (currently the only valid value)

Selected List on Client Checksum Page

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (crypto_checksum_algorithm [,crypto_checksum_algorithm])

where crypto_checksum_algorithm is:

MD5

Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm. Other algorithms may be supported in future releases.

This parameter specifies a list of checksumming algorithms this client (or this server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the remote end. The order in which the algorithms are listed is not important. If an algorithm that is not installed on this side is specified, the connection will terminate with error message 12650.

Default value: MD5 (currently the only valid value)

Encryption on Client Profile General Page

SQLNET.CRYPTO_SEED = "10-70 random characters"

The characters in the Encryption field are used when generating cryptographic keys. The more random the characters entered into this field are, the stronger the keys are. You set this parameter by entering from 10 to 70 characters into the Encryption field on the Client Profile General Page in Network Manager, or you can use the default value provided by Network Manager.

Note: Enter as many characters as possible (up to 70), drawn from a source of genuine randomness rather than typed words or patterns, since the resulting keys are only as unpredictable as the seed.

Note: This parameter must be present in the SQLNET.ORA file whenever encryption or checksumming is turned on. Because the seed feeds key generation, treat SQLNET.ORA as sensitive on every node that carries it and restrict who can read it.
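A quick way to catch the mistakes this section warns about (an unbalanced algorithm list, an unknown algorithm name, a seed outside 10 to 70 characters, a seed missing while a service can be turned on, or a server left at ACCEPTED with the default list so that RC4_40 is chosen) is to lint the generated SQLNET.ORA before distributing it. The following Python is an added example, not part of this guide or of Network Manager; the two SQLNET.ORA fragments are constructed samples, the parser handles only the NAME = value and NAME = (list) forms these nine parameters use, and the seed in the hardened sample is a visible placeholder rather than a random value.

```python
import re

# The nine parameters of this section and the kind of value each takes
PARAMS = {
    "SQLNET.ENCRYPTION_SERVER": "level",
    "SQLNET.ENCRYPTION_CLIENT": "level",
    "SQLNET.CRYPTO_CHECKSUM_SERVER": "level",
    "SQLNET.CRYPTO_CHECKSUM_CLIENT": "level",
    "SQLNET.ENCRYPTION_TYPES_SERVER": "enc_list",
    "SQLNET.ENCRYPTION_TYPES_CLIENT": "enc_list",
    "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER": "cks_list",
    "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT": "cks_list",
    "SQLNET.CRYPTO_SEED": "seed",
}
LEVELS = {"ACCEPTED", "REJECTED", "REQUESTED", "REQUIRED"}
ENC_ALGS = {"RC4_40", "RC4_56", "RC4_128", "DES", "DES40"}
CKS_ALGS = {"MD5"}
FORTY_BIT = {"RC4_40", "DES40"}  # 40-bit key size per the algorithm tables above
SEED_MIN, SEED_MAX = 10, 70

_LINE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.+)$")


def parse_sqlnet(text: str) -> dict:
    """Parse NAME = value and NAME = (a, b) lines into a dict (lists stay lists).
    Raises ValueError on a malformed line, e.g. a list missing its closing ')'."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        name, value = m.group(1).upper(), m.group(2).strip()
        if value.startswith("("):
            if not value.endswith(")"):
                raise ValueError(f"missing ')' in {raw!r}")
            params[name] = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[name] = value.strip('"')
    return params


def lint(params: dict, role: str) -> list:
    """Return findings for one side of the connection, role 'CLIENT' or 'SERVER'."""
    role = role.upper()
    findings = []
    for name, kind in PARAMS.items():
        if name not in params:
            continue
        v = params[name]
        if kind == "level" and (not isinstance(v, str) or v.upper() not in LEVELS):
            findings.append(f"{name}: {v!r} is not one of {sorted(LEVELS)}")
        elif kind == "enc_list" and (not isinstance(v, list) or set(v) - ENC_ALGS):
            bad = sorted(set(v) - ENC_ALGS) if isinstance(v, list) else [v]
            findings.append(f"{name}: unknown algorithm {bad}; connection would fail with 12650")
        elif kind == "cks_list" and (not isinstance(v, list) or set(v) - CKS_ALGS):
            findings.append(f"{name}: only MD5 is supported")
        elif kind == "seed" and not SEED_MIN <= len(v) <= SEED_MAX:
            findings.append(f"SQLNET.CRYPTO_SEED: {len(v)} characters, expected {SEED_MIN}-{SEED_MAX}")
    # Absent level parameters behave as ACCEPTED
    enc = str(params.get(f"SQLNET.ENCRYPTION_{role}", "ACCEPTED")).upper()
    cks = str(params.get(f"SQLNET.CRYPTO_CHECKSUM_{role}", "ACCEPTED")).upper()
    if (enc != "REJECTED" or cks != "REJECTED") and "SQLNET.CRYPTO_SEED" not in params:
        findings.append("SQLNET.CRYPTO_SEED missing but a service may be turned on")
    for svc, lvl in (("ENCRYPTION", enc), ("CRYPTO_CHECKSUM", cks)):
        if lvl == "ACCEPTED":
            findings.append(f"SQLNET.{svc}_{role} is ACCEPTED (the default): off unless the peer asks")
    types = params.get(f"SQLNET.ENCRYPTION_TYPES_{role}")
    if enc != "REJECTED":
        if types is None:
            findings.append("no SQLNET.ENCRYPTION_TYPES list: all installed algorithms offered, RC4_40 first")
        elif isinstance(types, list):
            if role == "SERVER" and types and types[0] in FORTY_BIT:
                findings.append(f"server list prefers 40-bit {types[0]}; the server's order decides the match")
            weak = [a for a in types if a in FORTY_BIT]
            if weak:
                findings.append(f"40-bit algorithm(s) offered: {weak}")
    return findings


# Constructed sample: a server profile left close to the generated defaults
WEAK_SERVER = """
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_40, DES40, DES)
SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED
SQLNET.CRYPTO_SEED = "tooshort"
"""

# Constructed sample: both services required, largest key first.  The seed is a
# visible 64-character placeholder, NOT random, and must be replaced before use.
HARDENED_SERVER = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, DES, RC4_56)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
SQLNET.CRYPTO_SEED = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_"
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, lint(parse_sqlnet(text), "SERVER"))
```

The checks flag RC4_40 and DES40 on key length alone, which is what the page states about them; they do not rank the remaining algorithms. Run lint() with role SERVER on a server profile and with role CLIENT on a client profile, since the ordering rule applies only to the server's list.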

Configuring Servers and Clients to Use Encryption and Checksumming

You should use Oracle Network Manager to configure encryption and checksumming to work on your SQL*Net version 2 network. This tool is described in detail in the

Edit the Client Profile

Use the sample procedure below to configure clients and servers in your network to use encryption and checksumming. The examples assume that the network consists of, at least, several clients and several servers in a single community.

Note: Sample configuration files for encryption and checksumming are shown in Appendix A. For information on configuring authentication, refer to Chapters 3, 4, and 5 and Appendix C.

Edit the Client Profile for all servers and clients to configure a set of clients and servers with similar characteristics. Refer to Figure 2 - 1 through Figure 2 - 5.

Attention: You use the Client Profile to configure the Advanced Networking Option parameters for both servers and clients.

Figure 2 - 1. Editing Client Profile to Set the Encryption Seed

Attention: For added security, Oracle recommends that you enter your own value for the encryption seed--do not use the default. Network Manager will generate a new encryption seed every time new configuration files are generated.

Figure 2 - 2. Editing Client Profile to Set Up Encryption for a Set of Clients

Figure 2 - 3. Editing Client Profile to Configure Encryption for a Set of Servers

Note: If you do not specify any encryption algorithms on either the Server Encryption or Client Encryption pages, the Advanced Networking Option will default to the RC4_40 encryption algorithm.

Figure 2 - 4. Editing Client Profile to Configure Checksumming for a Set of Clients

Figure 2 - 5. Editing Client Profile to Configure Checksumming for a Set of Servers

Note: Demote only applies to the server side of the connection--not the client side. (The algorithm list on the server side is searched to determine a match between the server and client.)

Note: If you want to create a subset of servers and clients that has different parameters in effect, create another Client Profile with a different name. For example, if you want to require encryption for some clients and servers but not others, you could create another client profile with encryption set to REQUIRED.

All servers and clients in the current client profile are now configured to use encryption and checksumming, and the servers in that profile are also configured to act as encryption and checksumming servers.

Validate the Network Configuration

(Optional but recommended.) Select Validate from the File menu of the Oracle Network Manager menu bar to verify that the information you entered is consistent and complete.

Save the Network Definition

Save the network definition to disk by selecting Save from the File menu in the Oracle Network Manager menu bar.

Generate Configuration Files for Network Definition

Select Generate from the File menu of the Oracle Network Manager menu bar to create the new configuration files for your network. The Network Manager will generate the configuration files in directories for each server profile and client profile. Refer to Appendix A in this guide for a sample SQLNET.ORA configuration file which the Advanced Networking Option clients and servers will use.

Note: For a sample of how the SQLNET.ORA file would look after performing the previous actions, see "Sample SQLNET.ORA Configuration Files for Clients and Servers" in Appendix A.

Distribute the Configuration Files to Network Nodes

Distribute the files to the appropriate locations on your network. For more information, see "Distributing the Configuration Files" in the Oracle Network Manager Administrator's Guide.




Copyright © 1996 Oracle Corporation. All Rights Reserved.