Skip Headers

Oracle Advanced Security Administrator's Guide
Release 2 (9.2)

Part Number A96573-01
Go To Documentation Library
Go To Product List
Book List
Go To Table Of Contents
Go To Index

Master Index


Go to previous page Go to next page

Introduction to Oracle Advanced Security

This chapter introduces Oracle Advanced Security and describes its features. These features are available to database and related products that interface with Oracle Net Services, including Oracle9i, Oracle Designer, and Oracle Developer.

This chapter contains the following topics:

About Oracle Advanced Security

Oracle Advanced Security provides a comprehensive suite of security features to protect enterprise networks and securely extend corporate networks to the Internet. It provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols. By integrating industry standards, it delivers unparalleled security to the Oracle network.

This section contains the following topics:

Security in an Intranet or Internet Environment

Oracle databases power the largest and most popular web sites on the Internet. In record numbers, organizations throughout the world are deploying distributed databases and client/server applications based on Oracle9i and Oracle Net Services. This proliferation of distributed computing is matched by an increase in the amount of information that organizations place on computers. Employee and financial records, customer orders, product information, and other sensitive data have moved from filing cabinets to file structures. The volume of sensitive information on the web has thus increased the value of data that can be compromised.

Security Threats

The increased volume of data in distributed environments exposes users to a variety of security threats, including the following:

Eavesdropping and Data Theft

Over the Internet and in wide area network environments, both public carriers and private networks route portions of their network through insecure land lines, vulnerable microwave and satellite links, or a number of servers-- exposing valuable data to interested third parties. In local area network environments within a building or campus, the potential exists for insiders with access to the physical wiring to view data not intended for them, and network sniffers can be installed to eavesdrop on network traffic.

Data Tampering

Distributed environments bring with them the possibility that a malicious third party can compromise integrity by tampering with data as it moves between sites.

Falsifying User Identities

In a distributed environment, it is more feasible for a user to falsify an identity to gain access to sensitive information. How can you be sure that user Pat connecting to Server A from Client B really is user Pat?

Moreover, in distributed environments, malefactors can hijack connections. How can you be sure that Client B and Server A are what they claim to be? A transaction that should go from the Personnel system on Server A to the Payroll system on Server B could be intercepted in transit and re-routed to a terminal masquerading as Server B.

Password-Related Threats

In large systems, users typically must remember multiple passwords for the different applications and services that they use. For example, a developer can have access to a development application on a workstation, a PC for sending email, and several computers or intranet sites for testing, reporting bugs, and managing configurations.

Users typically respond to the problem of managing multiple passwords in several ways:

All of these strategies compromise password secrecy and service availability. Moreover, administration of multiple user accounts and passwords is complex, time-consuming, and expensive.

Oracle Advanced Security Features

Oracle Advanced Security provides data privacy, integrity, authentication, single sign-on, and access authorization in a variety of ways.

For example, you can configure either Oracle Net native encryption or Secure Sockets Layer (SSL) for data privacy. Oracle Advanced Security also provides the choice of several strong authentication methods, including Kerberos, smart cards, and digital certificates.

Oracle Advanced Security features are described in the following sections:

Data Privacy

Oracle Advanced Security protects the privacy of data transmissions through the following encryption methods:

Selection of the network encryption method is a user configuration option, providing varying levels of security and performance for different types of data transfers.

Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export--each with different key lengths. Release 2 (9.2) now contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition. Users deploying prior versions of the product can obtain the Domestic edition for a specific product release.


The U.S. government has relaxed its export guidelines for encryption products. Accordingly, Oracle can now ship Oracle Advanced Security with its strongest encryption features--to virtually all of its customers.

RC4 Encryption

The RC4 encryption module uses the RSA Security, Inc. RC4 encryption algorithm. Using a secret, randomly-generated key unique to each session, all network traffic is fully safeguarded--including all data values, SQL statements, and stored procedure calls and results. The client, server, or both, can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implementation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key lengths of 40-bits, 56-bits, 128-bits, and 256-bits.

DES Encryption

The U.S. Data Encryption Standard algorithm (DES) uses symmetric key cryptography to safeguard network communications. Oracle Advanced Security implements DES with a standard, optimized 56-bit key encryption algorithm, and also provides DES40, a 40-bit version, for backward compatibility.

Triple-DES Encryption

Oracle Advanced Security also supports Triple-DES encryption (3DES), which encrypts message data with three passes of the DES algorithm. 3DES provides a high degree of message security, but with a performance penalty--the magnitude of which is dependent upon on the speed of the processor performing the encryption; 3DES typically takes three times as long to encrypt a data block as compared with the standard DES algorithm.

3DES is available in two-key and three-key versions, with effective key lengths of 112-bits and 168-bits, respectively. Both versions operate in outer Cipher Block Chaining (CBC) mode.

Advanced Encryption Standard

Approved by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication 197, Advanced Encryption Standard (AES) is a new cryptographic algorithm standard developed to replace DES. AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are referred to as AES-128, AES-192, and AES-256, respectively. All three versions operate in outer-CBC mode.

Federal Information Processing Standard

Oracle Advanced Security Release 8.1.6 has been validated under U.S. Federal Information Processing Standard 140-1 (FIPS) at the Level 2 security level. This provides independent confirmation that Oracle Advanced Security conforms to federal government standards. FIPS configuration settings are described by Appendix D, Oracle Advanced Security FIPS 140-1 Settings.

See Also:

Data Integrity

To ensure the integrity of data packets during transmission, Oracle Advanced Security can generate a cryptographically secure message digest--using MD5 or SHA encryption algorithms--and include it with each message sent across a network.

Data integrity algorithms add little overhead, and protect against the following attacks:


Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common authentication method, and Oracle Advanced Security provides enhanced user authentication through several third-party authentication services, and through the use of SSL and digital certificates (See: Figure 1-1).

Many Oracle Advanced Security authentication methods use centralized authentication. This can give you high confidence in the identity of users, clients, and servers in distributed environments. Having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of nodes on a network falsifying their identities.

How Centralized Network Authentication Works

Figure 1-1 shows how a centralized network authentication service typically operates:

Figure 1-1 How a Network Authentication Service Authenticates a User

Text description of ano81012.gif follows.

Text description of the illustration ano81012.gif

  1. A user (client) requests authentication services and provides identifying information, such as a token or password.
  2. The authentication server validates the user's identity and passes a ticket or credentials back to the client--which may include an expiration time.
  3. The client passes these credentials to the Oracle server concurrent with a service request, such as connection to a database.
  4. The server sends the credentials back to the authentication server for authentication.
  5. If the authentication server accepts the credentials, it notifies the Oracle Server; the user is authenticated.
  6. If the authentication server does not accept the credentials, authentication fails and the service request is denied.

Supported Authentication Methods

Oracle Advanced Security supports the following authentication methods:

Secure Sockets Layer

Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. SSL provides authentication, data encryption, and data integrity, and it contributes to a public key infrastructure (PKI).

Oracle Advanced Security SSL can be used to secure communications between any client and any server. You can configure SSL to provide server authentication only, client authentication only, or both client and server authentication.

SSL uses digital certificates (X.509 v3), and a public/private key pair to authenticate users and systems.

SSL features can be used by themselves or in combination with other authentication methods supported by Oracle Advanced Security.


Oracle Advanced Security supports the public key infrastructure provided by the Entrust/PKI software from Entrust Technologies, Inc. Entrust-enabled Oracle Advanced Security lets Entrust users incorporate Entrust single sign-on into their Oracle applications, and it lets Oracle users incorporate Entrust-based single sign-on into Oracle applications.

Remote Authentication Dial-In User Service

Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol that is most widely known for enabling remote authentication and access. Oracle Advanced Security uses this standard in a client/server network environment to enable use of any authentication method that supports the RADIUS protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards, smart cards, and Biometrics.

Kerberos and CyberSafe

Oracle Advanced Security support for Kerberos and CyberSafe provides the benefits of single sign-on and centralized authentication of Oracle users. Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server, or through Cybersafe Active Trust, a commercial Kerberos-based authentication server.


Oracle authentication for Kerberos provides database link authentication (also called proxy authentication). CyberSafe does not support proxy authentication.

Smart Cards

A RADIUS-compliant smart card is a credit card-like hardware device. It has memory and a processor and is read by a smart card reader located at the client workstation.

Smart cards provide the benefits described in Table 1-1.

Table 1-1 Smart Card Benefits  
Benefit Description

Enhanced password security

Smart cards rely on two-factor authentication. The smart card can be locked, and only the user who (i) possesses the card and (ii) knows the correct personal identification number (PIN) can unlock it.

Improved performance

Some sophisticated smart cards contain hardware-based encryption chips that can provide better throughput than software-based implementations. A smart card can also store a user name.

Accessibility from any workstation

Users log in by inserting the smart card in a hardware device that reads the card and prompts the user for whatever authentication information the card requires, such as a PIN. Once the user enters the correct authentication information, the smart card generates and enters whatever other authentication information is required.

Ease of use

Users need only remember a PIN--instead of multiple passwords.

Token Cards

Token cards (SecurID or RADIUS-compliant) can improve ease of use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) that the user enters into a token card. The token card provides a response (another number cryptographically derived from the challenge) that the user enters and sends to the server.

Token cards provide the benefits described in Table 1-2.

Table 1-2 Token Card Benefits
Benefit Description

Enhanced password security

To masquerade as a user, a malefactor must have the token card as well as the personal identification number (PIN) required to operate it. This is called two-factor authentication.

Ease of use

Users need only remember a PIN--instead of multiple passwords.

Enhanced accountability

Token cards provide a stronger authentication mechanism; users are thus more accountable for their actions.

Access from any workstation

Users can log on from any workstation using their PIN, which provides strong, two-factor authentication without any additional hardware devices.

You can use SecurID tokens through the RADIUS adapter.

Single Sign-On

Centralized authentication can enable a single, integrated user sign-on (single sign-on (SSO)). This feature lets users access multiple accounts and applications with a single password, eliminates the need for multiple passwords, and simplifies management of user accounts and passwords for system administrators.

Oracle Advanced Security single sign-on authenticates the user once upon initial connection, with strong authentication occurring transparently in subsequent connections to other databases or services. Using single sign-on, users can access multiple accounts and applications with a single password. Oracle Advanced Security supports many forms of single sign-on, including Kerberos and CyberSafe.

Oracle Advanced Security also provides SSL-based single sign-on for Oracle users by integrating with LDAP v3-compliant directory services. The combination of integrated directory services and Oracle's PKI implementation enable SSL-based single sign-on to Oracle9i databases. Single sign-on lets users be authenticated once, with subsequent connections relying on the user's digital certificate.

This enhances ease-of-use for users, and provides centralized management to security administrators.


User authorization, a function of Oracle9i roles and privileges, is significantly enhanced by using the authentication methods supported by Oracle Advanced Security. For example, on certain operating systems, such as Solaris, Oracle Advanced Security supports authorization with DCE.

Authorizations are also provided by Oracle Advanced Security Enterprise User Security (See: Chapter 15, Managing Enterprise User Security). Oracle Advanced Security can integrate with LDAP version 3-compliant directories to centrally manage users and authorizations. Your Oracle Advanced Security license entitles you to deploy Oracle Internet Directory for user management as well as authorization storage and retrieval. You must license Oracle Internet Directory separately if you use it for additional purposes.

Oracle Advanced Security Architecture

Oracle Advanced Security is an add-on product that complements an Oracle server or client installation. Figure 1-2 shows the Oracle Advanced Security architecture within an Oracle networking environment.

Figure 1-2 Oracle Advanced Security in an Oracle Networking Environment

Text description of asoag013.gif follows.

Text description of the illustration asoag013.gif

Oracle Advanced Security supports authentication through adapters that are similar to the existing Oracle protocol adapters. As shown in Figure 1-3, authentication adapters integrate below the Oracle Net interface and let existing applications take advantage of new authentication systems transparently, without any changes to the application.

Figure 1-3 Oracle Net with Authentication Adapters

Text description of ano81005.gif follows.

Text description of the illustration ano81005.gif

See Also:

Oracle9i Net Services Administrator's Guide, for more information about stack communications in an Oracle networking environment

Secure Data Transfer Across Network Protocol Boundaries

Oracle Advanced Security is fully supported by Oracle Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for example, can securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.

System Requirements

Oracle Advanced Security is an add-on product bundled with the Oracle Net Server or Oracle Net Client. It must be purchased and installed on both the client and the server.

Oracle Advanced Security Release 2 (9.2) requires Oracle Net Release 2 (9.2) and supports Oracle9i Enterprise Edition. Table 1-3 lists additional system requirements.


Oracle Advanced Security is not available with Oracle9i Standard Edition.

Table 1-3 Authentication Methods and System Requirements
Authentication Method System Requirements

Cybersafe Active Trust

  • CyberSafe GSS Runtime Library, version 1.1 or later, installed on both the machine that runs the Oracle client and on the machine that runs the Oracle server.
  • Cybersafe Active Trust, release 1.2 or later, installed on a physically secure machine that runs the authentication server.
  • Cybersafe Active Trust Client, release 1.2 or later, installed on the machine that runs the Oracle client.


  • MIT Kerberos Version 5, release 1.1
  • The Kerberos authentication server must be installed on a physically secure machine.


  • A RADIUS server that is compliant with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting.
  • To enable challenge-response authentication, you must run RADIUS on an operating system that supports the Java Native Interface as specified in release 1.1 of the Java Development Kit from JavaSoft.


  • A wallet that is compatible with the Oracle Wallet Manager version 2.1. Wallets created in earlier releases of the Oracle Wallet Manager are not forward compatible.


  • Entrust IPSEC Negotiator Toolkit Release 5.0.2
  • Entrust/PKI 5.0.2

Oracle Advanced Security Restrictions

Oracle Applications support Oracle Advanced Security encryption and data integrity. However, because Oracle Advanced Security requires Oracle Net Services to transmit data securely, Oracle Advanced Security external authentication features are not supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on Microsoft Windows. The portions of these products that use Oracle Display Manager (ODM) do not take advantage of Oracle Advanced Security, since ODM does not use Oracle Net Services.

Go to previous page Go to next page
Copyright © 1996, 2002 Oracle Corporation.

All Rights Reserved.
Go To Documentation Library
Go To Product List
Book List
Go To Table Of Contents
Go To Index

Master Index