Skip Headers
Oracle® Database Advanced Security Guide
12c Release 1 (12.1)

Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
PDF · Mobi · ePub


actual data

In Oracle Data Redaction, the data in a protected table or view. An example of actual data could be the number 123456789, and the redacted data version of this number could appear to the user, depending on the Data Redaction policy, as 999996789.

auto-login software keystore

A software keystore that is protected by a system-generated password and does not need to be explicitly opened by a security administrator. Auto-login software keystores are automatically opened when accessed and can be used across different systems.

See also local auto-login software keystore.

cipher suite

A set of authentication, encryption, and data integrity algorithms used to exchange messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.


Message text that has been encrypted.

See also encrypted text.

data redaction

The ability to mask data with different values. Oracle Data Redaction enables you to mask data in real time, that is, at the moment a user tries to access the data. You can mask all of the data, a partial subset of the data, or display random values in place of the data.

See also redaction.


The process of converting an encrypted message (the ciphertext), back to its original message (plaintext).

dictionary attack

A common attack on passwords. In any well designed password-based authentication system, the actual passwords of the users are never stored on the server. Instead, the server stores the hashes of the passwords, which are difficult to invert. Thus, if the server is compromised and the password hashes leak out, then it is still difficult for an intruder to get to the actual passwords.

A dictionary attack is a common attack on passwords that takes advantage of the fact that many passwords are based on real dictionary words (thus the name dictionary attack). The intruder creates a list of common passwords and computes the hash of each. Later, when the intruder somehow gets access to the password hashes, the intruder compares these to the precomputed hashes. If there is a match, then it is likely that the actual password is the same as the password that the intruder hashed to the same value.

The intruder can precompute the table of hashes, which is usually called a rainbow table, because the hash depends only on the password. To guard against this, add salt to the password before hashing. This makes it infeasible to precompute the table.

encrypted text

Text that has been encrypted, using an encryption algorithm; the output stream of an encryption process. The text is not readable or decipherable, without first being subject to decryption. Also called ciphertext. Encrypted text ultimately originates as plaintext.


The process of converting an original message (plaintext) to an encrypted message (ciphertext).

Disguising a message, rendering it unreadable to all except for the intended recipient.

hardware keystore

A container that stores a Transparent Data Encryption key for a hardware security module.

See also keystore.

hardware security module

A physical device that provides secure storage for encryption keys.

See also hardware keystore.


A query that is designed to find data by repeatedly trying queries. For example, to find the users who earn the highest salaries, an intruder could use the following query:


FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Steven               King                           24000
Neena                Kochhar                        17000
Lex                  De Haan                        17000

key pair

A public key and its associated private key. See public and private key pair.


A container that stores a Transparent Data Encryption key. In previous releases, this container was referred to as a wallet.

See also auto-login software keystore, hardware keystore, and local auto-login software keystore.

local auto-login software keystore

A software keystore that is local and restricted to the computer on which it was created for which it was created.

See also auto-login software keystore.


The ability to hide data from a user.

See also Oracle Data Redaction.

Oracle Data Redaction

A set of features that enables you to mask data in realtime, using either full masking, partial masking, random masking, or no masking.

See also actual data, redacted data, and redaction.

password-based software keystore

A software keystore that must be opened with a password before it can be accessed.

See also keystore.


Message text that has not been encrypted.

private key

In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures.

See public and private key pair.

public key

In public-key cryptography, this key is made public to all. It is primarily used for encryption but can be used for verifying signatures.

See public and private key pair.

public key encryption

The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using its private key.

public and private key pair

A set of two numbers used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the key pair. However, data encrypted with a public key cannot be decrypted with the same public key, and data enwrapped with a private key cannot be decrypted with the same private key.

public key infrastructure (PKI)

Information security technology utilizing the principles of public key cryptography. Public key cryptography involves encrypting and decrypting information using a shared public and private key pair. Provides for secure, private communications within a public network.

redacted data

In an Oracle Data Redaction policy, masked data that is displayed to the querying user. For example, if the actual data is 3714-4963-5398-431, then the redacted data could appear, depending on the Data Redaction policy, as XXXX-XXXX-XXXX-431.


In an Oracle Data Redaction policy, the action the server performs on the actual data, in order to present redacted data to the querying user.

See also data redaction.


In cryptography, a way to strengthen the security of encrypted data. Salt is a random string that is added to the data before it is encrypted, making it more difficult for attackers to steal the data by matching patterns of ciphertext to known ciphertext samples. Salt is often also added to passwords, before the passwords are hashed, to avoid dictionary attacks, a method that unethical hackers (attackers) use to determine sensitive passwords. The addition of salt to a password before hashing makes it more difficult for intruders to match the hash values (sometimes called verifiers) with their dictionary list of common password hash values, because they do not know the salt beforehand.

See also dictionary attack.

single sign-on (SSO)

Enables a user to access multiple accounts and applications with a single password, entered during a single connection. The goal is single password, single authentication.

software keystore

A container that stores a Transparent Data Encryption TDE master encryption key for use as an auto-login software keystore, a local auto-login software keystore, or a password-based software keystore.

sqlnet.ora file

A configuration file for the client or server that specifies:

  • Client domain to append to unqualified service names or net service names

  • Order of naming methods the client should use when resolving a name

  • Logging and tracing features to use

  • Route of connections

  • Preferred Oracle Names servers

  • External naming parameters

  • Oracle Advanced Security parameters

The sqlnet.ora file typically resides in $ORACLE_HOME/network/admin on UNIX platforms and in ORACLE_BASE\ORACLE_HOME\network\admin on Windows platforms.

tablespace encryption key

An encryption key that resides in the tablespace that was encrypted. The TDE master encryption key encrypts the tablespace encryption key, which in turn encrypts and decrypts data in the tablespace.

TDE master encryption key

A key that is stored within a software keystore or a hardware keystore. For table encryption, this key encrypts the TDE table key, and for tablespace encryption, it encrypts the tablespace encryption key.

The TDE master encryption key determines the ciphertext that a given algorithm produces from given plaintext. When decrypting data, a key is a value required to correctly decrypt a ciphertext back to the corresponding plaintext. A ciphertext is decrypted correctly if, and only if, the correct key is supplied.

With a symmetric encryption algorithm, the same key is used for both encryption and decryption of the same data. With an asymmetric encryption algorithm (also called a public-key encryption algorithm or public-key cryptosystem), different keys are used for encryption and decryption of the same data.

See also keystore.

TDE table key

An encryption key that is associated with a table whose columns are marked for encryption. The TDE master encryption key encrypts the table encryption key, which in turn encrypts data in the table.


A data structure used to store and manage security credentials for an individual entity. A Wallet Resource Locator (WRL) provides all of the necessary information to locate the wallet. For Transparent Data Encryption, the term for wallet is keystore.

wallet obfuscation

The ability to store and access an Oracle wallet without querying the user for a password before access (supports single sign-on (SSO)).

Wallet Resource Locator (WRL)

A tool that provides all of the necessary information to locate a wallet. It is a path to an operating system directory that contains a wallet.