Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients 10-3
Implementation Overview
On the server side, algorithm negotiation and key generation work exactly as they do for Oracle Advanced Security native encryption. This gives backward and forward compatibility between clients and servers.
On the client side, algorithm negotiation and key generation occur in exactly the same manner as for OCI clients. The client and server negotiate encryption algorithms, generate random numbers, use Diffie-Hellman to exchange session keys, and use the Oracle Password Protocol, in the same manner as traditional Oracle Net clients. Thin JDBC contains a complete implementation of an Oracle Net client in pure Java.
Obfuscation
The Java cryptography code is obfuscated. Obfuscation software protects the Java classes and methods that contain the encryption and decryption capabilities.
Java byte code obfuscation is a process frequently used to protect intellectual property written in the form of Java programs. It mixes up the Java symbols found in the code. The process leaves the original program structure intact, so the program still runs correctly, while changing the names of classes, methods, and variables to hide the intended behavior. Although it is possible to decompile and read non-obfuscated Java code, obfuscated Java code is sufficiently difficult to decompile to satisfy U.S. government export controls. Obfuscation only raises the cost of reverse engineering; it is not a cryptographic control and gives no protection to session keys or credentials held by a running client.
Configuration Parameters
A properties class object containing several configuration parameters is passed to the Oracle Advanced Security interface.
All JDBC connection properties including the ones pertaining to Oracle Advanced Security are defined as constants in the oracle.jdbc.OracleConnection interface. The following list enumerates some of these connection properties:
■ CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Parameter
■ CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Parameter
■ CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Parameter
■ CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Parameter
■ CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Parameter
CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Parameter
This parameter defines the level of security that the client wants to negotiate with the server. Table 10–1 describes this parameter's attributes. The default, ACCEPTED, only results in encryption when the server side asks for it; a client that must never send cleartext over the network should set REQUIRED, which makes the connection attempt fail rather than proceed unencrypted.
See Also: Oracle Database JDBC Developer's Guide and Reference for detailed information on configuration parameters and configuration examples
Table 10–1 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Attributes
Attribute Description
Parameter Class Static
Permitted Values REJECTED; ACCEPTED; REQUESTED; REQUIRED
Default Value ACCEPTED
Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL, level);
where prop is an object of the Properties class
Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL, "REQUIRED");
where prop is an object of the Properties class
CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Parameter
This parameter defines the encryption algorithm to be used. Table 10–2 describes this parameter's attributes.
Table 10–2 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Attributes
Attribute Description
Parameter Type String
Parameter Class Static
Permitted Values AES256 (AES 256-bit key), AES192 (AES 192-bit key), AES128 (AES 128-bit key), 3DES168 (3-key 3DES), 3DES112 (2-key 3DES)
Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES, algorithm);
where prop is an object of the Properties class
Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES, "( AES256, AES192 )");
where prop is an object of the Properties class
CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Parameter
This parameter defines the level of security that the client wants to negotiate with the server for data integrity. Table 10–3 describes this parameter's attributes.
Table 10–3 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Attributes
Attribute Description
Parameter Type String
Parameter Class Static
Permitted Values REJECTED; ACCEPTED; REQUESTED; REQUIRED
Default Value ACCEPTED
Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL, level);
where prop is an object of the Properties class
Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL, "REQUIRED");
where prop is an object of the Properties class
CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Parameter
This parameter defines the data integrity algorithm to be used. Table 10–4 describes this parameter's attributes.
Table 10–4 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Attributes
Attribute Description
Parameter Type String
Parameter Class Static
Permitted Values SHA1
Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES, algorithm);
where prop is an object of the Properties class
Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES, "( SHA1 )");
where prop is an object of the Properties class
CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Parameter
This parameter determines the authentication service to be used. Table 10–5 describes this parameter's attributes.
Table 10–5 CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Attributes
Attribute Description
Parameter Type String
Parameter Class Static
Permitted Values RADIUS, KERBEROS, SSL
Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES, authentication);
where prop is an object of the Properties class
Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES, "( RADIUS, KERBEROS, SSL)");
AnoServices Constants
The oracle.net.ano.AnoServices interface has been updated in this release to include the names of all the encryption, authentication, and checksum algorithms supported by the JDBC Thin driver. The following constants have been added to the oracle.net.ano.AnoServices interface:

    // ---- SUPPORTED ENCRYPTION ALG ---
    public static final String ENCRYPTION_3DES112 = "3DES112";
    public static final String ENCRYPTION_3DES168 = "3DES168";
    public static final String ENCRYPTION_AES128 = "AES128";
    public static final String ENCRYPTION_AES192 = "AES192";
    public static final String ENCRYPTION_AES256 = "AES256";
    // ---- SUPPORTED INTEGRITY ALG ----
    public static final String CHECKSUM_SHA1 = "SHA1";
    // ---- SUPPORTED AUTHENTICATION ADAPTORS ----
    public static final String AUTHENTICATION_RADIUS = "RADIUS";
    public static final String AUTHENTICATION_KERBEROS = "KERBEROS";

You can use these constants to set the encryption, integrity, and authentication parameters. Example 10–1 illustrates one such scenario.
Example 10–1 Using AnoServices Constants in JDBC Client Code

    import java.sql.*;
    import java.util.Properties;
    import oracle.jdbc.*;
    import oracle.net.ano.AnoServices;

    /**
     * JDBC thin driver demo: new security features in 11gR1.
     *
     * This program attempts to connect to the database using the JDBC thin
     * driver and requires the connection to be encrypted with either AES256 or AES192
     * and the data integrity to be verified with SHA1.
     *
     * In order to activate encryption and checksumming in the database you need to
     * modify the sqlnet.ora file. For example:
     *
     *   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256,AES192,AES128)
     *   SQLNET.ENCRYPTION_SERVER = accepted
     *   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
     *   SQLNET.CRYPTO_CHECKSUM_SERVER = accepted
     *
     * The output of this program is:
     *   Connection created! Encryption algorithm is: AES256, data integrity algorithm is: SHA1
     */
    public class DemoAESAndSHA1 {
        static final String USERNAME = "hr";
        static final String PASSWORD = "hr";
        static final String URL =
            "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=somehost.us.example.com)(PORT=5561))"
            + "(CONNECT_DATA=(SERVICE_NAME=itydemo.regress.rdbms.dev.us.example.com)))";

        public static void main(String[] argv) {
            DemoAESAndSHA1 demo = new DemoAESAndSHA1();
            try {
                demo.run();
            } catch (SQLException ex) {
                ex.printStackTrace();
            }
        }

        void run() throws SQLException {
            OracleDriver dr = new OracleDriver();
            Properties prop = new Properties();

            // We require the connection to be encrypted with either AES256 or AES192.
            // If the database doesn't accept such a security level, then the connection
            // attempt will fail.
            prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL,
                             AnoServices.ANO_REQUIRED);
            prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES,
                             "( " + AnoServices.ENCRYPTION_AES256 + "," + AnoServices.ENCRYPTION_AES192 + ")");

            // We also require the use of the SHA1 algorithm for data integrity checking.
            prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL,
                             AnoServices.ANO_REQUIRED);
            prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES,
                             "( " + AnoServices.CHECKSUM_SHA1 + " )");

            prop.setProperty("user", DemoAESAndSHA1.USERNAME);
            prop.setProperty("password", DemoAESAndSHA1.PASSWORD);

            // The driver performs the Oracle Net negotiation during connect; the getters
            // below report which algorithms were actually agreed on.
            OracleConnection oraConn = (OracleConnection) dr.connect(DemoAESAndSHA1.URL, prop);
            System.out.println("Connection created! Encryption algorithm is: " + oraConn.getEncryptionAlgorithmName()
                + ", data integrity algorithm is: " + oraConn.getDataIntegrityAlgorithmName());
            oraConn.close();
        }
    }
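Example 10–1 prints the negotiated algorithms but does not act on them, and Tables 10–1 and 10–3 give ACCEPTED as the default level without saying what two ACCEPTED sides negotiate to. The following is an added example, not code from this guide or from Oracle. It models the Oracle Net level negotiation (the rules come from the Advanced Security guide's negotiation table, not from this page), builds connection properties that refuse to fall back to an unprotected link, and verifies after connect that the negotiated algorithms are on the client's own allow-list. It assumes the ojdbc driver on the classpath; the class name ThinNetPolicy, the enums and the helper method names are mine.

```java
import java.sql.SQLException;
import java.util.List;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.net.ano.AnoServices;

/**
 * Added example (not Oracle's code): a fail-closed policy for Thin JDBC network
 * encryption and integrity. Assumes ojdbc on the classpath and the negotiation
 * rules of Oracle Net native encryption.
 */
public class ThinNetPolicy {

    /** Negotiation levels accepted by the *_LEVEL properties (Tables 10-1 and 10-3). */
    enum Level { REJECTED, ACCEPTED, REQUESTED, REQUIRED }

    /** Result of the client/server level negotiation. */
    enum Outcome { OFF, ON, FAIL }

    /**
     * Oracle Net level negotiation (assumed from the Advanced Security guide's rules,
     * not from this page): REQUIRED against REJECTED fails the connection; any other
     * REJECTED side turns the service off; the service is on only if at least one side
     * is REQUESTED or REQUIRED. Two ACCEPTED sides, the defaults, negotiate nothing.
     */
    static Outcome negotiate(Level client, Level server) {
        if ((client == Level.REQUIRED && server == Level.REJECTED)
                || (server == Level.REQUIRED && client == Level.REJECTED)) {
            return Outcome.FAIL;
        }
        if (client == Level.REJECTED || server == Level.REJECTED) {
            return Outcome.OFF;
        }
        boolean clientWants = client == Level.REQUESTED || client == Level.REQUIRED;
        boolean serverWants = server == Level.REQUESTED || server == Level.REQUIRED;
        return (clientWants || serverWants) ? Outcome.ON : Outcome.OFF;
    }

    /** Algorithms this client accepts, in preference order; the 3DES entries of Table 10-2 are left out on purpose. */
    static final List<String> ALLOWED_ENCRYPTION =
        List.of(AnoServices.ENCRYPTION_AES256, AnoServices.ENCRYPTION_AES192);
    static final List<String> ALLOWED_INTEGRITY = List.of(AnoServices.CHECKSUM_SHA1);

    /** Connection properties that refuse to fall back to a plaintext or unchecked session. */
    static Properties hardenedProperties(String user, String password) {
        Properties prop = new Properties();
        // REQUIRED instead of the ACCEPTED default: a server that does not offer the
        // service aborts the connect instead of silently handing back an unprotected link.
        prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL,
                         AnoServices.ANO_REQUIRED);
        prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES,
                         "( " + String.join(", ", ALLOWED_ENCRYPTION) + " )");
        prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL,
                         AnoServices.ANO_REQUIRED);
        prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES,
                         "( " + String.join(", ", ALLOWED_INTEGRITY) + " )");
        prop.setProperty("user", user);
        prop.setProperty("password", password);
        return prop;
    }

    /**
     * Post-connect check on what was actually negotiated. A null or empty name is
     * treated as "service off"; a name outside the allow-list means the session ended
     * up on an algorithm this client never meant to accept. Either case fails closed.
     */
    static void verifyNegotiated(String encryptionAlg, String integrityAlg) {
        if (encryptionAlg == null || encryptionAlg.isEmpty() || !ALLOWED_ENCRYPTION.contains(encryptionAlg)) {
            throw new SecurityException("encryption not negotiated as required: " + encryptionAlg);
        }
        if (integrityAlg == null || integrityAlg.isEmpty() || !ALLOWED_INTEGRITY.contains(integrityAlg)) {
            throw new SecurityException("integrity not negotiated as required: " + integrityAlg);
        }
    }

    /** Apply the check to a live connection through the getters Example 10-1 prints. */
    static void verify(OracleConnection conn) throws SQLException {
        verifyNegotiated(conn.getEncryptionAlgorithmName(), conn.getDataIntegrityAlgorithmName());
    }

    public static void main(String[] args) {
        // Level negotiation outcomes for three client/server pairings.
        System.out.println("ACCEPTED/ACCEPTED -> " + negotiate(Level.ACCEPTED, Level.ACCEPTED));
        System.out.println("REQUIRED/ACCEPTED -> " + negotiate(Level.REQUIRED, Level.ACCEPTED));
        System.out.println("REQUIRED/REJECTED -> " + negotiate(Level.REQUIRED, Level.REJECTED));

        // Constructed values standing in for the getters on a real connection.
        verifyNegotiated("AES256", "SHA1");
        try {
            verifyNegotiated("3DES112", "SHA1");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Sample credentials as used in Example 10-1; no database is contacted here.
        Properties p = hardenedProperties("hr", "hr");
        System.out.println(p.getProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES));
    }
}
```

Run stand-alone, main needs no database: it reports OFF for ACCEPTED against ACCEPTED, ON for REQUIRED against ACCEPTED and FAIL for REQUIRED against REJECTED, then rejects the constructed 3DES112 result. The server side of the same policy is SQLNET.ENCRYPTION_SERVER = required and SQLNET.CRYPTO_CHECKSUM_SERVER = required in sqlnet.ora, rather than the accepted shown in the comment of Example 10–1, so that a client left at its ACCEPTED default still ends up with an encrypted and integrity-checked session.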