Oracle® Database Advanced Security Administrator's Guide 11g Release 2 (11.2) Part Number E10746-01 |
|
|
View PDF |
This section describes new features of Oracle Advanced Security 11g Release 2 (11.2) and provides pointers to additional information.
This release includes the following new features:
Enhanced TDE Tablespace Encryption
Oracle Database 11g Release 2 (11.2) implements the following enhancements to TDE Tablespace Encryption:
A unified master encryption key is used for both Transparent Data Encryption (TDE) Column Encryption and TDE Tablespace Encryption.
The unified master encryption key can optionally be stored in a hardware security module. This enables you to use the TDE Tablespace Encryption feature along with hardware security modules.
You can reset (rekey
) the unified master encryption key. This provides enhanced security and helps meet security and compliance requirements.
See Also:
"Encrypting Entire Tablespaces"Internet Protocol Version 6 (IPv6) Support
Oracle Advanced Security fully supports Internet Protocol Version 6 (IPv6) networks.
Kerberos Enhancements
The Oracle Kerberos authentication mechanism now supports the Microsoft Windows Server 2003 constrained delegation feature. The middle tier can use the Kerberos adapter to authenticate to the Oracle Database without providing the user's forwarded Kerberos credentials.
A user can authenticate to the middle tier using a non-Kerberos authentication mechanism. The middle tier authenticates to the backend Oracle Database using the Kerberos authentication mechanism on behalf of the user.
See Also:
Microsoft documentation for more information on the Microsoft Windows Server 2003 constrained delegation featureThis release includes the following new features:
Enhanced Transparent Data Encryption
Transparent Data Encryption enables you to encrypt data in columns without having to manage the encryption key. Businesses can protect sensitive data in their databases without having to make changes to their applications.
Oracle Advanced Security uses industry standard encryption algorithms including AES and 3DES to encrypt columns that have been marked for encryption. Key Management is handled by the database. SQL interfaces to Key Management hide the complexity of encryption.
You can now encrypt entire tablespaces using Tablespace Encryption. All objects created in the encrypted tablespace are automatically encrypted. See "TDE Tablespace Encryption" in for more information.
Transparent Data Encryption now enables you to use a hardware security module (HSM) to store the master encryption key. This allows for enhanced security. See "Using Hardware Security Modules with TDE" for more information.
See Also:
"Supported Encryption Algorithms" for more information on the encryption algorithms that are supported.Chapter 3, "Securing Stored Data Using Transparent Data Encryption" for more information on implementing and using Transparent Data Encryption.
Kerberos authentication is more secure and manageable
The Kerberos implementation now makes use of secure encryption algorithms like 3DES
and AES
in place of DES
. This makes using Kerberos more secure. The Kerberos authentication mechanism in Oracle Database now supports the following encryption types:
DES3-CBC-SHA
(DES3
algorithm in CBC
mode with HMAC-SHA1
as checksum)
RC4-HMAC
(RC4
algorithm with HMAC-MD5
as checksum)
AES128-CTS
(AES
algorithm with 128-bit key in CTS
mode with HMAC-SHA1
as checksum)
AES256-CTS
(AES
algoritm with 256-bit key in CTS
mode with HMAC-SHA1
as checksum)
The Kerberos implementation has been enhanced to interoperate smoothly with Microsoft and MIT Key Distribution Centers.
The Kerberos prinicipal name can now contain more than 30 characters. It is no longer restricted by the number of characters allowed in a database user name.
Note:
In this release, the features of Multiplexing and Connection Pooling do not work with SSL transport. Refer to Oracle Database JDBC Developer's Guide and Reference for details of encryption support available in JDBC.