Test environment:
11.2.0.4 on Windows, single instance
Application scenario:
Encrypt and integrity-check the data transmitted over the network between the Oracle server and its clients.
By default the data is transmitted in cleartext; for example, a packet-capture tool such as Wireshark or a sniffer can capture the exact contents of the transmission.
For sensitive information this is very unsafe.
Example:
Chinese characters in the capture can be converted from their HEX encoding back into readable text with any of many online conversion tools.
To someone who understands the business, this information is very valuable.
There are two kinds of client:
1. Connecting to the database through the Oracle client software
2. Connecting to the Oracle database through the JDBC driver
Case 1: connecting through the Oracle client:
The main way to enable transport encryption and integrity checking is through the sqlnet.ora file on the server and on the client.
Configuration:
In theory the sqlnet.ora file must be modified on both the database server and the Oracle client, but because the client's default encryption level is ACCEPTED and its default integrity-checksum level is also ACCEPTED, setting only the following parameters on the server side is enough to turn on transport encryption and integrity checking, with no changes to the client's sqlnet.ora (explained in the knowledge-extension section).
Edit the sqlnet.ora file on the Oracle server and add the following parameters:
SQLNET.ENCRYPTION_SERVER = REQUIRED ---- encryption level
SQLNET.ENCRYPTION_TYPES_SERVER = RC4_256 ---- encryption algorithm
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED ---- integrity checksum
The parameters take effect for newly established sessions; existing sessions are unaffected.
After encryption is enabled, the captured packets are no longer cleartext:
Case 2: connecting through JDBC:
This requires writing code; I am not very familiar with it and have not verified it, but the general form is as follows:
For example:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class EncryptedConnect {
    public static void main(String[] args) throws SQLException {
        DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
        Properties props = new Properties();
        // Client-side equivalents of the SQLNET.ENCRYPTION_* parameters
        props.put("oracle.net.encryption_client", "accepted");
        props.put("oracle.net.encryption_types_client", "RC4_128");
        props.put("oracle.net.crypto_checksum_client", "REQUIRED");    // written from the official docs, not verified
        props.put("oracle.net.crypto_checksum_types_client", "MD5");   // written in the format of the official docs, not verified
        props.put("user", "XXX");
        props.put("password", "YYY");
        Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@myhost:1521:mySID", props);
        conn.close();
    }
}
```
Knowledge extension: the four possible values of the encryption and integrity-checksum parameters:
- REQUESTED
- REQUIRED
- ACCEPTED
- REJECTED
Table 4-2 Encryption and Data Integrity Negotiations

Client Setting | Server Setting | Encryption and Data Negotiation
---|---|---
REJECTED | REJECTED | OFF
ACCEPTED | REJECTED | OFF
REQUESTED | REJECTED | OFF
REQUIRED | REJECTED | Connection fails
REJECTED | ACCEPTED | OFF
ACCEPTED | ACCEPTED | OFF (footnote 1)
REQUESTED | ACCEPTED | ON
REQUIRED | ACCEPTED | ON
REJECTED | REQUESTED | OFF
ACCEPTED | REQUESTED | ON
REQUESTED | REQUESTED | ON
REQUIRED | REQUESTED | ON
REJECTED | REQUIRED | Connection fails
ACCEPTED | REQUIRED | ON
REQUESTED | REQUIRED | ON
REQUIRED | REQUIRED | ON
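The server-side sqlnet.ora settings above and Table 4-2 together decide what a given client will get. The following added example (not part of the original post) turns that into a check: it parses sqlnet.ora-style `KEY = VALUE` / `KEY = (V1, V2)` lines, applies the Table 4-2 rule for each of the two services, and then checks whether the two sides share an algorithm, since a session negotiated ON still fails with ORA-12650 when the client's and server's type lists have nothing in common. The function names, the sample sqlnet.ora text and the simplification that an empty type list means "all installed algorithms" are this example's own; which side's preference order wins when several algorithms overlap is not modelled.

```python
"""Predict the outcome of Oracle native network encryption / integrity negotiation
for a pair of sqlnet.ora settings (added example, not from the original post)."""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT_LEVEL = "ACCEPTED"  # an unset ENCRYPTION_* / CRYPTO_CHECKSUM_* parameter behaves as ACCEPTED


def parse_sqlnet_ora(text):
    """Parse 'KEY = VALUE' or 'KEY = (V1, V2)' lines into {KEY: [values]}; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip().upper() for v in value.strip("()").split(",") if v.strip()]
        params[key.upper()] = values
    return params


def negotiate(client, server):
    """Table 4-2 as one rule: returns 'ON', 'OFF' or 'FAIL'."""
    client, server = client.upper(), server.upper()
    if client not in LEVELS or server not in LEVELS:
        raise ValueError(f"unknown level: {client!r} / {server!r}")
    if "REJECTED" in (client, server):
        # One side refuses the service; if the other side insists, there is no session.
        return "FAIL" if "REQUIRED" in (client, server) else "OFF"
    if client == "ACCEPTED" and server == "ACCEPTED":
        return "OFF"  # both merely willing, neither asks: the service stays off (footnote 1)
    return "ON"


def pick_algorithm(client_types, server_types):
    """An algorithm both sides list, or None if there is no overlap.
    Modelling assumption: an empty list stands for 'all installed algorithms'."""
    if not client_types and not server_types:
        return "ANY"
    if not client_types:
        return server_types[0]
    if not server_types:
        return client_types[0]
    common = [a for a in server_types if a in client_types]
    return common[0] if common else None


def predict(server_ora, client_ora=""):
    """Outcome per service as (state, algorithm); state is 'ON', 'OFF' or 'FAIL'."""
    s, c = parse_sqlnet_ora(server_ora), parse_sqlnet_ora(client_ora)
    result = {}
    for service, key in (("encryption", "ENCRYPTION"), ("integrity", "CRYPTO_CHECKSUM")):
        level_c = c.get(f"SQLNET.{key}_CLIENT", [DEFAULT_LEVEL])[0]
        level_s = s.get(f"SQLNET.{key}_SERVER", [DEFAULT_LEVEL])[0]
        state = negotiate(level_c, level_s)
        algo = None
        if state == "ON":
            algo = pick_algorithm(c.get(f"SQLNET.{key}_TYPES_CLIENT", []),
                                  s.get(f"SQLNET.{key}_TYPES_SERVER", []))
            if algo is None:
                state = "FAIL"  # negotiated ON, but no shared algorithm (ORA-12650)
        result[service] = (state, algo)
    return result


# Constructed sample input: the server-side parameters from the post, tested against
# a client with an untouched sqlnet.ora and against a client that pins a different cipher.
SERVER_ORA = """
SQLNET.ENCRYPTION_SERVER = REQUIRED          # encryption level
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_256)   # encryption algorithm(s)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED     # integrity checksum level
"""
CLIENT_PINNED = "SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_128)\n"

if __name__ == "__main__":
    print(predict(SERVER_ORA))                 # encryption ON with RC4_256, integrity ON
    print(predict(SERVER_ORA, CLIENT_PINNED))  # encryption FAIL: RC4_128 vs RC4_256
```

The second case is the situation the JDBC snippet earlier on this page would produce if used unchanged against this server: the client pins RC4_128 while the server only offers RC4_256, so the connection is refused even though both sides agree encryption should be on. When changing the server's type list, keep at least one algorithm that every deployed client can use, and prefer AES128/AES256 over RC4 and SHA-1 over MD5 where the clients support them; the performance table below shows that the AES cost on this workload is small.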
The same four values apply to the integrity-checksum parameters (SQLNET.CRYPTO_CHECKSUM_SERVER / SQLNET.CRYPTO_CHECKSUM_CLIENT):
- REQUESTED
- REQUIRED
- ACCEPTED
- REJECTED
Performance by encryption algorithm (rows) and checksum algorithm (columns): elapsed time, and percentage relative to no encryption and no checksum.

Encryption algorithm | No checksum: time | % of baseline | MD5: time | % of baseline | SHA-1: time | % of baseline
---|---|---|---|---|---|---
None | 79.6 s | baseline | 80.5 s | 101% | 82.4 s | 104%
DES | 104.7 s | 132% | 107.1 s | 135% | 108.2 s | 136%
3DES168 | 151.8 s | 191% | 153.9 s | 193% | 155.6 s | 196%
AES128 | 88.8 s | 112% | 90.5 s | 114% | 92.1 s | 116%
AES256 | 91.8 s | 115% | 93.5 s | 117% | 94.2 s | 118%
RC4_128 | 81.6 s | 103% | 82.5 s | 104% | 85.0 s | 107%
RC4_256 | 81.7 s | 103% | 82.8 s | 104% | 85.0 s | 107%
http://docs.oracle.com/cd/B19306_01/network.102/b14268/asojbdc.htm#i1006209
http://www.orafaq.com/wiki/Network_Encryption
http://www.toadworld.com/platforms/oracle/w/wiki/1719.sqlnet-ora-parameters