encryption database in oracle

Upload: an-ninh-mang

Post on 03-Jun-2018


  • 8/12/2019 Encryption Database in Oracle

    Database Encryption in Oracle

    Student: Ong ThHng, AT020128, Faculty of Information Security

    TABLE OF CONTENTS

    List of Abbreviations
    List of Tables
    List of Figures

    Chapter 1: Encryption Basics
      1.1. Introduction
      1.2. Choosing encryption
      1.3. Encryption algorithms and keys
      1.4. Encryption methods
        1.4.1. Symmetric-key encryption
        1.4.2. Public-key encryption

    Chapter 2: Overview of Database Encryption
      2.1. A brief summary of databases
        2.1.1. Definition of a database
        2.1.2. Advantages of databases
        2.1.3. Problems a database must solve
        2.1.4. Database users
        2.1.5. Database Management System
        2.1.6. Applications of databases
      2.2. Information security in databases
        2.2.1. Why databases must be protected
        2.2.2. Attacks on databases
        2.2.3. Database protection methods
        2.2.4. Applying encryption
      2.3. Encryption levels
        2.3.1. Storage-Level Encryption
        2.3.2. DBMS-Level Encryption
        2.3.3. Application-Level Encryption
        2.3.4. Encryption algorithms and modes of operation
        2.3.5. Key management

    Chapter 3: Database Encryption in the Oracle 9i DBMS
      3.1. Introduction to the Oracle 9i database management system
        3.1.1. History of Oracle
        3.1.2. Advantages of Oracle
      3.2. Solutions for encrypting stored data in Oracle 9i
        3.2.1. Data encryption capabilities of Oracle 9i
        3.2.2. Challenges of data encryption

    Chapter 4: Deploying Encryption on the Employee Database
      4.1. The employee table
      4.2. Designing the encryption scheme for the employee table
      4.3. Deployment steps
        4.3.1. Creating the SA user
        4.3.2. Building the encryption/decryption package
        4.3.3. Encrypting/decrypting data
        4.3.4. Handling employee insert, update and delete
        4.3.5. Key management
        4.3.6. Managing users who access plaintext data
      4.4. Test results
      4.5. Evaluation of the employee-table encryption scheme

    Conclusion
    References
    Appendix
      A. The SA user
      B. The CRYPT_UTIL package
      C. The NhanVien_vw view
      D. The NhanVien_vw_trg trigger

    LIST OF ABBREVIATIONS

    AES Advanced Encryption Standard

    ANSI American National Standards Institute

    CBC Cipher-Block Chaining

    DAC Discretionary Access Control

    DBA Database Administrator

    DBMS Database Management System

    DCL Data Control Language

    DDL Data Description Language

    DEA Encryption Standard Algorithm

    DES Data Encryption Standard

    DML Data Manipulation Language

    ECB Electronic Codebook

    FW Firewall

    HSM Hardware Security Module

    IDS Intrusion Detection System

    ISO International Organization for Standardization

    IV Initialization Vector

    MAC Mandatory Access Control

    MD Message-Digest

    PL/SQL Procedural Language/Structured Query Language

    RBAC Role-Based Access Control

    RC Rivest Cipher

    SA Security Administrator

    SHA Secure Hash Algorithm

    SQL Structured Query Language

    SSL Secure Sockets Layer

    LIST OF TABLES

    Table 3.1: Operation of TripleDES

    Table 3.2: Subprograms of the DBMS_OBFUSCATION package

    Table 3.3: Parameters of DES3DECRYPT for raw data

    Table 3.4: Parameters of the DES3ENCRYPT function and procedure

    Table 3.5: Parameters of the DES3GETKEY function and procedure

    Table 3.6: Parameters of the DESDECRYPT function and procedure

    Table 3.7: Parameters of the DESENCRYPT function and procedure

    Table 3.8: Parameters of the DESGETKEY function and procedure

    Table 3.9: Parameters of the MD5 function and procedure

    Table 4.1: The employee table

    LIST OF FIGURES

    Figure 1.1: Symmetric-key encryption

    Figure 1.2: Public-key encryption

    Figure 1.3: Public-key encryption used for authentication

    Figure 2.1: Three options for database encryption levels

    Figure 2.2: Key management methods

    Figure 2.3: CBC cipher block chaining mode

    Figure 4.1: The NhanVien table

    Figure 4.2: The Nhanvien_Ecrypt table

    Figure 4.3: The NhanVien_Key table

    Figure 4.4: Creating the NhanVien_Table view

    Figure 4.5: Encrypting the NhanVien table

    Figure 4.6: The encrypted employee table

    Figure 4.7: Creating the NhanVien_Table view

    Figure 4.8: The Nhanvien_table table

    Figure 4.9: Employee A views plaintext data

    Figure 4.10: Select from the NhanVien_Encrypt table

    Figure 4.11: Insert into the NhanVien table

    Figure 4.12: Update of the NhanVien table

    Figure 4.13: Comparing the encryption results of identical records

    PREFACE

    For many organizations, the database is a treasure trove of sensitive information holding many kinds of data, from customer details and confidential competitive information to intellectual property. Loss or theft of data, especially customer data, can damage reputation and cause competitive disadvantage and serious financial loss.

    For that reason, database security is a top priority for organizations today. However, traditional database security techniques such as firewalls and application security have shown many shortcomings in recent years, and these methods are not enough to protect businesses and data in today's open and complex information technology environment. Among database security measures, encryption is regarded as the deepest line of defence against security holes.

    Based on this, I chose the topic "Database Encryption in Oracle" for my graduation thesis. The goal of the thesis is to study database encryption methods and apply them to encrypting a small database in the Oracle DBMS.

    The thesis report is divided into 3 chapters:

    - Chapter 1: Encryption basics
    - Chapter 2: Overview of database encryption
    - Chapter 3: Database encryption in the Oracle 9i DBMS
    - Chapter 4: Deploying encryption on the employee database

    Chapter 1 gives an overview of encryption, its importance in protecting information and the basic encryption methods in use today; Chapter 2 presents database-related issues and the levels at which encryption can be applied to protect data; Chapter 3 presents the database encryption capabilities of the Oracle DBMS; Chapter 4 shows how to apply Oracle's encryption capabilities to secure an employee database.

    I sincerely thank TS. Nguyn Nam Hi and CN. Trn ThLng for their dedicated help in completing this thesis.

    Because time was limited, the thesis certainly still has many shortcomings. I look forward to receiving help and guidance from my teachers so that it can be improved.

    Thank you very much!

    Hanoi, 16 June 2010

    Student

    Ong ThHng

    Chapter 1

    ENCRYPTION BASICS

    This chapter gives an overview of encryption, its importance in protecting information and the basic encryption methods in use today.

    1.1. Introduction

    Encryption has a very interesting history. It came into being thousands of years ago, possibly as early as the Roman Empire. At that time Julius Caesar, who held power in ancient Rome, wanted to send messages to his generals in the field. These messages were highly sensitive and secret, because they carried orders on how to begin a new military campaign against some target.

    The messages were carried by messengers, which was very risky because they could be intercepted before reaching their destination. That was extremely serious, because it could make the military campaign fail. A simple encryption algorithm was therefore devised and used to encrypt the messages. Julius Caesar is known as the first person to encrypt and decrypt messages. With this method, the risk that an intercepted message, or a messenger who was bribed or tortured, would reveal the content of the message could be eliminated.

    So how should encryption be used? What matters is to understand the nature of the problem. Encryption protects sensitive data sent over insecure communication channels. The message is encrypted from the sensitive data, and the messenger then carries it over the insecure channel (through enemy territory, rivers, mountains ...).

    Encryption ensures that sensitive data is transmitted safely over untrusted communication channels.

    Today, in an Internet-connected world, encryption is widely used because it fits present conditions well: it ensures that sensitive data is transmitted securely over an insecure medium, the Internet. Many experts have also emerged who combine rich experience in network security with deep knowledge of cryptography. This is one of the reasons encryption has become so common today.

    Encryption is the process of taking plaintext data and converting it into an unreadable form. The result is encrypted data, usually called ciphertext. Once data has been encrypted, it later has to be decrypted again. Decryption (carrying out the reverse of the encryption steps) is the process of returning the ciphertext to its original form, the plaintext. The study of these two processes is called cryptography.

    1.2. Choosing encryption

    There are many ways to encrypt data, but only a few are highly effective. Many people are encouraged to write their own ciphers, as Julius Caesar did. However, their authors would have to be geniuses or extremely lucky, so personal ciphers remain very rare to this day. Today the effectiveness of encryption is judged against a common standard and by analysing and reviewing the encryption algorithms concerned. This testing is very important, because it ensures that the encryption is free of avoidable flaws that would let unauthorized people determine the content of sensitive information.

    There are several encryption standards to choose from, but before choosing among these algorithms for use in a database, we need to understand a few things about how encryption is carried out.

    1.3. Encryption algorithms and keys

    To encrypt a database, two things must be settled: the encryption algorithm and the encryption key. Encrypting data is fairly simple: the plaintext is fed into the encryption algorithm, and the encryption key is supplied as well. The algorithm uses the key and complex logical operations to encrypt the data. Decryption works in a similar way, that is, it also requires the key and the decryption algorithm.

    The strength of encryption is not determined by the algorithm alone or by the key length alone; it is determined by both. A common misconception is that a larger key means an algorithm is stronger than other algorithms that use a shorter key. Some algorithms need a long key to reach the same strength as another algorithm with a shorter key. In some cases, using a longer key with the same algorithm makes the encryption more secure.

    The remaining challenge is the performance of encryption. If Julius wants to send his generals an encrypted message, he first needs both the algorithm and the key to encrypt it. Cryptographic research shows that, for today's algorithms, the one crucial thing to discover is the key. Knowing a widely used algorithm does not help an attacker recover sensitive information. These algorithms clearly appear to be good security tools, apart from the trouble caused by determined attackers.

    1.4. Encryption methods

    Three encryption methods are presented:

    Symmetric cryptography: uses a single key for both encryption and decryption.

    Asymmetric cryptography: uses one key to encrypt and a different key to decrypt.

    Hash functions: use a mathematical transformation to encrypt information in one direction only.

    1.4.1. Symmetric-key encryption

    Two kinds of encryption are in use today. The first is called symmetric-key encryption. In symmetric-key encryption the algorithm and the key are used in both encryption and decryption; they are symmetric to each other. A message is encrypted with a key and decrypted with that same key.

    Figure 1.1: Symmetric-key encryption

    Symmetric-key algorithms provide high security and high performance in both encrypting and decrypting information. Some common symmetric-key algorithms are RC4, RC5, DES, 3-DES and AES. Because these algorithms are strong and fast, they are usually used to encrypt large amounts of information.

    Symmetric ciphers today fall into two classes: block ciphers and stream ciphers. A block cipher encrypts a group of several bits of data at a time, whereas a stream cipher encrypts one bit at a time as the data stream passes through. When a block cipher has to encrypt data longer than one block, the data must first be split into blocks of the right size, and the encryption algorithm is then applied to each block. Several modes of operation define how the blocks are processed. The modes allow an algorithm to be used securely in many situations. By choosing a suitable mode, a block cipher can be used as a stream cipher.

    The advantage of a stream cipher for data encryption is that no padding is needed. Because block ciphers operate on a fixed size, blocks of data that are smaller must be padded. A stream cipher avoids this: when the data stream ends, the encryption ends too.
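The padding requirement described above, as an added example that is not part of the original thesis. It assumes PKCS#7-style padding (the thesis names no padding scheme) and the 8-byte block of DES and 3-DES; the column names and widths are constructed.

```python
BLOCK = 8  # block size in bytes of DES and 3-DES; AES uses 16


def pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes of value n so the length becomes a multiple of block.

    A value that already fills its last block still gets a whole extra block,
    otherwise unpad() could not tell padding from data.
    """
    n = block - len(data) % block
    return data + bytes([n]) * n


def unpad(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip the padding, rejecting anything pad() could not have produced."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]


def split_blocks(padded: bytes, block: int = BLOCK) -> list:
    """Cut padded data into the fixed-size blocks the cipher is applied to."""
    return [padded[i:i + block] for i in range(0, len(padded), block)]


def stored_length(plain_len: int, block: int = BLOCK) -> int:
    """Bytes written for plain_len bytes of input (a stream cipher writes plain_len)."""
    return (plain_len // block + 1) * block


def ciphertext_widths(columns: dict, block: int = BLOCK) -> dict:
    """Map each column's maximum plaintext width to the width its ciphertext needs."""
    return {name: stored_length(width, block) for name, width in columns.items()}


# Constructed column widths in bytes for an employee table.
SAMPLE_COLUMNS = {"full_name": 40, "salary": 8, "phone": 11}

if __name__ == "__main__":
    for value in (b"12345", b"12345678", b"123456789"):
        print(value, [b.hex() for b in split_blocks(pad(value))])
    print(ciphertext_widths(SAMPLE_COLUMNS))
```

Sizing the encrypted column from `stored_length` rather than from the plaintext width avoids truncated ciphertext, which would make the value undecryptable.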

    When two people want to use a symmetric-key algorithm, they must first establish a shared key and a secure way to transfer it. If the two parties already know each other, they may already know each other's keys; but when two parties who have never met now want to exchange data securely, the challenge of key exchange arises. You cannot send the key along with the plaintext, because an attacker would discover it. If you encrypt the key, you need yet another key to encrypt it with, which creates a new problem. In response to this need, another kind of encryption was developed: asymmetric-key encryption, also called public-key encryption.

    1.4.2. Public-key encryption

    In public-key encryption, two keys form a pair and work in a complementary way. A public-key encryption algorithm is a reversible algorithm: if one key performs the encryption, the other performs the decryption, and vice versa. Moreover, even if an attacker knows the algorithm and one key of the pair, they cannot determine the other key and decrypt the data.

    In public-key encryption, one key is called the public key and the other is called the private key.

    Data is encrypted with the public key and decrypted with the private key.

    The terms private key and public key describe the keys themselves: the public key may be known to many people, while the private key is kept secret and known only to its owner. As long as the private key is kept secret, public-key encryption continues to work well.

    Public-key encryption therefore solves the key distribution problem. For two parties to communicate, each needs to know the other's public key. Figure 1.2 shows how public-key encryption is used to send a secret message between two communicating parties. To make sure that the recipient (Alice in Figure 1.2) receives the right message, the message must be encrypted with Alice's public key. Only Alice can decrypt the message, because only Alice's private key can decrypt a message that was encrypted with her public key. Trying to decrypt the message with the wrong private key is hopeless.

    The public key cannot be used to decrypt the message, even though the message was encrypted with it.

    Figure 1.2: Public-key encryption

    In addition, the private key is used as a way of authenticating the sender. As Figure 1.3 shows, the sender can encrypt the message with their private key. The recipient uses the sender's public key to decrypt the message. If the message decrypts, the sender is authenticated, because only the sender can use their private key to encrypt the message.

    Figure 1.3: Public-key encryption used for authentication

    Unfortunately, public-key encryption algorithms need large keys to reach the same strength as symmetric-key encryption. As a result, public-key algorithms run more slowly and perform more complex computation than symmetric-key algorithms.

    Today public-key encryption and symmetric-key encryption are used side by side as components of the SSL network protocol. SSL is a widely used data encryption technique on the Internet. To transfer data between two parties, the public key is used to encrypt the symmetric key. In Figures 1.2 and 1.3 the secret message is in fact the private key.

    1.4.3. Cryptographic hash functions

    A cryptographic hash function, also called a message digest, is like a fingerprint of the data. A cryptographic hash algorithm compresses a large amount of data into a small unique value. The important difference between cryptographic hash functions and other hash functions is that it is practically impossible to compute the original data from the hash value, or to find another piece of data with the same hash value.


    Chapter 2

    OVERVIEW OF DATABASE ENCRYPTION

    This chapter presents the basic concepts of databases and database management systems and their role in today's information technology environment. It then sets out the security risks a database faces and examines the levels at which encryption can be applied to protect stored data.

    2.1. A brief summary of databases

    2.1.1. Definition of a database

    A database (CSDL) is a system of structured information stored on storage devices such as magnetic tape and magnetic disks, so that it can serve the simultaneous access needs of many users.

    Databases are closely tied to algebra, mathematical logic and several other fields.

    2.1.2. Advantages of databases

    - Duplication of information is reduced to a minimum, which ensures data consistency and integrity.

    - Data can be accessed in many different ways.

    - Information can be shared among many users.

    2.1.3. Problems a database must solve

    - Data ownership

    Data ownership shows in data security, in the ability to represent the semantic relationships in the data, and in the accuracy of the data. This means that those who use the database are responsible for keeping its information up to date.

    - Confidentiality and users' access rights

    Because many people are allowed to use the data at the same time, a mechanism is needed for confidentiality and for assigning database access rights. Multi-user operating systems and local network operating systems all provide such a mechanism.

    - Data contention

    Many people are allowed to access the database's data resources at the same time for different purposes, so a priority mechanism for data access is needed. It can be implemented by granting priority rights to individual users.

    - Keeping data safe when a failure occurs

    Managing data centrally can increase the chance of losing or corrupting information when a failure occurs, such as a sudden power cut or damage to part of the disk that stores the database. Some network operating systems provide disk mirroring and automatic checking and error recovery when a failure occurs. However, besides the operating system's services, a database must have its own mechanism for recovering data after unexpected failures in order to stay stable.

    2.1.4. Database users

    - Database users who are not specialists in computing or databases.

    - Database specialists who know how to work with the database. They can build different applications on the database for different purposes.

    - Database administrators, who understand computing, database management systems and computer systems. They organize the database, so they must have a firm grasp of its technical aspects in order to recover it after a failure. They grant database access rights, so they can resolve any data contention problems.

    2.1.5. Database management system

    To deal properly with the database organization problems described above, dedicated software is needed. Such software is called a database management system (DBMS). A DBMS supports database analysts and designers as well as those who use the database. DBMSs on the software market today that offer many utilities include MS Access, Visual Foxpro, SQL Server, Oracle, …

    Every DBMS is built on a specific data model. Whatever data model it is based on, a DBMS must bring together the following elements:

    - A language for communication between the user and the database, comprising:

      Data description language (DDL): declares the structure of the database, the relationships in the data and the management rules imposed on that data.

      Data manipulation language (DML): lets users update data (insert/modify/delete).

      Data query language (SQL): lets users query the information they need from the database.

      Data control language (DCL): lets system administrators change the structure of data tables, declare information security settings and grant database access rights to users.

    - A data dictionary:

      Describes the mappings and records the structural components of the database, the application programs, passwords, usage rights, …

    - A mechanism for resolving data contention:

      Each DBMS may implement its own mechanism for this. The following measures are commonly used: first, granting priority rights to individual users; second, marking data access requests and dividing time, so that whoever requests first gets access first, …

    - A mechanism for backing up and restoring data when a failure occurs.

      This can be done by having the DBMS automatically create a copy of the databases at regular intervals; this approach is somewhat costly, especially for large databases.

    - A friendly, easy-to-use interface.

    2.1.6. Applications of databases

    Today databases are part of almost every computing application, for example managing information systems in government agencies, storing and processing information in businesses, scientific research, teaching, and organizing multimedia information, …

    2.2. Information security in databases

    2.2.1. Why databases must be protected

    The database is the heart of a business. It is where valuable and important information is stored. A company's data may include financial records or other records essential to the organization's success, such as trade secrets and personal information that must be protected.

    The value of this sensitive information makes it a target for attackers. Successful attacks can cause businesses heavy financial damage, seriously harm reputation and customer relationships, and even destroy competitiveness, … Moreover, for an attacker, attacking the database is more rewarding than eavesdropping on network traffic, because data is usually encrypted in transit but stored in plaintext in the database.

    Information security in a database has 3 main elements: confidentiality, integrity and availability.

    - Ensuring confidentiality (secrecy) means preventing, detecting and deterring unauthorized access to information. In general, confidentiality is used to protect data in high-security environments such as important military or economic centres. It protects the privacy of the data.

    - Ensuring the integrity of information means preventing, detecting and deterring unauthorized modification of information.

    - Ensuring the availability of the system means preventing, detecting and deterring the unauthorized denial of legitimate access to services in the system.

    2.2.2. Attacks on databases

    Based on the attacker's position, attacks on databases can be divided into 2 types:

    - Internal attacks: the attacker is someone inside the organization (inside the firewall) who knows the network architecture.

    - External attacks: the attacker has to get past the firewall and IDS and does not know the network architecture.

    Internal attackers (who may include the database administrator) are an even greater threat than external attacks.

    a. Attacks on confidentiality

    An attack on confidentiality is one in which unauthorized users gain access to sensitive information in the database. The lowest level of control they can achieve is reading the database. For example, an attacker may control the whole database server, so they can download the entire database file and load it into a database engine to access the data like a normal user.

    To maintain data confidentiality, mandatory access control policy defined in the DBMS is a common way to protect the database. An access control policy can take different forms depending on the underlying database model and on how authorization is enforced, such as DAC, RBAC and MAC. However, access control is often misconfigured, which leaves gaps for users who want to abuse their rights, or an attacker may access the physical database file directly.

    Another way for an attacker to reach sensitive data is through insecure database backups. Database systems are usually backed up to avoid disastrous data loss. However, the backup data is often kept somewhere else, so an attacker can steal sensitive information from it.

    b. Attacks on integrity

    This type of attack makes unauthorized changes to information in the database. To carry it out, the attacker must be able to write to the database. For this type of attack we are therefore not concerned with attackers who can read the database.

    Some common attacks on integrity:

    - Attacks by malicious administrators
    - Damage caused by faulty applications
    - Use of stolen accounts that have write access to the database
    - Privilege escalation by some accounts

    2.2.3. Database protection methods

    It is not unusual for a database to store sensitive and critical information, so its content needs full levels of protection. Database protection methods are divided into 4 layers:

    - Physical security
    - Operating system security
    - Database management system security
    - Encryption

    Using only the first 3 layers is not enough to secure the database, because the data is stored in plaintext, in readable form. Anyone with access to the database, including the DBA, can therefore read the data.

    Typical techniques for protecting data in a database include firewalls, intrusion detection systems and access control. However, firewalls and intrusion detection systems only provide protection at the network layer. Access control also becomes useless once an attacker gains access to the raw data by bypassing the traditional mechanisms. Such attacks are very easy for insiders such as system administrators and DBAs.

    One of the more advanced methods that organizations are adopting to address the challenge of sensitive data exposure, especially in banking, finance, insurance, government and healthcare, is database encryption.

    The best way to secure data at rest is therefore encryption. Encryption provides the most effective defence for protecting the data and at the same time adds security to the other methods.

    2.2.4. Applying encryption

    In the spirit of an important principle called defence in depth (that is, layered defence in which the attacker has to get through one layer of protection after another), the use of cryptographic techniques to complement and reinforce access control has recently received a lot of attention from the database community. The purpose of database encryption is to ensure the opacity of the database by keeping information hidden from anyone who is not authorized (for example, intruders). Even if attackers get past the FW and bypass the access control policies, they still do not have the key to decrypt the data.

    Database encryption protects the confidentiality and integrity of stored data.

    Database encryption brings the following benefits:

    - Ensures the confidentiality of customers who use the company's services
    - The simplest and most effective way to meet requirements
    - Secures the company's most valuable data
    - Improves data security protection
    - Reduces data security risks
    - Safeguards business operations
    - Maintains competitiveness
    - Secures outsourced data
    - Meets governance requirements and regulations

    2.3. Encryption levels

    2.3.1. Storage-level encryption

    Storage-level encryption amounts to encrypting data in the storage subsystem and so protects stored data (for example, from theft of storage media). It is well suited to encrypting files and whole directories in an operating system context. From a database point of view, storage-level encryption has the advantage of being transparent, so it avoids any change to existing applications. On the other hand, because the storage subsystem knows nothing about database structure and objects, the encryption strategy cannot be related to user privileges (for example, by using separate keys for separate users) or to data sensitivity. Selective encryption, that is encrypting only part of the database to reduce the cost of encryption, is therefore limited to file granularity. Moreover, selecting which files to encrypt is risky, because one has to make sure that no copy of sensitive data remains unencrypted (for example, in log files or temporary files).

    2.3.2. DBMS-level encryption

    DBMS-level encryption secures the data as it is inserted into, or retrieved from, the database. The encryption strategy is part of the database design and can be tied to the sensitivity of the data and/or to user privileges. Selective encryption can be performed at various granularities, such as tables, columns and rows. It can even be tied to logical conditions (for example, encrypting salaries greater than 1000$ per month). Depending on how tightly the encryption feature is integrated with the DBMS, the encryption process may require changes to applications. Furthermore, encryption can degrade DBMS performance, because encryption generally prevents the use of indexes on the encrypted data. Indeed, unless a specific algorithm or a specific encryption mode is used, indexing encrypted data is useless.

    With both of the levels above, data is decrypted on the database server at run time. The encryption keys must therefore be transmitted to, or stored with, the encrypted data on the server side, so these two levels offer limited protection against attacks by the server administrator or by any intruder who usurps administrative rights. Indeed, an attacker could also scan memory and discover the encryption keys or the plaintext.

    2.3.3. Application-level encryption

    Application-level encryption moves the encryption/decryption process to the application that presents the data. Encryption is performed in the application, the data is sent in encrypted form, it is therefore naturally stored and retrieved in encrypted form, and it is finally decrypted in the application. This approach has the benefit of separating the encryption keys from the encrypted data stored in the database, since the keys never have to leave the application side. However, applications must be modified to adopt this solution. In addition, depending on the granularity of the encryption, the application may have to retrieve a larger amount of data than the user actually needs, which opens a security hole. Indeed, any user (or an attacker who gains access to the machine on which the application runs) may hack the application to access data without authorization. Finally, as a method it incurs a performance cost and prevents the use of some advanced database features on the encrypted data, such as stored procedures (code stored in the DBMS that can be shared and invoked by several applications) and triggers (code that fires automatically when data in the database is modified). In terms of granularity and key management, application-level encryption offers the greatest flexibility, because the encryption granularity and the encryption keys can be chosen according to the application logic.

    The three methods described above are illustrated in Figure 2.1.

    Figure 2.1: Three options for database encryption levels

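    2.3.4. Encryption algorithms and modes of operation

    Depending on the encryption strategy, the security of encrypted data depends on the encryption algorithm, the size of the encryption key and the protection of the encryption key. Even when a strong algorithm such as AES is used, the ciphertext can still be exposed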

    Figure 2.2: Key management approaches

    To solve this problem, dedicated tamper-resistant cryptographic chipsets, called hardware security modules (HSM), can be used to provide secure storage for the encryption keys. In general, the encryption keys are stored on the server, encrypted under a master key that is kept in the HSM. At encryption/decryption time, the encrypted keys are dynamically decrypted by the HSM (using the master key) and transferred to the server's memory as soon as the cryptographic operation is performed, as in Figure 2.2.a.

    An alternative solution is to move the security-related tasks to software running on a different (physical) server, called the security server, as in Figure 2.2.b. The security server then manages users, roles, privileges, encryption policies and encryption keys (relying entirely on the HSM). Within the DBMS, a security module communicates with the security server to authenticate users, check privileges, and encrypt or decrypt data. The encryption keys can then be linked to users or to user privileges. A clear distinction is also drawn between the role of the DBA, who manages the database resources, and the role of the SA (Security Administrator), who manages the security parameters. The gain in confidence comes from the fact that an attack requires collusion between the DBA and the SA.

    While adding a security server or an HSM minimizes the exposure of the encryption keys, it does not fully protect the database. Indeed, the encryption keys, as well as the encrypted data, still appear in the memory of the database server and can be the target of an attacker.

    Chapter 3

    DATABASE ENCRYPTION IN THE ORACLE 9i DBMS

    The Oracle database management system is a large DBMS that is now quite widely used in enterprises. It provides a high level of security for the database. Among its features, a data encryption mechanism has been provided by Oracle since version 8i: the DBMS_OBFUSCATION_TOOLKIT package. This chapter therefore presents Oracle's data encryption capabilities and the issues surrounding them.

    3.1. Introduction to the Oracle 9i database management system

    3.1.1. History of Oracle

    First, let us go back through the history to understand Oracle better.

    - 1977: Relational Software Inc. is founded.
    - 1978: The first version, Oracle v1, runs on the PDP-11 operating system of the RSX machine (a DEC line), can use at most 128 KB of memory, and is written in Assembly. Oracle v1 is used only inside the company and is not released externally.
    - 1980: Oracle v2 is released. It is also the first commercial database system to use the SQL language. This version is still written in Assembly for the PDP-11, but it also runs on Vax/VMS.
    - 1982: Oracle v3 is released. Oracle becomes the first DBMS to run on mainframes, minicomputers and PCs (portable codebase). It is the first Oracle version able to work "transactionally". Oracle v3 is written in C.
    - 1983: Relational Software Inc. is renamed Oracle Corporation.
    - 1984: Oracle v4 is released, introducing the "read consistency" feature. It can run on many operating systems and is also the first version to run in the PC - Server model.
    - 1986: Oracle v5 is released. It is a true client/server database and supports clustering on VAX. It is the first database to use distributed queries.
    - 1988: Oracle v6 is released, introducing the PL/SQL language. Oracle also introduces an application product built on the Oracle database: Oracle Financial Applications.
    - 1989: Oracle v6.2 is released with a parallel feature: Oracle Parallel Server.
    - 1992: Oracle v7 is released, running on UNIX.
    - 1993: An application development tool set is released: Oracle's Cooperative Development Environment (CDE). "Oracle Industries" and "Oracle Media Server" are introduced.
    - 1994: Oracle v7.1 and Oracle v7 for the PC are released.
    - 1997: Oracle8 is released, introducing the object-relational database.
    - 1998: A version for Intel Linux is released.
    - 1999: Oracle8i is released (i = internet), integrated with the Java virtual machine (JVM).
    - 2000: Oracle8i Release 2 is released. Besides Oracle Database, Oracle also develops an ERP application suite for enterprises. Oracle9i Application Server, a middle-tier product, is released.
    - 2001: Oracle9i Release 1 is released with the Cluster feature (RAC) and Advanced Analytic Service.
    - 2002: Oracle9i Release 2 is released.
    - 2004: Oracle10g Release 1 is released (g = grid).
    - 2005: Oracle10g Release 2 is released.

    Advantages of Oracle

    Many people think that Oracle is used only by large enterprises and is therefore not suitable for Vietnam. This is completely wrong. Oracle targets not only large enterprises but also medium-sized and even small ones. Specifically, Oracle Server comes in a full range of commercial editions, from Personal and Standard to Enterprise (there is also Oracle Lite).

    - For enterprises: Oracle offers clear advantages such as high security, high data safety, easy maintenance and upgrading, a clear privilege mechanism, stability, and so on.
    - For developers: Oracle also offers clear advantages such as being easy to install, easy to deploy and easy to upgrade to a new version. In addition, Oracle integrates PL/SQL, a structured programming language (Structure Language), which makes it convenient for programmers to write Triggers, StoreProcedures and Packages. This is a very strong point compared with the other databases on the market.

    Besides the usual data types, Oracle has other special data types that contribute to its power, such as Blob, Clob, Bfile, and so on.

    Furthermore, you can deploy Oracle on many different operating systems (Windows, Solaris, Linux, ...) without having to rewrite the PL/SQL code. A dumpFile (backupFile) can be imported from a machine running one operating system to another operating system, or from a lower version to a higher version, without any obstacle (the reverse is also possible as long as you do not use features that are new relative to the earlier version).

    The Oracle database is being used more and more widely in Vietnam. Many database systems at government bodies and large enterprises use Oracle for data storage. Some of the bodies and enterprises that use Oracle:

    - Government sector: Ministry of Finance, General Department of Taxation, State Treasury
    - Telecommunications sector: Viettel (the Military Telecommunications Corporation); units of the Vietnam Posts and Telecommunications Group (VNPT) such as Mobifone, Vinaphone and Hanoi Telecom
    - Banking sector: Vietcombank, Techcombank, BIDV, SeABank
    - Securities sector: SeABS, VPBS, Click and Phone
    - Foreign enterprise sector: Toyota Vietnam, Honda Vietnam, Jamil Steel

    3.2. The stored-data encryption solution in Oracle 9i

    To solve the problem of encrypting sensitive information before it is stored in the database, Oracle9i provides a PL/SQL package for encrypting and decrypting stored data. This is the DBMS_OBFUSCATION_TOOLKIT package, which is provided in both Oracle9i Standard Edition and Oracle9i Enterprise Edition.

    3.2.1. Data encryption capabilities of Oracle 9i

    Currently, the DBMS_OBFUSCATION_TOOLKIT package supports bulk data encryption using the DES (Data Encryption Standard) algorithm, and includes procedures to encrypt (DESEncrypt) and decrypt (DESDecrypt) using DES. The package also includes functions to encrypt and decrypt using two-key and three-key DES, in CBC mode.

    The DBMS_OBFUSCATION_TOOLKIT package also includes a cryptographic checksum capability (MD5) and the ability to generate secure random numbers (GetKey). Secure random number generation is an important part of cryptography; predictable keys are easily guessed keys, and easily guessed keys can lead to easy decryption of the data. Most cryptanalysis is done by finding weak keys or poorly stored keys, rather than through analysis of the algorithm (cycling through all possible keys).

    Key management is programmatic. That is, the application (the caller of the encryption function) must supply the encryption key, which means that the application developer must find a way to store and retrieve the key securely. The DBMS_OBFUSCATION_TOOLKIT package, which can handle both string and raw data, requires a 64-bit key to be supplied.

    Oracle installs the DBMS_OBFUSCATION_TOOLKIT package in the SYS schema, and access to it is granted to the PUBLIC role by default. Oracle recommends that this privilege be revoked. You can then grant the right to use the package to users and roles as needed.

    3.2.1.1. The algorithms

    a. The DES algorithm

    The DES algorithm, also called the DEA algorithm by the American National Standards Institute (ANSI) and DEA-1 by the International Organization for Standardization (ISO), has been a worldwide encryption standard for more than 20 years. The banking industry has adopted DES-based standards for transactions between financial institutions, and between financial institutions and individuals.

    DES is a symmetric encryption algorithm; that is, it uses the same key to encrypt and to decrypt data. DES encrypts 64-bit blocks of data with a 56-bit key. The DES algorithm ignores 8 of the 64 key bits; however, developers must supply a 64-bit key to the algorithm. DES encrypts information in 16 rounds; in each round, one half of the block is transformed and permuted by a complex process.

    Today DES is considered insufficiently secure for many applications. The main reason is that the 56-bit key length is too small. DES keys have been broken in less than 24 hours. There are also many analytical results that show theoretical weaknesses of the cipher that could lead to key recovery, although they are not feasible in practice. The algorithm that is believed to be secure in practice is Triple DES (performing DES three times), although in theory this method can still be broken. Recently DES has been replaced by AES (Advanced Encryption Standard).

    b. The 3DES algorithm

    3DES (Triple DES) is a block cipher in which each 64-bit block of information is encrypted three times in succession with the DES algorithm, using 2 or 3 different keys.

    Operation  | 3 keys              | 2 keys
    -----------|---------------------|--------------------
    Encryption | E_k3(D_k2(E_k1(m))) | E_k1(D_k2(E_k1(m)))
    Decryption | D_k3(E_k2(D_k1(m))) | D_k1(E_k2(D_k1(m)))

    Table 3.1: Operation of TripleDES

    c. Cipher block chaining mode - CBC

    Figure 2.3: Cipher block chaining (CBC) mode

    CBC mode rules out dictionary attacks by using the content of the previous block to encrypt the current block. During encryption, each plaintext block is XORed with the previous ciphertext block, and an initialization vector (IV) is used as the first block (Figure 2.3.a). In this way the last block depends on all the blocks before it. Decryption is similar, as in Figure 2.3.b, but each block depends only on the previous block, not on all the blocks. Decryption can therefore be performed in parallel, which makes decryption faster than encryption.

    Advantages and disadvantages of CBC mode

    - Each ciphertext block depends on all the plaintext blocks
    - A change in the message carries over into a change in every ciphertext block
    - It needs an initial vector value IV that is known in advance to both the sender and the receiver

    d. The MD5 hash function

    MD5 (Message-Digest algorithm 5) is a cryptographic hash function with a 128-bit hash value. Once regarded as a standard on the Internet, MD5 has been widely used in network security programs, and it is also commonly used to check the integrity of files.

    MD5 was designed by Ronald Rivest in 1991 to replace the earlier hash function MD4 (also designed by him; before that came MD2).

    MD5 has 2 important applications:

    1/ MD5 is widely used in the software world to make sure that a downloaded file is not corrupted. Users can compare the published MD5 checksum of the software with the MD5 checksum of the software they downloaded.

    2/ MD5 is used to encrypt passwords. The purpose of this encryption is to transform a password string into a different code, such that the password cannot be traced back from that code. This means that decryption is impossible, or would take an endless amount of time (enough to discourage hackers).

    3.2.1.2. Summary of the subprograms of the DBMS_OBFUSCATION package

    Subprogram                           | Description
    -------------------------------------|---------------------------------------------------------------
    DES3DECRYPT Procedures and Functions | Produces the decrypted form of the input data.
    DES3ENCRYPT Procedures and Functions | Produces the encrypted form of the input data by passing it through the TripleDES encryption algorithm.
    DES3GETKEY Procedures and Functions  | Takes a random value and uses it to generate an encryption key, using TripleDES.
    DESDECRYPT Procedures and Functions  | Produces the decrypted form of the input data.
    DESENCRYPT Procedures and Functions  | Produces the encrypted form of the input data.
    DESGETKEY Procedures and Functions   | Takes a random value and uses it to generate an encryption key.
    MD5 Procedures and Functions         | Produces the MD5 hash of the data.

    Table 3.2: The subprograms of the DBMS_OBFUSCATION package

    a. DES3DECRYPT procedures and functions

    These subprograms produce the decrypted form of the input data.

    Syntax

    DBMS_OBFUSCATION_TOOLKIT.DES3DECRYPT(
       input            IN  RAW,
       key              IN  RAW,
       decrypted_data   OUT RAW,
       which            IN  PLS_INTEGER DEFAULT TwoKeyMode,
       iv               IN  RAW         DEFAULT NULL);

    DBMS_OBFUSCATION_TOOLKIT.DES3DECRYPT(
       input_string     IN  VARCHAR2,
       key_string       IN  VARCHAR2,
       decrypted_string OUT VARCHAR2,
       which            IN  PLS_INTEGER DEFAULT TwoKeyMode,
       iv_string        IN  VARCHAR2    DEFAULT NULL);

    DBMS_OBFUSCATION_TOOLKIT.DES3DECRYPT(
       input            IN  RAW,
       key              IN  RAW,
       which            IN  PLS_INTEGER DEFAULT TwoKeyMode,
       iv               IN  RAW         DEFAULT NULL)
    RETURN RAW;

    DBMS_OBFUSCATION_TOOLKIT.DES3DECRYPT(
       input_string     IN  VARCHAR2,
       key_string       IN  VARCHAR2,
       which            IN  PLS_INTEGER DEFAULT TwoKeyMode,
       iv_string        IN  VARCHAR2    DEFAULT NULL)
    RETURN VARCHAR2;

    Parameters

    Parameter        | Description
    -----------------|------------------------------------------------------------
    input            | Encrypted data
    key              | Decryption key
    decrypted_data   | Decrypted data
    which            | If 0 (the default), TwoKeyMode is used. If 1, ThreeKeyMode is used.
    iv               | Initialization vector
    input_string     | String to decrypt
    key_string       | Decryption key string
    decrypted_string | Decrypted string
    iv_string        | Initialization vector string

    Table 3.3: Parameters of DES3DECRYPT for raw data

    Usage notes:

    If the input data or the key passed to the DES3DECRYPT procedure is empty, the procedure raises the error ORA-28231 "Invalid input to Obfuscation toolkit."

    If the input data passed to the DES3DECRYPT procedure is not a multiple of 8 bytes, the procedure raises the error ORA-28232 "Invalid input size for Obfuscation toolkit." The error ORA-28233 does not apply to the DES3DECRYPT function.

    If the key length is less than 8 bytes, the procedure raises the error ORA-28234 "Key length too short." Note that if a longer key is used, the extra bytes are ignored. A 9-byte key therefore does not raise an exception.

    If an incorrect value is specified for the which parameter, the error ORA-28236 "Invalid Triple DES mode" is raised. Only the values 0 (for TwoKeyMode) and 1 (for ThreeKeyMode) are valid.

    Restrictions

    You must supply a 128-bit key for the 2-key implementation (of which only 112 bits are used), or a 192-bit key for the 3-key implementation (of which only 168 bits are used). Oracle automatically splits the supplied key into 56-bit lengths for decryption. These key lengths are fixed and cannot be changed.

    The restriction on key length and the prevention of multiple encryption are requirements of the U.S. regulations on the export of cryptographic products.

    b. DES3ENCRYPT procedures and functions

    These subprograms produce the encrypted form of the input data by passing the data through the Triple DES (3DES) encryption algorithm.

    Oracle's implementation of 3DES supports a 2-key or a 3-key implementation, in cipher block chaining (CBC) mode.

    Syntax

    DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
       input            IN  RAW,
       key              IN  RAW,
       encrypted_data   OUT RAW,
       which            IN  PLS_INTEGER DEFAULT TwoKeyMode,
       iv               IN  RAW         DEFAULT NULL);

    DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
       input_string     IN  VARCHAR2,
       key_string       IN  VARCHAR2,
       encrypted_string OUT VARCHAR2,
       which            IN  PLS_INTEGER DEFAULT TwoKeyMode,
       iv_string        IN  VARCHAR2    DEFAULT NULL);

    DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
       input            IN  RAW,
       key              IN  RAW,
       which            IN  PLS_INTEGER DEFAULT TwoKeyMode,
       iv               IN  RAW         DEFAULT NULL)
    RETURN RAW;

    DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
       input_string     IN  VARCHAR2,
       key_string       IN  VARCHAR2,
       which            IN  PLS_INTEGER DEFAULT TwoKeyMode,
       iv_string        IN  VARCHAR2    DEFAULT NULL)
    RETURN VARCHAR2;

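    Parameters

    Parameter        | Description
    -----------------|------------------------------------------------------------
    input            | Data to encrypt
    key              | Encryption key
    encrypted_data   | Encrypted data
    which            | If 0 (the default), TwoKeyMode is used. If 1, ThreeKeyMode is used.
    iv               | Initialization vector
    input_string     | String to encrypt
    key_string       | Encryption key string
    encrypted_string | Encrypted string
    iv_string        | Initialization vector string

    Table 3.4: Parameters of the DES3ENCRYPT procedures and functions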

    Usage notes:

    If you use the 3DES algorithm with the 2-key implementation, you must supply a 128-bit key as a parameter of the DES3ENCRYPT procedure. With the 3-key implementation, you must supply a 192-bit key. Oracle then splits the supplied key into two 64-bit keys or three 64-bit keys. The DES3ENCRYPT procedure uses the 2-key implementation by default.

    There is also the option of supplying an initialization vector (IV) to the DES3ENCRYPT procedure. An initialization vector is a block of random data prepended to the data that you intend to encrypt. The initialization vector has no meaning; it only makes each message unique. Prepending an IV to the input data avoids starting the encrypted blocks with identical header information, which could give cryptanalysts information they can use to decrypt the data.

    If the input data or the key passed to the DES3ENCRYPT procedure is empty, the procedure raises the error ORA-28231 "Invalid input to Obfuscation toolkit."

    If you try to double-encrypt data using the DES3ENCRYPT procedure, the procedure raises the error ORA-28233 "Double encryption not supported."

    If the key length is less than 8 bytes, the procedure raises the error ORA-28234 "Key length too short." Note that if the key length is greater than 8 bytes, the excess is ignored. A 9-byte key is therefore not treated as an exception.

    If an incorrect value is specified for the which parameter, the error raised is ORA-28236 "Invalid Triple DES mode". Only the value 0 (TwoKeyMode) and the value 1 (ThreeKeyMode) are valid.

    Restrictions:

    The DES3ENCRYPT procedure has 2 restrictions. The first is that the DES key length for the encryption algorithm is fixed at 128 bits (for 2-key DES) or 192 bits (for 3-key DES); the length of these keys cannot be changed.

    The second restriction is that you cannot perform multiple passes of encryption using 3DES. (Note: the 3DES algorithm itself encrypts the data multiple times; however, you cannot call the DES3ENCRYPT function itself more than once to encrypt the same data using 3DES.)

    c. DES3GETKEY procedures and functions

    These subprograms take a random value and use that value to generate an encryption key. For TripleDES, you specify the mode so that the returned key has the appropriate length.

    Syntax:

    DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(
       which        IN  PLS_INTEGER DEFAULT TwoKeyMode,
       seed         IN  RAW,
       key          OUT RAW);

    DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(
       which        IN  PLS_INTEGER DEFAULT TwoKeyMode,
       seed_string  IN  VARCHAR2,
       key          OUT VARCHAR2);

    DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(
       which        IN  PLS_INTEGER DEFAULT TwoKeyMode,
       seed         IN  RAW)
    RETURN RAW;

    DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(
       which        IN  PLS_INTEGER DEFAULT TwoKeyMode,
       seed_string  IN  VARCHAR2)
    RETURN VARCHAR2;

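    Parameters:

    Parameter   | Description
    ------------|------------------------------------------------------------
    which       | If 0 (the default), TwoKeyMode is used. If 1, ThreeKeyMode is used.
    seed        | A value of at least 80 characters
    key         | Encryption key
    seed_string | A value of at least 80 characters
    key         | Encryption key

    Table 3.5: Parameters of the DES3GETKEY procedures and functions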
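
    The Triple DES calls documented above, put together as an added example (not code from the original document or from Oracle): a key is obtained from DES3GetKey rather than DBMS_RANDOM, the input is padded to the 8-byte multiple that ORA-28232 demands, and the value is encrypted and decrypted in ThreeKeyMode. The padding scheme, the seed and the sample value are assumptions made for the example.

```sql
SET SERVEROUTPUT ON

DECLARE
  c_three_key CONSTANT PLS_INTEGER := 1;  -- which = 1 selects ThreeKeyMode
  c_block     CONSTANT PLS_INTEGER := 8;  -- DES block size in bytes

  -- Constructed 80-byte demo seed; a real seed must come from an
  -- unpredictable source and must never be hard-coded.
  v_seed   RAW(80)   := UTL_RAW.CAST_TO_RAW(RPAD('constructed-demo-seed', 80, '#'));
  v_key    RAW(24);                                            -- 192-bit key
  v_plain  RAW(2000) := UTL_RAW.CAST_TO_RAW('000-12-3456');    -- constructed, 11 bytes
  v_cipher RAW(2008);
  v_back   RAW(2008);

  e_bad_size  EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_bad_size, -28232);   -- input not a multiple of 8 bytes
  e_short_key EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_short_key, -28234);  -- key length too short

  -- Padding chosen for this example (an assumption, not part of the toolkit):
  -- append n bytes of value n (1..8) so the length is a multiple of 8.
  FUNCTION pad(p_data IN RAW) RETURN RAW IS
    n PLS_INTEGER := c_block - MOD(UTL_RAW.LENGTH(p_data), c_block);
  BEGIN
    RETURN UTL_RAW.CONCAT(p_data, UTL_RAW.COPIES(HEXTORAW('0' || TO_CHAR(n)), n));
  END pad;

  -- Reverse of pad(); a bad pad byte means a wrong key or damaged data.
  FUNCTION unpad(p_data IN RAW) RETURN RAW IS
    v_len PLS_INTEGER := UTL_RAW.LENGTH(p_data);
    n     PLS_INTEGER := TO_NUMBER(RAWTOHEX(UTL_RAW.SUBSTR(p_data, v_len, 1)), 'XX');
  BEGIN
    IF n < 1 OR n > c_block OR n > v_len THEN
      RAISE_APPLICATION_ERROR(-20001, 'bad padding: wrong key or corrupted data');
    END IF;
    IF n = v_len THEN
      RETURN NULL;                         -- the value was empty before padding
    END IF;
    RETURN UTL_RAW.SUBSTR(p_data, 1, v_len - n);
  END unpad;
BEGIN
  -- Key generation through the toolkit's GetKey routine.
  v_key := DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(which => c_three_key, seed => v_seed);

  -- Round trip; iv is left at its default of NULL.
  v_cipher := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
                input => pad(v_plain), key => v_key, which => c_three_key);
  v_back   := unpad(DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
                input => v_cipher, key => v_key, which => c_three_key));

  DBMS_OUTPUT.PUT_LINE('ciphertext bytes: ' || UTL_RAW.LENGTH(v_cipher));
  IF UTL_RAW.COMPARE(v_back, v_plain) = 0 THEN
    DBMS_OUTPUT.PUT_LINE('round trip ok');
  ELSE
    DBMS_OUTPUT.PUT_LINE('round trip FAILED');
  END IF;

  -- Failure mode 1: the 11-byte value without padding is rejected.
  BEGIN
    v_cipher := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
                  input => v_plain, key => v_key, which => c_three_key);
  EXCEPTION
    WHEN e_bad_size THEN
      DBMS_OUTPUT.PUT_LINE('unpadded input rejected (ORA-28232)');
  END;

  -- Failure mode 2: a key shorter than 8 bytes is rejected.
  BEGIN
    v_cipher := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
                  input => pad(v_plain),
                  key   => UTL_RAW.SUBSTR(v_key, 1, 4),
                  which => c_three_key);
  EXCEPTION
    WHEN e_short_key THEN
      DBMS_OUTPUT.PUT_LINE('short key rejected (ORA-28234)');
  END;
END;
/
```

    The key never leaves the PL/SQL block here; in an application it still has to be stored and transmitted by the caller, which is the problem the key management section deals with.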

    d. DESDECRYPT procedures and functions

    These subprograms produce the decrypted form of the input data.

    Syntax:

    DBMS_OBFUSCATION_TOOLKIT.DESDecrypt(
       input            IN  RAW,
       key              IN  RAW,
       decrypted_data   OUT RAW);

    DBMS_OBFUSCATION_TOOLKIT.DESDecrypt(
       input_string     IN  VARCHAR2,
       key_string       IN  VARCHAR2,
       decrypted_string OUT VARCHAR2);

    DBMS_OBFUSCATION_TOOLKIT.DESDecrypt(
       input            IN  RAW,
       key              IN  RAW)
    RETURN RAW;

    DBMS_OBFUSCATION_TOOLKIT.DESDecrypt(
       input_string     IN  VARCHAR2,
       key_string       IN  VARCHAR2)
    RETURN VARCHAR2;

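    Parameters:

    Parameter        | Description
    -----------------|----------------------
    input            | Data to decrypt
    key              | Decryption key
    decrypted_data   | Decrypted data
    input_string     | String to decrypt
    key_string       | Decryption key string
    decrypted_string | Decrypted string

    Table 3.6: Parameters of the DESDECRYPT procedures and functions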

    Usage notes:

    If the input data or the key passed to the DESDECRYPT function is empty, Oracle raises the error ORA-28231 "Invalid input to Obfuscation toolkit."

    If the input data passed to the DES3DECRYPT procedure is not a multiple of 8 bytes, the procedure raises the error ORA-28232 "Invalid input size for Obfuscation toolkit."

    If the key length is less than 8 bytes, the procedure raises the error ORA-28234 "Key length too short." Note that if the key length is greater than 8 bytes, the excess is ignored. A 9-byte key is therefore not treated as an exception.

    Note:

    The error ORA-28233 does not apply to the DESDECRYPT function.

    Restrictions:

    The DES key length for encryption is fixed at 64 bits (of which 56 bits are used); the key length cannot be changed.

    e. DESENCRYPT procedures and functions

    These subprograms produce the encrypted form of the input data.

    Syntax

    DBMS_OBFUSCATION_TOOLKIT.DESEncrypt(
       input            IN  RAW,
       key              IN  RAW,
       encrypted_data   OUT RAW);

    DBMS_OBFUSCATION_TOOLKIT.DESEncrypt(
       input_string     IN  VARCHAR2,
       key_string       IN  VARCHAR2,
       encrypted_string OUT VARCHAR2);

    DBMS_OBFUSCATION_TOOLKIT.DESEncrypt(
       input            IN  RAW,
       key              IN  RAW)
    RETURN RAW;

    DBMS_OBFUSCATION_TOOLKIT.DESEncrypt(
       input_string     IN  VARCHAR2,
       key_string       IN  VARCHAR2)
    RETURN VARCHAR2;

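    Parameters

    Parameter        | Description
    -----------------|----------------------
    input            | Data to encrypt
    key              | Encryption key
    encrypted_data   | Encrypted data
    input_string     | String to encrypt
    key_string       | Encryption key string
    encrypted_string | Decrypted string

    Table 3.7: Parameters of the DESENCRYPT procedures and functions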

    Usage notes:

    The DES algorithm encrypts data in 64-bit blocks using a 56-bit key. The DES algorithm discards 8 bits of the supplied key. However, when using the algorithm you must supply 64 bits, otherwise an error is raised.

    If the input data or the key passed to the DESEncrypt function is empty, Oracle raises the error ORA-28231 "Invalid input to Obfuscation toolkit."

    If the input data passed to the DESENCRYPT procedure is not a multiple of 8 bytes, the procedure raises the error ORA-28232 "Invalid input size for Obfuscation toolkit."

    If you try to encrypt data twice using the DESENCRYPT procedure, the procedure raises the error ORA-28233 "Double encryption not supported."

    If the key length is less than 8 bytes, the procedure raises the error ORA-28234 "Key length too short." Note that if the key length is greater than 8 bytes, the excess is ignored. A 9-byte key is therefore not treated as an exception.

    Restrictions:

    The DESENCRYPT procedure has the following restrictions:

    - The DES key length for encryption is fixed at 56 bits; the key length cannot be changed.
    - Multiple encryption cannot be performed. That is, you cannot go on to encrypt data that is already encrypted by calling the function twice.

    f. DESGETKEY procedures and functions

    These subprograms take a random value and use this value to generate an encryption key.

    Syntax

    DBMS_OBFUSCATION_TOOLKIT.DESGetKey(
       seed         IN  RAW,
       key          OUT RAW);

    DBMS_OBFUSCATION_TOOLKIT.DESGetKey(
       seed_string  IN  VARCHAR2,
       key          OUT VARCHAR2);

    DBMS_OBFUSCATION_TOOLKIT.DESGetKey(
       seed         IN  RAW)
    RETURN RAW;

    DBMS_OBFUSCATION_TOOLKIT.DESGetKey(
       seed_string  IN  VARCHAR2)
    RETURN VARCHAR2;

    Parameters

    Parameter   | Description
    ------------|----------------------------------
    seed        | A value of at least 80 characters
    key         | Encryption key
    seed_string | A value of at least 80 characters
    key         | Encryption key

    Table 3.8: Parameters of the DESGETKEY procedures and functions

    g. MD5 procedures and functions

    These subprograms produce MD5 hash values of the data. The MD5 algorithm ensures data integrity by producing a cryptographic message digest value from the given data.

    Syntax

    DBMS_OBFUSCATION_TOOLKIT.MD5(
       input            IN  RAW,
       checksum         OUT raw_checksum);

    DBMS_OBFUSCATION_TOOLKIT.MD5(
       input_string     IN  VARCHAR2,
       checksum_string  OUT varchar2_checksum);

    DBMS_OBFUSCATION_TOOLKIT.MD5(
       input            IN  RAW)
    RETURN raw_checksum;

    DBMS_OBFUSCATION_TOOLKIT.MD5(
       input_string     IN  VARCHAR2)
    RETURN varchar2_checksum;

    Parameters:

    Parameter       | Description
    ----------------|-----------------------
    input           | Data to hash
    checksum        | 128-bit message digest
    input_string    | Data to hash
    checksum_string | 128-bit message digest

    Table 3.9: Parameters of the MD5 procedures and functions

    3.2.2. Challenges of data encryption

    Even in cases where encryption does add security, there are still challenges that are not technical in nature. These challenges include:

    - Encrypting indexed data
    - Key management
    - Key transmission
    - Key storage
    - Changing encryption keys
    - Binary large objects (BLOB)

    3.2.2.1. Encrypting indexed data

    Special difficulties arise when handling encrypted data that is indexed. For example, suppose a company uses a national identity number (such as the U.S. Social Security number) as the employee number for the employees in the company. The company regards employee numbers as very sensitive data and therefore wants to encrypt the data in the EMPLOYEE_NUMBER column of the EMPLOYEES table. Because the EMPLOYEE_NUMBER column contains unique values, the database designers want to build an index on it to improve performance.

    However, if the DBMS_OBFUSCATION_TOOLKIT package (or another mechanism) is used to encrypt the data in a column, an index on that column will also contain encrypted values. Although such an index can be used for equality checks (for example, SELECT * FROM emp WHERE employee_number = '123245'), if the index on the column contains encrypted values, the index is essentially unusable for any other purpose. Oracle therefore recommends that developers not encrypt indexed data.

    One way to solve this problem, for companies that want to encrypt national identity numbers, is to create a substitute: a unique identification number for each of their employees. The company can then create an index on these substitute employee numbers and keep them in clear text. The corresponding national identity numbers can be placed in a separate column that is not indexed, and the values in it can be encrypted by an application that can also handle decryption appropriately. In this way, the national identity number can be obtained when needed without being used as the unique number that identifies an employee.
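
    The substitute-number design described above, sketched as an added example (not from the original document or from Oracle). The table, column, sequence and subprogram names are hypothetical, and the 24-byte key is assumed to be supplied by the application, which is responsible for storing it.

```sql
-- Hypothetical schema and names, for illustration only.
CREATE TABLE employees (
  employee_id     NUMBER(10)    NOT NULL,  -- substitute number, stored in clear
  full_name       VARCHAR2(100) NOT NULL,
  national_id_enc RAW(16)       NOT NULL,  -- 3DES ciphertext, deliberately unindexed
  CONSTRAINT employees_pk PRIMARY KEY (employee_id)  -- the only index on the table
);

CREATE SEQUENCE employees_seq;

CREATE OR REPLACE PROCEDURE add_employee (
  p_name        IN VARCHAR2,
  p_national_id IN VARCHAR2,
  p_key         IN RAW          -- 24-byte key held by the application (assumption)
) IS
  v_plain RAW(16);
  v_enc   RAW(16);
BEGIN
  -- Reject values that would be truncated or would overflow the fixed width.
  IF p_national_id IS NULL
     OR LENGTHB(p_national_id) > 16
     OR LENGTHB(p_national_id) <> LENGTH(p_national_id) THEN
    RAISE_APPLICATION_ERROR(-20001,
      'national id must be 1 to 16 single-byte characters');
  END IF;

  -- Fixed-width field: right-pad with spaces to 16 bytes (two DES blocks),
  -- so the input is always a multiple of 8 bytes.
  v_plain := UTL_RAW.CAST_TO_RAW(RPAD(p_national_id, 16));
  v_enc   := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
               input => v_plain, key => p_key, which => 1);  -- ThreeKeyMode

  INSERT INTO employees (employee_id, full_name, national_id_enc)
  VALUES (employees_seq.NEXTVAL, p_name, v_enc);
END add_employee;
/

CREATE OR REPLACE FUNCTION get_national_id (
  p_employee_id IN NUMBER,
  p_key         IN RAW
) RETURN VARCHAR2 IS
  v_enc RAW(16);
BEGIN
  -- The lookup uses the clear-text substitute number and its primary key index;
  -- the encrypted column never appears in a WHERE clause.
  SELECT national_id_enc INTO v_enc
    FROM employees
   WHERE employee_id = p_employee_id;

  RETURN RTRIM(UTL_RAW.CAST_TO_VARCHAR2(
           DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
             input => v_enc, key => p_key, which => 1)));
END get_national_id;
/
```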

    3.2.2.2. Key management

    Key management, which includes both generating keys and storing encryption keys securely, is arguably one of the most important aspects of encryption. If keys are poorly chosen or improperly stored, it becomes easy for an attacker to break the security. Rather than using a brute-force attack (that is, trying all possible keys in the hope of finding the correct decryption key), cryptanalysts usually try to find weaknesses in the choice of keys or in the way keys are stored. Key generation is an important issue in encryption.

    a. Key generation

    Keys are generated automatically by a random number generator from a cryptographic seed. Provided that the random number generation is sufficiently strong, this form of key generation can be used safely. However, if the random numbers contain predictable elements, the security of the encryption can easily be compromised.

    A few years ago, a security hole in Netscape's SSL implementation was made public when it was discovered that 2 of the 3 elements used in random number generation were not random (for example, the machine serial number and the time of day). The encryption key for SSL sessions had an effective key length of 9 bits, compared with the advertised 40 bits, because of the weak key generation. An SSL session key could easily be broken, not because the encryption algorithm was weak but because the key could easily be found.

    To provide secure key generation, Oracle9i adds support for secure random number generation through the GetKey procedure of DBMS_OBFUSCATION_TOOLKIT. The GetKey procedure calls a secure random number generator (RNG) that has been certified against Federal Information Processing Standard (FIPS) 140 as part of the Oracle Advanced Security FIPS-140 evaluation. Developers should not use the DBMS_RANDOM package. The DBMS_RANDOM package generates pseudo-random numbers; as RFC-1750 states, "The use of pseudo-random processes to generate secret quantities can result in pseudo-security."


    b. Key transmission

    If the key is passed by the application to the database, it must be encrypted. Otherwise, an eavesdropper can capture the key while it is being transmitted over the network. Network encryption, such as that provided by Oracle Advanced Security, protects all data in transit, including keys, against modification and interception.

    c. Key storage

    Key storage is one of the most important, and most difficult, aspects of encryption. To recover data encrypted with a symmetric key, the key must be available to the application or user that wants to decrypt the data. The key has to be easy enough to retrieve that users can access encrypted data without a loss of performance. It also has to be secure enough that it cannot easily be obtained by someone deliberately trying to access encrypted data he is not allowed to see. The three basic options available to the developer are:

    - Store the keys in the database
    - Store the keys in the operating system
    - Have a user manage the keys

    1/ Storing keys in the database

    Storing keys in the database does not always provide "bullet-proof" security if you are trying to protect data against access by the DBA, because someone holding all DBA privileges can read the tables that contain the encryption keys. It can, however, often provide quite good security against the casual snooper, or against an attack on the database files at the operating-system level.

    As a small example, suppose you create a table EMP (Employee) containing employee data, and you want to encrypt each employee's Social Security Number (SSN), which is one of the columns. You could encrypt each employee's SSN using a key stored in a separate column. However, anyone with SELECT access to the whole table could retrieve the encryption key and decrypt the matching SSN.

    Although this scheme looks easy to defeat, with a little more effort you can build a solution that is harder to break. For example, you could encrypt the SSN by applying some additional data transformation to the employee_number before using it to encrypt the SSN, something as simple as XORing the employee_number with the employee's birthdate.

    As additional protection, the PL/SQL package body that performs the encryption can be wrapped (using the wrap utility), which obfuscates the code so that the package body cannot be read. For example, putting the key into a PL/SQL package body and then wrapping it makes the package body, including the embedded key, unreadable to the DBA and to other users. A developer could wrap a package body called KEYMANAGE as follows:

        wrap iname=/mydir/keymanage.sql

    A developer can then have a function in the package call DBMS_OBFUSCATION_TOOLKIT with the key contained in the wrapped package.

    Wrapping is not unbreakable, but it makes it harder for someone snooping on the system to obtain the key. To make it harder still, the key can be split up inside the package and re-assembled by a procedure before it is used. Even where a different key is supplied for each encrypted data value, so that the key values are not embedded in a package, wrapping the package that performs key management (the data transformation or padding) is recommended. Additional information about the Wrap Utility is available in the PL/SQL User's Guide and Reference.

    An alternative is to keep the encryption keys in a separate table and wrap the calls to the key table in a procedure. The key table can be joined to the data table through a primary key/foreign key relationship. For example, EMPLOYEE_NUMBER is the primary key of the employee table, which stores the employee information and the encrypted SSN. EMPLOYEE_NUMBER is also a foreign key to the SSN_KEYS table, which holds the keys used to encrypt each employee's SSN. The key stored in SSN_KEYS can also be transformed before use (for example by XOR), so that the key itself is not stored in usable form. The procedure should be wrapped to hide the way in which keys are transformed before use.

    The advantages of this approach are:

    - Users with access to the table cannot see the sensitive data unencrypted, nor can they read the keys needed to decrypt it.
    - Access to the decrypted data can be controlled through a procedure that selects the (encrypted) data, retrieves the decryption key from the key table, and transforms it before it can be used to decrypt the data.
    - The data transformation algorithm is hidden from casual snooping by wrapping the procedure, which obfuscates the procedure code.
    - SELECT access to both the data table and the key table does not guarantee that a user with that access can decrypt the data, because the key is transformed before use.

    The disadvantage of this approach is:

    - A user who has SELECT access to both the key table and the data table, and who can work out the key transformation algorithm, can break the encryption scheme.

    The approach above is not bullet-proof, but it is strong enough to protect against easy retrieval of sensitive information that would otherwise be stored in cleartext (for example, credit card numbers).
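The separate key table described above, as an added example (not code from the original document or from Oracle): a package that keeps each key in SSN_KEYS only in XOR-transformed form and re-derives it at the moment of use. EMPLOYEE_NUMBER, SSN_KEYS and the DBMS_OBFUSCATION_TOOLKIT calls are those named in the text; the EMPLOYEES layout, the package name ssn_crypt, its subprograms and the mask value are assumptions made for illustration.

```sql
-- Added example. EMPLOYEE_NUMBER and SSN_KEYS come from the text;
-- all other object names and the mask value are assumptions.
create table employees (
  employee_number number primary key,
  ssn_enc         raw(64)              -- 3DES ciphertext of the SSN
);

create table ssn_keys (
  employee_number number primary key
                  references employees (employee_number),
  key_material    raw(24) not null     -- transformed key, not usable as stored
);

create or replace package ssn_crypt as
  procedure set_ssn (p_empno in number, p_ssn in varchar2, p_key in raw);
  function  get_ssn (p_empno in number) return varchar2;
end ssn_crypt;
/

create or replace package body ssn_crypt as
  -- Constructed sample mask, kept in two halves and joined only at use.
  c_mask_a constant raw(12) := hextoraw('5A17C3E09B44D2061F8E7A35');
  c_mask_b constant raw(12) := hextoraw('C8D1604BFE2997A30B56E41D');

  -- XOR is its own inverse: one function maps key -> stored form and back.
  function transform (p_key in raw) return raw is
  begin
    return utl_raw.bit_xor(p_key, utl_raw.concat(c_mask_a, c_mask_b));
  end transform;

  procedure set_ssn (p_empno in number, p_ssn in varchar2, p_key in raw) is
    l_plain  raw(64) := utl_raw.cast_to_raw(p_ssn);
    l_enc    raw(64);
    l_stored raw(24);
  begin
    if p_key is null or utl_raw.length(p_key) <> 24 then
      raise_application_error(-20002, 'three-key 3DES needs a 24-byte key');
    end if;
    -- NUL-pad (1 to 8 bytes) to the 8-byte block size DES3Encrypt requires.
    l_plain := utl_raw.concat(l_plain, utl_raw.copies(
                 hextoraw('00'), 8 - mod(utl_raw.length(l_plain), 8)));
    l_enc := dbms_obfuscation_toolkit.des3encrypt(
               input => l_plain, key => p_key,
               which => dbms_obfuscation_toolkit.ThreeKeyMode);
    -- Private functions cannot be called from SQL, so transform first.
    l_stored := transform(p_key);
    update employees set ssn_enc = l_enc where employee_number = p_empno;
    if sql%rowcount = 0 then
      raise_application_error(-20003, 'unknown employee_number');
    end if;
    delete from ssn_keys where employee_number = p_empno;
    insert into ssn_keys (employee_number, key_material)
    values (p_empno, l_stored);
  end set_ssn;

  function get_ssn (p_empno in number) return varchar2 is
    l_enc    raw(64);
    l_stored raw(24);
    l_plain  raw(64);
  begin
    select e.ssn_enc, k.key_material
      into l_enc, l_stored
      from employees e, ssn_keys k
     where e.employee_number = p_empno
       and k.employee_number = e.employee_number;
    l_plain := dbms_obfuscation_toolkit.des3decrypt(
                 input => l_enc, key => transform(l_stored),
                 which => dbms_obfuscation_toolkit.ThreeKeyMode);
    return rtrim(utl_raw.cast_to_varchar2(l_plain), chr(0));
  end get_ssn;
end ssn_crypt;
/
```

The package body would then be wrapped with the wrap utility, as shown for KEYMANAGE above, so that the mask and the transformation cannot be read from the stored source. Users are granted EXECUTE on the package only, not SELECT on either table.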

    2/ Storing keys in the operating system

    Storing keys in the operating system (for example, in a flat file) is another option. Oracle9i lets you make callouts from PL/SQL, and you can use these callouts to read the encryption keys. However, if you store the keys in the operating system and make callouts to it, your data is only as well protected as the operating system is. If your main security concern in encrypting data stored in the database is that the database can be broken into from the operating system, then storing the keys in the operating system arguably makes it easier for a hacker to obtain the encrypted data than storing the keys in the database itself.

    3/ Having a user manage the keys

    Having the user supply the key assumes that the user will be responsible with it. Given that 40% of help desk calls come from users who have forgotten their passwords, you can see the risks of having users manage encryption keys. In all likelihood, users will either forget an encryption key or write it down, which creates a security weakness. If a user forgets an encryption key or leaves the company, your data cannot be recovered.

    If you do choose to have a user supply or manage the keys, you need to make sure you are using network encryption, so that the key does not travel from client to server in cleartext. You must also develop a key archive mechanism, which is itself a difficult security problem.

    d. Changing keys

    Prudent security practice is to change encryption keys periodically. For stored data, this requires periodically decrypting the data and re-encrypting it with another well-chosen key. This has to be done while the data is not being accessed, which creates a further challenge, especially for web applications that encrypt credit card numbers, since you do not want the whole application to fail while the encryption keys are being switched.


    3.2.2.3. Binary large objects (BLOBs)

    Some datatypes require more work to encrypt. For example, Oracle supports the storage of binary large objects, which lets users store very large objects (up to gigabytes) in the database. A BLOB can be stored either internally, in a column, or in an external file. To use the DBMS_OBFUSCATION_TOOLKIT package, the user has to split the data into chunks of 32767 characters (the maximum that PL/SQL allows), then encrypt each chunk and append it to the BLOB. To decrypt, the same procedure has to be followed in reverse.
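An added example of the chunking described above (not code from the original document or from Oracle), assuming three-key 3DES and a caller that records the original length of the object. It works in 32760-byte pieces, the largest multiple of the 8-byte DES block that fits under the 32767-byte PL/SQL limit; the package name lob_crypt and its function names are hypothetical.

```sql
-- Added example; package and function names are hypothetical.
create or replace package lob_crypt as
  function encrypt_blob (p_src in blob, p_key in raw) return blob;
  -- p_len: length in bytes of the original, unpadded BLOB
  function decrypt_blob (p_enc in blob, p_key in raw, p_len in integer)
    return blob;
end lob_crypt;
/

create or replace package body lob_crypt as
  -- Largest multiple of the 8-byte block size that fits in a PL/SQL RAW.
  c_chunk constant binary_integer := 32760;

  function encrypt_blob (p_src in blob, p_key in raw) return blob is
    l_out  blob;
    l_buf  raw(32767);
    l_amt  binary_integer;
    l_pos  integer := 1;
    l_len  integer := dbms_lob.getlength(p_src);
    l_pad  binary_integer;
  begin
    dbms_lob.createtemporary(l_out, true);
    while l_pos <= l_len loop
      l_amt := c_chunk;
      dbms_lob.read(p_src, l_amt, l_pos, l_buf);  -- l_amt := bytes actually read
      l_pos := l_pos + l_amt;
      -- Only the final chunk can be short; NUL-pad it to a block boundary.
      l_pad := mod(8 - mod(l_amt, 8), 8);
      if l_pad > 0 then
        l_buf := utl_raw.concat(l_buf, utl_raw.copies(hextoraw('00'), l_pad));
      end if;
      l_buf := dbms_obfuscation_toolkit.des3encrypt(
                 input => l_buf, key => p_key,
                 which => dbms_obfuscation_toolkit.ThreeKeyMode);
      dbms_lob.writeappend(l_out, utl_raw.length(l_buf), l_buf);
    end loop;
    return l_out;
  end encrypt_blob;

  function decrypt_blob (p_enc in blob, p_key in raw, p_len in integer)
    return blob is
    l_out   blob;
    l_buf   raw(32767);
    l_amt   binary_integer;
    l_pos   integer := 1;
    l_total integer := dbms_lob.getlength(p_enc);
  begin
    -- Ciphertext is whole blocks and at most 7 bytes longer than the original.
    if mod(l_total, 8) <> 0 or p_len > l_total or p_len <= l_total - 8 then
      raise_application_error(-20010, 'p_len does not match the ciphertext');
    end if;
    dbms_lob.createtemporary(l_out, true);
    while l_pos <= l_total loop
      l_amt := c_chunk;                           -- same boundaries as encrypt_blob
      dbms_lob.read(p_enc, l_amt, l_pos, l_buf);
      l_pos := l_pos + l_amt;
      l_buf := dbms_obfuscation_toolkit.des3decrypt(
                 input => l_buf, key => p_key,
                 which => dbms_obfuscation_toolkit.ThreeKeyMode);
      dbms_lob.writeappend(l_out, utl_raw.length(l_buf), l_buf);
    end loop;
    if p_len < l_total then
      dbms_lob.trim(l_out, p_len);                -- drop the NUL padding
    end if;
    return l_out;
  end decrypt_blob;
end lob_crypt;
/
```

Each chunk is encrypted by its own toolkit call, so decryption must read the ciphertext on the same 32760-byte boundaries, which is why both functions share c_chunk.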


    Chapter 4

    IMPLEMENTING ENCRYPTION ON AN EMPLOYEE DATABASE

    Companies today usually pay their employees' salaries into bank accounts or, if they pay in cash, limit as far as possible what employees can know or find out about each other's pay. Why is salary kept secret in this way?

    For a company to grow, besides a clear plan and strategy it needs a team of enthusiastic employees who are devoted to their work. Comparisons and questions about total income affect each individual's contribution. Competition over income levels gives rise to conflict and erodes solidarity among the employees. This is why salaries have to be kept confidential between individuals, so that the company can get the most enthusiasm from its employees.

    Some companies also want to keep employees' positions confidential, and do not want ordinary employees to know who holds a higher position than they do.

    For some companies, therefore, position and salary data are sensitive data that need to be protected.

    4.1. The employee table

    Because database encryption is a complex problem, I consider only a simple database consisting of a single employee table.

    The company stores the following information about each employee: full name, position, department, age, sex and salary, as in the following example:

    Employee ID  Full name          Position         Department  Age  Sex  Salary
    02001        Nguyn Vn Ti        Employee         Marketing   29   M    3500
    02002        Trn Th Mai        Department head  Planning    33   F    6200
    02003        Nguyn Quang Huy    Employee         Planning    27   M    4000
    02004        Hong Vn Minh      Supervisor       Marketing   24   M    3600
    02005        Nguyn Th Hoa      Employee         Planning    24   F    2900
    02006        Nguyn Th Thu Hng  Supervisor       Marketing   24   F    4000
    02007        Nguyn Th Ngn      Department head  Sales       35   F    7000
    02008        Kiu Vit Phng      Employee         Sales       27   M    4500
    02009        Phm Th Lng        Employee         Sales       26   F    3500
    02010        Nguyn Th Nhung    Employee         Sales       23   F    3000
    02011        Nguyn Vn Tun      Deputy head      Sales       32   M    6500

    Table 4.1: The employee table

    Because the company requires the employees' position and salary to be encrypted, a scheme has to be designed to do this. This scheme needs to


    The encryption keys are stored in the NhanVien_Key table, whose primary key references the primary key of the NhanVien_Encrypt table.

    Figure 4.3: The NhanVien_Key table

    First, the data in the NhanVien table has to be encrypted. The encrypted data is then moved to the NhanVien_Encrypt table, and the corresponding keys are stored in the NhanVien_Key table at the same time.

    Once the data has been encrypted and moved successfully, the plaintext table has to be deleted, that is, the NhanVien table is dropped.

    Result: only two tables remain, NhanVien_Encrypt and NhanVien_Key.

    Note: each row of data to be encrypted in the NhanVien table uses its own corresponding key in the key table NhanVien_Key.

    To view the plaintext (decrypted) data, we define a view based on the encrypted table NhanVien_Encrypt and the key table NhanVien_Key.

    Figure 4.4: Creating the NhanVien_Table view

    For convenience of administration and separation of duties, we create a user to carry out the encryption of the employee table. The NhanVien_Encrypt and NhanVien_Key tables are then created by this user.

    4.3. Implementation steps

    The steps needed to carry out the work above are:

    - Create the user
    - Build the package for encryption/decryption
    - Encrypt/decrypt the data
    - Create a trigger to handle adding, updating and deleting employees
    - Distribute keys
    - Add and remove users

    4.3.1. Creating the user SA

    The user SA is created to carry out the encryption. SA reduces the administrator's workload and also makes separation of duties easier.

    For SA to be able to do this work, it has to be granted a number of privileges: connect session, create view, create public synonym, drop public synonym.

    4.3.2. Building the encryption/decryption package

    Because dbms_obfuscation_toolkit is not an intuitive package, we create a wrapper that is friendlier and easier to use. We call the wrapper's functions to encrypt and decrypt data instead of calling dbms_obfuscation_toolkit directly. Here we create the package CRYPT_UTIL.

    The encryption method chosen in CRYPT_UTIL is 3DES.

    The package contains the following 3 functions:

    - Crypt() performs encryption
    - Get_key() generates a key
    - Decrypt() performs decryption

    The detailed source code of the program is given in the appendix.

    4.3.3. Encrypting/decrypting the data

    The data is encrypted in the following steps:

    Step 1: Encrypt the existing NhanVien table

    Figure 4.5: Encrypting the NhanVien table

    Step 2: Delete the NhanVien table

    The result after the employee table has been encrypted:

    Figure 4.6: The encrypted employee table

    Decryption is done through the view NhanVien_vw (a synonym, NhanVien_Table, is created for the view NhanVien_vw), which is built on the NhanVien_Encrypt table. The view joins the NhanVien_Encrypt and NhanVien_Key tables and exposes all columns except the key column. It exposes the values of the position and salary columns decrypted with crypt_util.decrypt. Because crypt_util.decrypt returns the datatype varchar2(2000), we cast the columns back to their proper datatypes.

    Figure 4.7: Creating the NhanVien_Table view

    Creating the view gives a plaintext version of the employee table, Nhanvien_table:

    Figure 4.8: The Nhanvien_table table

    4.3.4. Handling the addition, update and deletion of employees

    We use INSTEAD OF triggers to manipulate the data. These triggers manipulate the data in the base tables whenever a user inserts, updates or deletes through the view. On update, the triggers also ensure that the values that need to be encrypted are updated as well.

    The detailed code of the trigger NhanVien_vw_trg is given in the appendix.

    4.3.5. Key management

    The encryption keys are stored in a separate table, NhanVien_Key. This table is owned by SA, who therefore has full rights on it. Keys can thus be changed by updating the data in the key table. Note that when a key is changed, the data currently encrypted under that key has to be decrypted and then re-encrypted under the new key.
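An added example (not part of the original thesis code) of the key change described under "Changing keys" and in 4.3.5, written against the nhanvien and nhanvien_key tables and the crypt_util package listed in the appendix. The procedure name rotate_nhanvien_keys and the error numbers are assumptions; both tables are locked so that no other session changes rows during the rotation, and ciphertext and key are replaced inside one transaction.

```sql
-- Added example; the procedure name and error numbers are assumptions.
create or replace procedure rotate_nhanvien_keys
is
  l_new    raw(255);
  l_chucvu varchar2(255);
  l_luong  varchar2(255);
  l_enc_cv raw(255);
  l_enc_lg raw(255);
begin
  -- Block concurrent DML (including the INSTEAD OF trigger) until commit.
  lock table nhanvien, nhanvien_key in exclusive mode;

  for r in (select n.manv, n.chucvu, n.luong, k.key
              from nhanvien n, nhanvien_key k
             where n.manv = k.manv)
  loop
    -- 1. Recover the plaintext with the key currently on file.
    l_chucvu := crypt_util.decrypt(r.chucvu, r.key);
    l_luong  := crypt_util.decrypt(r.luong,  r.key);

    -- 2. Obtain a replacement key and refuse a rotation that changes nothing.
    l_new := crypt_util.get_key;
    if l_new = r.key then
      raise_application_error(-20020,
        'replacement key equals current key for MaNV ' || r.manv);
    end if;

    -- 3. Re-encrypt and confirm the round trip before touching the tables.
    l_enc_cv := crypt_util.crypt(l_chucvu, l_new);
    l_enc_lg := crypt_util.crypt(l_luong,  l_new);
    if crypt_util.decrypt(l_enc_cv, l_new) <> l_chucvu
       or crypt_util.decrypt(l_enc_lg, l_new) <> l_luong then
      raise_application_error(-20021,
        'round-trip check failed for MaNV ' || r.manv);
    end if;

    -- 4. Ciphertext and key change together, inside one transaction.
    update nhanvien
       set chucvu = l_enc_cv, luong = l_enc_lg
     where manv = r.manv;
    update nhanvien_key set key = l_new where manv = r.manv;
  end loop;

  commit;
exception
  when others then
    rollback;   -- leave every row paired with its old key
    raise;
end rotate_nhanvien_keys;
/
```

Sessions querying the view during the run keep seeing the old ciphertext with the old key until the commit, so a failure part-way through never leaves a row that cannot be decrypted.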

    4.3.6. Managing users who access plaintext data

    Any user who is entitled to see the position and salary columns only needs to be granted privileges on the view NhanVien_Table.

    4.4. Test results

    Suppose there are 2 employees, NhanvienA and NhanvienB.

    NhanvienA: is allowed to see the position and salary columns, that is, he has access to Nhanvien_Table and can see the data in plaintext.

    NhanvienB: is not allowed to see the position and salary columns, that is, he has no access to the plaintext data and may only access the NhanVien_Encrypt table (that is, the NhanVien table).

    When NhanvienA connects to the database and runs the statement select * from NhanVien_Table, the result is:

    Figure 4.9: Employee A viewing the plaintext data

    When NhanvienB connects to the database and runs the statement select * from NhanVien_Encrypt, the result is:


    Figure 4.10: Select from the NhanVien_Encrypt table

    NhanVienA is granted the right to update and modify the NhanVien table.

    Entering data into the NhanVien table:

    - Full name: Ong Th Hng
    - Position: Employee
    - Department: Planning
    - Age: 24
    - Sex: Female
    - Salary: 2500

    Figure 4.11: Insert into the NhanVien table

    Updating the employee with MaNV=02004 to a salary of 5000:

    Figure 4.12: Update of the NhanVien table

    4.5. Evaluation of the encryption scheme for the employee table

    Quality of the ciphertext:

    - Encryption increases the size of the data (in the smallest case it stays the same), so even for the ciphertext of a short plaintext (for example luong=3000, only 5 characters) it is still hard for a cryptanalyst to guess the original plaintext.
    - Moreover, with the scheme designed above, two records with identical values encrypt to different values, which makes cryptanalysis harder still.

    For example, Nguyn Vn Ti and Nguyn Quang Huy are both employees, and their positions encrypt as follows:

    Nguyn Vn Ti: CCF0BFD96FFD7F5477386D5CDCF787F6

    Nguyn Quang Huy: 457BC1E73A754F9813F9AE47139EE61B

    Figure 4.13: Comparing the encryption results of identical records

    In summary, the encryption scheme for the employee table has the following advantages and disadvantages.

    Advantages:

    - The salary and position columns are guaranteed to be encrypted when stored in the database.
    - Unauthorized users cannot view the position and salary data.
    - Encryption and decryption are transparent to the end user.

    Disadvantages:

    - Performance drops, because every data operation has the extra task of encrypting/decrypting the data.
    - The size of the data to be stored grows considerably, which increases the storage required.


    CONCLUSION

    Today, keeping sensitive information secure is a necessary and important matter for any organization. Database encryption is a defense-in-depth method that effectively complements the other methods.

    Against the objectives set for this project, in each part I have studied and presented the following:

    - An overview of cryptography, encryption methods, and some common algorithms.
    - The issue of security in databases, and the levels of encryption that keep the data stored in them secure.
    - The encryption capabilities of the Oracle database management system and the challenges that arise when encryption is applied to a database.
    - The application of DBMS-level encryption to a specific database.

    However, because time was limited and my practical knowledge is still limited, some limitations remain:

    - The scheme has only been applied to one simple table and not yet to a complex database.
    - The encryption method is still simple, and keys are managed at the DBMS level, so the duties of the security officer and of the ordinary administrator are not yet truly separated.
    - The encryption functions used are those provided by Oracle, so they have many limitations. For example, Oracle 9i provides only the DES encryption algorithm, whereas DES has now been replaced by AES.

    As directions for future development, I will:

    - Develop a separate encryption/decryption module.
    - Apply it to a complete database.


    APPENDIX

    A. The SA user

    /************ Create user SA ****************/
    drop user sa cascade;
    create user SA identified by sa
      default tablespace users
      temporary tablespace temp;

    /******** Grant privileges to user SA **********/
    grant connect, resource to SA;
    grant create view to SA;
    grant create public synonym to SA;
    grant drop public synonym to SA;

    B. The CRYPT_UTIL package

    create or replace package crypt_util
    as
      function crypt (p_str in varchar2, p_key in raw)
        return raw;
      function decrypt (p_data in raw, p_key in raw)
        return varchar2;
      function get_key return raw;
    end crypt_util;
    /

    create or replace package body crypt_util
    as
      /* Encrypt p_str with 3DES (three-key mode) under p_key */
      function crypt (p_str in varchar2, p_key in raw)
        return raw
      as
        l_datar  raw(255);
        l_retval raw(255);
      begin
        /* Pad with 1 to 8 NUL bytes up to a multiple of 8. The length is
           measured in bytes, not characters, so multi-byte text also ends
           on a block boundary. */
        l_datar := utl_raw.cast_to_raw(p_str);
        l_datar := utl_raw.concat(l_datar,
                     utl_raw.copies(hextoraw('00'),
                                    8 - mod(utl_raw.length(l_datar), 8)));
        dbms_obfuscation_toolkit.des3encrypt
          ( input          => l_datar,
            key            => p_key,
            which          => dbms_obfuscation_toolkit.ThreeKeyMode,
            encrypted_data => l_retval );
        return l_retval;
      end;

      /* Generate a 3DES key with the toolkit's key generator */
      function get_key
        return raw
      as
        l_keyr  raw(255);
        l_seed  varchar2(255);
        l_seedr raw(255);
      begin
        /* Seed for the generator, embedded here as a literal */
        l_seed :=
          'UpKYrZHeiooBqkvpJHuImXrLOmVzYhgBhJcNLQL'||
          'wkKYAhKgoZKnXPDBjcgYPGnfPyQOBAGmtRTJUhXAo';
        l_seedr := utl_raw.cast_to_raw(l_seed);
        dbms_obfuscation_toolkit.des3GetKey
          ( which => dbms_obfuscation_toolkit.ThreeKeyMode,
            seed  => l_seedr,
            key   => l_keyr );
        return l_keyr;
      end;

      /* Decrypt p_data and return the text up to the first NUL pad byte */
      function decrypt (p_data in raw, p_key in raw)
        return varchar2
      as
        l_datar raw(255);
      begin
        l_datar := dbms_obfuscation_toolkit.des3decrypt
                     ( input => p_data,
                       key   => p_key,
                       which => dbms_obfuscation_toolkit.ThreeKeyMode );
        return (substr
                 (utl_raw.cast_to_varchar2(l_datar),
                  1, instr(utl_raw.cast_to_varchar2(l_datar), chr(0), 1) - 1
                 ));
      end;
    end crypt_util;
    /

    C. The NhanVien_vw view

    create or replace view nhanvien_vw
    as
    select
      n.MaNV,
      n.HoTen,
      cast (crypt_util.decrypt(n.ChucVu, k.key) as varchar2(30)) chucvu,
      n.Phong,
      n.Tuoi,
      n.Gioitinh,
      cast (crypt_util.decrypt(n.Luong, k.key) as varchar2(10)) luong
    from nhanvien n, nhanvien_key k
    where n.manv = k.manv;

    create public synonym nhanvien_table for nhanvien_vw;


    D. The NhanVien_vw_trg trigger

    create or replace trigger nhanvien_vw_trg
    instead of insert or update or delete on nhanvien_vw
    for each row
    declare
      l_key raw(255);
    begin
      if (inserting)
      then
        /* Get the encryption key for the columns */
        l_key := crypt_util.get_key;
        /* Add a row to the nhanvien table with the position (ChucVu)
           and salary (Luong) fields encrypted */
        insert into nhanvien
          ( manv,
            HoTen,
            ChucVu,
            Phong,
            Tuoi,
            Gioitinh,
            Luong
          )
        values
          ( :new.manv,
            :new.HoTen,
            crypt_util.crypt(to_char(:new.ChucVu), l_key),
            :new.Phong,
            :new.Tuoi,
            :new.Gioitinh,
            crypt_util.crypt(to_char(:new.Luong), l_key)
          );
        /* Add the key to the nhanvien_key table */
        insert into nhanvien_key


        delete from nhanvien_key
        where manv = :old.manv;
        update nhanvien
        set manv = :new.manv
        where manv = :old.manv;
        insert into nhanvien_key
          ( manv,
            key
          )
        values
          ( :new.manv,
            l_key
          );
      end if;
      /* If HoTen changed, update HoTen */
      if ( :new.HoTen <> :old.HoTen )
      then
        update nhanvien
        set HoTen = :new.HoTen
        where manv = :new.manv;
      end if;
      /* If the position (ChucVu) changed */
      if ( :new.ChucVu <> :old.ChucVu )
      then
        update nhanvien
        set ChucVu =

    cr