Oracle's encryption not secure, researcher says

IDG News Service - The standard encryption mechanism used by Oracle Corp.'s database products can be easily circumvented, according to a German security researcher who last week published details on several unpatched security vulnerabilities in the database vendor's products (see Security firm details six unpatched Oracle flaws).
Security expert Alexander Kornbrust plans to give a presentation at the Black Hat USA 2005 security conference this week showing how Oracle's encryption can be broken. The encryption features that come standard with Oracle's database, called DBMS Crypto and DBMS Obfuscation Toolkit, can be circumvented, he said in an interview.
"A lot of people think that if they use this DBMS Crypto, a hacker is not able to decrypt the data, but I found a way to get the keys," said Kornbrust, a business director at Red-Database-Security GmbH, in Neunkirchen, Germany.
This could result in a nasty surprise for customers who believe they are protecting their data from attackers via Oracle's standard encryption mechanisms, he said. "If a hacker breaks into your database, he's able to retrieve all of the sensitive information like credit card numbers."
The problem lies with the design of Oracle's encryption mechanism and the fact that it stores unencrypted numbers, called keys, in a way that they can be seen by an attacker and then used to read sensitive data.
Oracle Director of Product Management Paul Needham acknowledged that, for many Oracle installations, getting access to these encryption keys could happen if an attacker gained access to a privileged "DBA" (database administrator) account on the server. "Most of the customers would store the encryption key in a table in the database. To the extent that you have a DBA [account]\ that can see the tables, you can just read the tables and find the encryption key."

The encryption software does provide a way of protecting sensitive data on storage media like backup tapes, and it can be used to bring users into compliance with government regulations, Needham said, adding that his company does not recommend relying on encryption alone as a method of securing data. "Encryption should not be considered an access control solution," he said.
Oracle customers who read the documentation for the company's 10g database might be led to think otherwise, however. In the event that an attacker gains access to the database, "encryption of stored data can... be an important tool in limiting information loss," Oracle's documentation states.
Customers who think they are preventing attackers, or even curious database administrators from gaining access to sensitive data by using Oracle's standard