Oracle® Database Advanced Security Administrator's Guide 11g Release 2 (11.2) Part Number E10746-02
This section describes new features of Oracle Advanced Security 11g Release 2 (11.2) and provides pointers to additional information.
This release includes the following new features:
Enhanced TDE Tablespace Encryption
Oracle Database 11g Release 2 (11.2) implements the following enhancements to TDE Tablespace Encryption:
A unified master encryption key is used for both Transparent Data Encryption (TDE) Column Encryption and TDE Tablespace Encryption.
The unified master encryption key can optionally be stored in a hardware security module. This enables you to use the TDE Tablespace Encryption feature along with hardware security modules.
You can reset (rekey) the unified master encryption key. This provides enhanced security and helps meet security and compliance requirements.
See Also:
"Encrypting Entire Tablespaces"
Internet Protocol Version 6 (IPv6) Support
Oracle Advanced Security fully supports Internet Protocol Version 6 (IPv6) networks.
Kerberos Enhancements
The Oracle Kerberos authentication mechanism now supports the Microsoft Windows Server 2003 constrained delegation feature. The middle tier can use the Kerberos adapter to authenticate to the Oracle Database without providing the user's forwarded Kerberos credentials.
A user can authenticate to the middle tier using a non-Kerberos authentication mechanism. The middle tier authenticates to the backend Oracle Database using the Kerberos authentication mechanism on behalf of the user.
See Also:
Microsoft documentation for more information on the Microsoft Windows Server 2003 constrained delegation feature

This release includes the following new features:
Enhanced Transparent Data Encryption
Transparent Data Encryption enables you to encrypt data in columns without having to manage the encryption key. Businesses can protect sensitive data in their databases without having to make changes to their applications.
Oracle Advanced Security uses industry standard encryption algorithms including AES and 3DES to encrypt columns that have been marked for encryption. Key Management is handled by the database. SQL interfaces to Key Management hide the complexity of encryption.
You can now encrypt entire tablespaces using Tablespace Encryption. All objects created in the encrypted tablespace are automatically encrypted. See "TDE Tablespace Encryption" for more information.
Transparent Data Encryption now enables you to use a hardware security module (HSM) to store the master encryption key. This allows for enhanced security. See "Using Hardware Security Modules with TDE" for more information.
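The unified master key operations described under "Enhanced TDE Tablespace Encryption" and the column and tablespace encryption described here, as an added SQL example that is not taken from the guide. The wallet password, datafile path, tablespace and table names are assumed placeholders; the statements use the 11g ALTER SYSTEM SET ENCRYPTION syntax and the V$/DBA views for verification.

```sql
-- Assumed placeholders: wallet password, datafile path, object names.
-- Open the (software) wallet so the master encryption key is available.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pw_placeholder";

-- Create (or, on a later run, rekey) the unified master encryption key.
-- Rekeying regenerates the master key and re-encrypts the per-table column
-- keys and the tablespace keys under it; the stored data is not rewritten.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_pw_placeholder";

-- TDE Tablespace Encryption: every object created here is encrypted.
CREATE TABLESPACE secure_ts
  DATAFILE '/placeholder/oradata/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- TDE Column Encryption in an ordinary tablespace: only SSN is encrypted.
-- NO SALT is required if the column is to be indexed; SALT is the default.
CREATE TABLE hr_employee (
  emp_id    NUMBER PRIMARY KEY,
  last_name VARCHAR2(64),
  ssn       VARCHAR2(11) ENCRYPT USING 'AES192' NO SALT
);

-- Verification queries a DBA would run after the change:
-- wallet must report OPEN, otherwise encrypted data is unreadable.
SELECT wrl_type, status FROM v$encryption_wallet;

-- tablespace-level encryption status and algorithm.
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';
SELECT ts#, encryptionalg, encryptedts FROM v$encrypted_tablespaces;

-- column-level encryption status, algorithm and salt setting.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE table_name = 'HR_EMPLOYEE';

-- Closing the wallet withholds the master key; encrypted columns and
-- tablespaces then raise errors on access until it is reopened.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "wallet_pw_placeholder";
```

Back up the wallet before each rekey; a lost master key makes data in encrypted columns and tablespaces unrecoverable.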
See Also:
"Supported Encryption Algorithms" for more information on the encryption algorithms that are supported.
Chapter 3, "Securing Stored Data Using Transparent Data Encryption" for more information on implementing and using Transparent Data Encryption.
Kerberos authentication is more secure and manageable
The Kerberos implementation now makes use of secure encryption algorithms like 3DES and AES in place of DES. This makes using Kerberos more secure. The Kerberos authentication mechanism in Oracle Database now supports the following encryption types:
DES3-CBC-SHA (DES3 algorithm in CBC mode with HMAC-SHA1 as checksum)
RC4-HMAC (RC4 algorithm with HMAC-MD5 as checksum)
AES128-CTS (AES algorithm with 128-bit key in CTS mode with HMAC-SHA1 as checksum)
AES256-CTS (AES algorithm with 256-bit key in CTS mode with HMAC-SHA1 as checksum)
The Kerberos implementation has been enhanced to interoperate smoothly with Microsoft and MIT Key Distribution Centers.
The Kerberos principal name can now contain more than 30 characters. It is no longer restricted by the number of characters allowed in a database user name.
Note:
In this release, the features of Multiplexing and Connection Pooling do not work with SSL transport. Refer to Oracle Database JDBC Developer's Guide and Reference for details of encryption support available in JDBC.