Open source software security

Is Oracle Data Encrypted on the Wire?

30 November -0001

Question: Is data passed to/from an Oracle database secured?

Importance: The answer to this question is critical if you store any sensitive data in your Oracle database. While the data may be secure inside the database, as soon as an application requests access to the data it is transmitted over TCP/IP. This means your data could be exposed as it is moved from the database to the application.

Methodology: To find the answer to this question I used the freely available SQL Developer from Oracle and Wireshark. SQL Developer is a GUI front end that allows you to browse databases and tables, as well as write and execute SQL statements and review the results. Wireshark is a network sniffer that listens to network traffic and collects the packets for analysis.

Results: After opening Wireshark and starting a capture session, then opening SQL Developer and connecting to a remote database server it was obvious that the only data protected over the network was the password. According to David Litchfield in 'The Oracle Hacker's Handbook' (2007, Wiley Publishing, Inc.) the server generates a 'secret number' using the user's password hash and a timestamp. This number is then encrypted using the user's password hash and sent to the client as AUTH_SESSKEY. The client then uses the user's password to decrypt the secret number, which is finally used to encrypt the users password (AUTH_PASSWORD) which is sent back to the server. The server decrypts the password using the secret number and tests it against the Oracle authentication.

This is the only part of the communication that is obscured. All queries sent to the server and all result sets returned pass over the wire in clear text. Thus, if you request a credit card number or a social security number or any other piece of sensitive data from the database it is passed back as plain text. This means that despite any other precautions an attacker can intercept sensitive data simply by listening to a connection involved in the communication between the client and the server.

Furthermore, the schema name, user name, and all other connection details are passed in the clear over the wire. This simplifies brute forcing attempts against the database since anyone intercepting data on the wire can collect lists of valid schemas and usernames.

Oracle does offer a security module that allows for the encryption of data in transit, but this requires an extra license. Default installations won't have this capability enabled, exposing your vital data on the network as SQL result sets are passed. Reconstructing this data is trivial since it reveals not only the data, but also the query used to retrieve it (which could reveal additional information about the data, the database structure and other details).