Transparent Data Encryption OpenEdge 10.2B. Bashkatov V.G. [email protected] www.openedge.ru. Why is database encryption necessary? Protecting the business (about 65% of companies go bankrupt as a result of losing 20% of their business information). Compliance with laws.
Transparent Data Encryption OpenEdge 10.2B [email protected]
-, , 2(812) 438.19.91, 371.00.22, , .3, .3 (495) 616.00.53, 616.00.54http://www.csbi.ru [email protected]
Why is database encryption necessary? Protecting the business (about 65% of companies go bankrupt after losing 20% of their business information); compliance with laws.
?
TDE? SAT-II SAT-I
OpenEdge TDE: 10.2 Enterprise
TDE?
How does TDE work? (diagram; labels only) Encrypt/Decrypt & Key Store; Policy Area; Read I/O; Write I/O; Key Store; Database Master Key; Admin/User Passphrase; Manual/Automatic Authentication; Encryption Policy Area; Encryption Policy
: Database Master Key (DMK) DMK Passphrase (PROBKUP)
The Key Store. Your database backup is not complete until you have made an OS backup or copy of your keystore. (15525)
Passphrase: length 8 to 2048 characters; allowed characters: [a-zA-Z0-9]!@#$%^&*()_+-{}[]|\,./?;: ; required minimums: 1, 2, 1, 0
DMK
The Encryption Policy: tables, indexes, LOBs (SAT-II); areas (SAT-I); AI/BI; stored in the Encryption Policy Area; managed with EPOLICY MANAGE, Data Admin, OpenEdge SQL DDL; online
Cipher table:

ID | Algorithm | Mode | Key bits | Type
0  | NULL      | NULL | -        | -
1  | AES       | CBC  | 128      | BINARY
2  | AES       | CBC  | 192      | BINARY
3  | AES       | CBC  | 256      | BINARY
4  | DES       | CBC  | 56       | BINARY
5  | DES3      | CBC  | 168      | BINARY
7  | RC4       | ECB  | 128      | BINARY
Step 1: Create the Encryption Policy Area (SAT-II) in a structure file and add it with PROSTRCT ADD/ADDONLINE:

e "Encryption Policy Area":12,32;64 . f 1024
e .

prostrct add mydb encrypt.st
prostrct list mydb
Step 2: Enable encryption:

proutil -C enableencryption [-Cipher <num>] [-Autostart] [-biencryption enable | disable] [-aiencryption enable | disable]
BI (offline); key store (.ks); Encryption Policy Area; Passphrase (User/Admin); DMK; AI, BI; Autostart: Manual/Automatic
!
Step 3: EPOLICY MANAGE, Data Admin, OpenEdge SQL DDL
Step 3: Epolicy Manage

proutil -C epolicy manage object-type encrypt | cipher | rekey object-name -Cipher <num>

$ proutil sports -C epolicy manage area encrypt "TestArea1"
Encryption policy setting for Area TestArea1 in Area 7 (15504)
Cipher specification setting to AES_CBC_128 completed. (15491)

$ proutil sports -C epolicy scan area "TestArea1"
OpenEdge Release 10.2B1B as of Thu Jul 30 19:00:21 EDT 2009
AREA TestArea1 / 7 CURRENT AES_CBC_128 V:0 79 of 1784 blocks encrypted

$ proutil sports -C epolicy manage area update "TestArea1"
OpenEdge Release 10.2B1B as of Thu Jul 30 19:00:21 EDT 2009
AREA TestArea1 / 7 CURRENT AES_CBC_128 V:0 1705 of 1784 blocks encrypted
Object types: Area (SAT-I); Table, Index, LOB (SAT-II). Encrypting existing data: Dump & Load or PROUTIL EPOLICY MANAGE UPDATE
Step 3: Data Admin: Admin -> Security -> Encryption Policies -> Edit Encryption Policy. SAT-II objects, PUB schema. Encrypting existing data: D&L or EPOLICY UPDATE
Step 3: OpenEdge SQL DDL

CREATE TABLE PUB.enctab1 (encid int, encdes int, encdt varchar(25)) AREA "TestArea2" ENCRYPT WITH 'AES_CBC_192';
COMMIT;
CREATE INDEX idx1 ON PUB.ENCTAB1 (encid ASC) AREA "TestArea2" ENCRYPT WITH 'AES_CBC_192';
COMMIT;
ALTER TABLE PUB.ENCTAB1 SET ENCRYPT WITH 'AES_CBC_128';
COMMIT;
ALTER TABLE PUB.ENCTAB1 SET ENCRYPT REKEY;
COMMIT;
ALTER TABLE PUB.ENCTAB1 SET DECRYPT;
COMMIT;

$ proutil sports -C epolicy manage table update ENCTAB1
SHOW ENCRYPT ON ALL [ TABLE | INDEX | LOB ];

OBJECT TYPE | OBJECT NAME | OBJECT TABLE | OBJECT OWNER | OBJECT ID | OBJECT POLICY STATE | OBJECT POLICY CIPHERSPEC | POLICY VERSION
TABLE       | ENCTAB1     | ENCTAB1      | PUB          | 855       | CURRENT             | AES_CBC_192              | 0
INDEX       | IDX1        | ENCTAB1      | PUB          | 2428      | CURRENT             | AES_CBC_192              | 0
AREA        | TestArea1   |              |              | 7         | CURRENT             | AES_CBC_128              | 0
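The scan output above shows why a policy alone is not enough: right after `epolicy manage area encrypt` only 79 of 1784 blocks in TestArea1 were encrypted, and the rest stay in clear text until `epolicy manage area update` (or a dump and load) rewrites them. As an added example, not part of the presentation and not Progress tooling, the Python below parses area lines in the `epolicy scan` output format shown on this slide and reports two things a defender checks before calling data at rest protected: areas whose block count is not yet fully encrypted, and areas whose cipher is not one of the AES entries from the cipher table. The sample output is constructed; only the TestArea1 line mirrors the slide, the other area names and counts are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of `proutil db -C epolicy scan` area lines
# (the TestArea1 line is the one shown on the slide; the rest are made up).
SCAN_OUTPUT = """\
OpenEdge Release 10.2B1B as of Thu Jul 30 19:00:21 EDT 2009
AREA TestArea1 / 7 CURRENT AES_CBC_128 V:0 79 of 1784 blocks encrypted
AREA TestArea2 / 8 CURRENT AES_CBC_192 V:0 512 of 512 blocks encrypted
AREA Archive / 9 CURRENT DES_CBC_56 V:0 300 of 300 blocks encrypted
"""

# AES entries from the cipher table; DES, DES3 and RC4 are treated as weak.
STRONG_CIPHERS = {"AES_CBC_128", "AES_CBC_192", "AES_CBC_256"}

# Matches: AREA <name> / <id> <state> <cipher> V:<ver> <done> of <total> blocks encrypted
SCAN_LINE = re.compile(
    r"^AREA\s+(?P<name>\S+)\s+/\s+(?P<oid>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<cipher>\S+)\s+V:(?P<version>\d+)\s+"
    r"(?P<done>\d+)\s+of\s+(?P<total>\d+)\s+blocks\s+encrypted$"
)


@dataclass
class ScanEntry:
    name: str
    oid: int
    state: str
    cipher: str
    version: int
    done: int
    total: int

    @property
    def complete(self) -> bool:
        """True only when every block of the area carries the policy."""
        return self.done == self.total

    @property
    def weak_cipher(self) -> bool:
        """True for any cipher outside the AES set (DES, DES3, RC4, NULL)."""
        return self.cipher not in STRONG_CIPHERS


def parse_scan(text: str) -> list:
    """Parse area lines out of scan output; banner and other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = SCAN_LINE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append(ScanEntry(d["name"], int(d["oid"]), d["state"], d["cipher"],
                                 int(d["version"]), int(d["done"]), int(d["total"])))
    return entries


def findings(entries: list) -> list:
    """Return (area name, issue) pairs for areas that still need attention."""
    out = []
    for e in entries:
        if not e.complete:
            pct = 100.0 * e.done / e.total if e.total else 0.0
            out.append((e.name, f"only {e.done} of {e.total} blocks encrypted ({pct:.1f}%); "
                                f"run 'epolicy manage area update' or dump and load"))
        if e.weak_cipher:
            out.append((e.name, f"cipher {e.cipher} is not AES; change it with "
                                f"'epolicy manage area cipher' and then update"))
    return out


if __name__ == "__main__":
    for name, issue in findings(parse_scan(SCAN_OUTPUT)):
        print(f"{name}: {issue}")
```

Feed it the captured output of a real scan (`proutil db -C epolicy scan area "Name"` per area) and an empty findings list is the condition to aim for; the TestArea1 line from the slide is reported as incomplete exactly as the presenter's second scan, after `update`, is meant to resolve.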
Step 3: Data Definition File (.df)

ADD TABLE "ENCTAB1" AREA "TestArea2" DUMP-NAME "ENCTAB1"
ADD FIELD "ENCID" OF "ENCTAB1" AS integer FORMAT "->,>>>,>>9" INITIAL "?" POSITION 2 MAX-WIDTH 4 ORDER 10
ADD FIELD "ENCDT" OF "ENCTAB1" AS character FORMAT "x(8)" INITIAL "?" POSITION 4 MAX-WIDTH 25 LENGTH 0 ORDER 30 CASE-SENSITIVE
ADD INDEX "IDX1" ON "ENCTAB1" AREA "TestArea2" PRIMARY INDEX-FIELD "ENCID" ASCENDING
UPDATE TABLE "ENCTAB1" ENCRYPTION YES CIPHER-NAME AES_CBC_192
.
PSC
encpolicy=yes
cpstream=ibm866
.
0000000605

UPDATE TABLE ... ENCRYPTION YES CIPHER-NAME ...; definition trailer: encpolicy=yes
TDE and OpenEdge Replication: TDE on Source and Target
BI Target Target
AI Target
Encryption Policy Area
(dbname.ks), Source
TDE OpenEdge ReplicationTDE OE Replication offline / online Target Encryption Policy Area Source Target Source Source (dbname.ks) Source Target:Source Target .Target
Disabling TDE:

proutil -C epolicy manage object-type cipher object-name -Cipher 0
proutil -C epolicy manage object-type update object-name
proutil -C disableencryption [-Passphrase] [[-userid userid] [-password password]]

BI (offline); AI; key store .ks becomes .ksbk.
Buffer Hit Rate (-B) (-B2) SAT-II ( + )
! OpenEdge 10.2B: Transparent Data Encryption [email protected]
?
* , , , , , . ! , - , , . , , ! ? OpenEdge 10.2B Transparent Data Encryption. , , 152-.
, , ., , , . OpenEdge TDE OpenEdge - , . , , . TDE.TDE : TDE , , , , . TDE , , , . , TDE . , , , . .
: TDE , SAT-I, , SAT-II. , .
: TDE , .. . , . , , . , TDE. -, , 10.2B, .-, TDE , , , OpenEdge Replication, . -, TDE Enterprise .
, TDE . , , . , , , , . - , , .. .., , . , Database Master Key (DMK). , . Passphrase, : Admin User Passphrase. , , . , TDE, , , , , .. . , Encryption Policy Area., , TDE. . , , .KS. TDE. . Database Master Key, . , . . .. TDE PROBKUP ? , , , . , , . , , PROBKUP. .. , . , . , ? , . , - , , , - . , . , . , Passphrase. Passphrase, , , , , TDE. Passphrase (User), , - . , , ... , Passphrase .Passphrase , , . , . Passphrase . Passphrase. . , . .. , , , Passphrase . , . .. , . Passphrase , . , :Admin Passphrase , .User Passphrase , . Admin/User Passphrase . , c Admin, User Passphrase. User Passphrase, , , Admin Passphrase. , , , - . , . .. , .
, Database Master Key . , .Advanced Encryption Standard(AES) - ( 128 , 128/192/256 ) DES(Data Encryption Standard)- , , . AES.RC4- , . . , SAT-I, , LOB SAT-II. . BI AI . Encryption Policy Area. .
, .. Epolicy Manage, Data Admin, OE SQL.
, , online. , 0 ., , . 128 . , , . DES (Triple DES) . , , , , . 56 ; . , DES, , , , PBE Passphrase. ? , , - , , 128 . : . , ,
Encryption Policy Area, e. Encryption Policy Area Schema Area. SAT-II. , Encryption Policy Area , , . , , 8 . (RPB) , . , , , , PRB BPC.
, PROUTIL ENABLEENCRYPTION , AI BI . After-Imaging , . online, BI AI BI , .. .
Schema Area, .
TDE , . . . , , SAT-I, , SAT-II. , , . , , , , . , . Proutil Epolicy Manage , , , . SAT-I encrypt TestArea1, , , AES-128. , , scan. , 79 1784. , , , .. , , . , , , - . , , , , . .. . , , UPDATE EPOLICY MANGE. , . , online, . Data Admin Edit Encryption Policy. online . , SAT-II, PUB , , Admin Passphrase.
.
. , OpenEdge SQL . , .. , LOB , SAT-II CREATE INDEX ENCRYPT WITH. OpenEdge SQL . SAT-II. ALTER TABLE . SET, ENCRYPT REKEY, , LOB . online. REKEY, . SET DECRYPT , , .
(.df) . 10.2B ENCRYPTION YES CIPHER-NAME . , Progress 10.2B, . encpolicy=yes, , Transparent Data Encryption. TDE OE Replication. : , .. SOURCE TARGET. TARGET SOURCE , , TARGET SOURCE . Before-image TARGET SOURCE . Before-image , online, , offline, Before-image. After-image SOURCE online, offline. TARGET After-image , After-image TARGET . Before-image After-image SOURCE TARGET . , SOURCE Before-image , TARGET . Encryption Policy Area BI AI
, After-image , , TARGET . , TCP/IP , , After-image . SOURCE . , SOURCE TARGET SOURCE .
TDE DISABLEENCRYPTION. , :.. .! , , ., , , update. . .
Disable encryption, , , , .