Encryption of non-relational files is a well-known art in the field of cryptography. These cryptosystems allow a user to digitally encrypt information stored in a non-relational format such as flat files residing on an operating system. This is accomplished by encrypting and decrypting the entire non-relational file with a single encryption key and storing that single encryption key offline in a secure format.
Traditional encryption is designed to efficiently encrypt large streams of contiguous data. The same concepts do not apply as well to relational data. Encryption of relational data requires fast encryption and decryption of data based on random access to various records of the file. Emphasis for relational data must be placed on decreasing the number of decryptions occurring on small pieces of data. To understand this, realize that databases are designed to provide very quick searching of records. This means that encryption of data in databases must be performed in a way that facilitates fast searching on the records. This feature of fast searching is one of the strength of databases, and applying traditional methods of encrypting non-relational files result in poor performance. Another complication with encrypting data is storing the encryption keys securely. With encryption of non-relational files, entire files are encrypted and the need for managing large numbers of keys for the same files is minimal. Within non-relational data, the emphasis on ownership of a file is on a single individual. This allows traditional encryption systems to ignore the problem of allowing multiple users access to the same encrypted file. With databases, ownership of data within a column is not clearly defined. Databases are designed to allow multiple users to access the same data. Thus there is need of a way of securing the encryption keys for a column where multiple users can encrypt and decrypt the data.
This invention relates in general to encryption of data in relational database management systems. In particular, this invention relates to a system and method for securely encrypting data in a column and managing the keys used to encrypt the data, and relates to cryptographic infrastructure that provides database column and row-level encryption within the tables of a database. The invention provides transparent encryption functionality that allows the user, usually a database administrator or developer, to encrypt data within a database without implementing details. As a low level interface, the invention allows a PL/SQL programmer to use encryption as he or she sees fit. This allows Oracle developers to write proprietary encryption systems for use in Oracle. This low level interface is similar in concept to the DBMS_OBFUSCATION_TOOLKIT. The present invention, however, provides the following improvements:
The invention provides over 25 algorithms including public key and symmetrical key algorithms, hashing functions, and stream and block cipher. The prior art, in particular Oracle's DBMS_OBFUSCATION_TOOLKIT, only supports Data Encryption Standard (DES) and MD5.
The invention provides variable length keys to make encryption as strong or as fast as desirable. The prior art is restricted to 56, 112, and 168 bit keys for DES only.
The invention provides a graphical console that allows the user to create working code by pointing and clicking, and provides fine-grained encryption functionality allowing the user to choose the block modes, initialization vectors, and key lengths of the algorithms to use. The prior art only supports CBC mode.
The invention provides for the encryption of NUMBER, VARCHAR, CHAR, RAW, LONG, and LOB data types. The prior art only encrypts RAW and VARCHAR data types.
The invention supports strong generation of random numbers for use as keys. The prior art, in particular Oracle8i DBMS_OBFUSCATION_TOOLKIT, provides no method of generating random numbers.