File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Oracle/OAS and the fly likes How to protect sensitive data from database? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Products » Oracle/OAS
Bookmark "How to protect sensitive data from database?" Watch "How to protect sensitive data from database?" New topic
Author

How to protect sensitive data from database?

neelesh kumar
Greenhorn

Joined: Oct 03, 2013
Posts: 29
I am building a small application which stores all the confidential data like bank account no., credit card no., etc of the user...I planned on using the transparent data encryption (TDE) provided by oracle...however the problem is that if I use it, the data can still be accessed by the database administrator which is not desired. What should be done? I read somewhere that application level encryption will solve this problem...I am not sure what that is.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41182
    
  45
It means the application code would encrypt the data before it gets stored in the DB, and then decrypt it when it gets it out of the DB. The key would be in the app code (or maybe not even that, maybe part of it would need to be entered by the user, so that even if the code got compromised, the data could still not get decrypted).

I have to say, though - if you see the DB admins as a source of problems, you probably got bigger issues to worry about.


Ping & DNS - my free Android networking tools app
Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3606
    
  60

Furthermore, Oracle does have mechanisms to protect sensitive data even from admins. There are different levels of admin privileges to start with (even a backup operator doesn't need to know the encryption key, for example), and also the password can be split among two (don't know if not even more) persons, so that they would have to work in tandem to get to the data (see http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf).

I'd suggest to read Oracle's documentation on the subject. Though you'll have to spend good amount of time to read all of them, I strongly believe that you'd need to invest much more time to get solution which would be safer than the one Oracle already has.
neelesh kumar
Greenhorn

Joined: Oct 03, 2013
Posts: 29
Using an application level encryption makes sense. Can someone tell me how to implement it? What if I build a Java applet that carries out the process of encryption and decryption on its own? In this way the admin can never know the data in the database since the data will be stored in an encrypted form which he cannot decrpyt., and the user too wont have to worry about decryption since it will automatically be done at client's side by the applet.....

Is this possible? How can it be done?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41182
    
  45
Ugh... applets are too outdated and insecure to deploy these days. What's more, putting encryption keys into the applet makes them vulnerable to decompilation.
neelesh kumar
Greenhorn

Joined: Oct 03, 2013
Posts: 29
Is there any tutorial to implement application level encryption? Will be a great help!
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41182
    
  45
Not sure what you're looking for - you encrypt data before storing it in the DB, and decrypt it after retrieving it. There isn't much to it but a knowledge of encryption in general.

If you've never used JCE -the standard Java API for encryption- start here: https://www.coderanch.com/how-to/java/SecurityFaq#encryption
 
jQuery in Action, 2nd edition
 
subject: How to protect sensitive data from database?
 
Similar Threads
javax.crypto.BadPaddingException: Given final block not properly padded
Storing a password to encrypt/decrypt sensitive data.
Password Encryption using java
Encryption at Application Layer
Multithreading