Security Basics mailing list archives

RE: Database Encryption and PCI issue.


From: Craig Wright <Craig.Wright () bdo com au>
Date: Wed, 13 Feb 2008 08:57:00 +1100


The DBMS_OBFUSCATION_TOOLKIT package is used for encrypting data in the database, and it supports the DES and 3DES 
encryption algorithms.

DBMS_CRYPTO is likely to replace the DBMS_OBFUSCATION_TOOLKIT package in future versions of Oracle due to the increased 
functionality it provides - but being on 9i this is not a big issue for you.

The DBMS_OBFUSCATION_TOOLKIT package also supports MD5 and other hashes (yes, collisions). So this can be used to hold a 
hash of the PIN that is compared rather than the PIN itself. You could also create the equivalent of an HMAC-MD5 hash 
having a keyed value for additional protection.

The DBMS_OBFUSCATION_TOOLKIT package includes tools for generating random material that can be used for encryption 
keys, but it does not provide a mechanism for maintaining them (see Oracle® Database Advanced Security Administrator's 
Guide).

DBMS_CRYPTO includes support for Public Key Cryptographic Standard (PKCS) #5 and more. It was introduced in 10g. Maybe 
it is time to upgrade?

Regards,
Craig Wright


Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/


-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mohamed Farid
Sent: Tuesday, 12 February 2008 6:57 PM
To: security-basics () securityfocus com
Cc: Mohamed Farid
Subject: Database Encryption and PCI issue.

Dear All :
We are on our way to being PCI DSS compliant - and we are facing a
challenge to have encryption with our Database Systems.

The problem is that the application we are using uses the PIN as a
primary key in the DB tables - and this will make it very hard to
encrypt the PIN columns ...

Anyway - we are using Oracle 9i and the server is connected to HP SAN.
Can anyone advise us: what are the systems we can go after to solve
this?
Are there any techniques or 3rd-party applications that can help us to overcome
this?

M Farid





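Added worked example (not from either poster, and not Oracle's code): the reply above suggests storing a hash of the PIN instead of the PIN and, for more protection, "the equivalent of an HMAC-MD5" built from the toolkit's keyed-less MD5. The block below shows what that construction is and why the key matters. It is written in Python so it can be run anywhere; the comments name the 9i building blocks the same steps would map to (DBMS_OBFUSCATION_TOOLKIT.MD5 for the digest, UTL_RAW.BIT_XOR for the pad XORs), but that mapping is my assumption, not tested PL/SQL. The PINs, the key and the "attacker guesses an empty key" step are constructed for the demonstration. The point it makes: an unkeyed MD5 of a 4-digit PIN falls to a 10,000-guess enumeration no matter how good the hash is, while the keyed token is just as deterministic (so it can still act as the lookup or primary-key column the original poster is stuck with) yet cannot be enumerated without the key, which has to be kept outside the database because, as the reply notes, the toolkit generates keys but does not manage them.

```python
"""HMAC-MD5 from bare MD5 + XOR, and why a keyed PIN token beats a plain hash."""
import hashlib
import hmac
import itertools
from typing import Callable, Optional

MD5_BLOCK_SIZE = 64  # MD5 compresses 64-byte blocks; HMAC sizes the key to this.


def md5_raw(data: bytes) -> bytes:
    """Unkeyed MD5 digest, the primitive DBMS_OBFUSCATION_TOOLKIT.MD5 exposes on 9i."""
    return hashlib.md5(data).digest()


def hmac_md5_from_primitives(key: bytes, message: bytes) -> bytes:
    """RFC 2104 HMAC built only from MD5 and byte-wise XOR.

    This is the construction to mirror in PL/SQL on 9i (assumed mapping:
    MD5 from DBMS_OBFUSCATION_TOOLKIT, XOR from UTL_RAW.BIT_XOR), since the
    toolkit has no HMAC routine of its own.
    """
    if len(key) > MD5_BLOCK_SIZE:              # keys longer than a block are hashed first
        key = md5_raw(key)
    key = key.ljust(MD5_BLOCK_SIZE, b"\x00")   # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return md5_raw(opad + md5_raw(ipad + message))


def self_check() -> bool:
    """Cross-check the hand-built HMAC against the standard library."""
    key, msg = b"check-key", b"check-message"
    return hmac_md5_from_primitives(key, msg) == hmac.new(key, msg, hashlib.md5).digest()


def pin_token_plain(pin: str) -> str:
    """'Store a hash of the PIN': unkeyed, so anyone can recompute it."""
    return md5_raw(pin.encode("ascii")).hex()


def pin_token_keyed(pin: str, key: bytes) -> str:
    """Keyed token. Still deterministic, so it can remain the lookup/primary-key
    column, but without the key an attacker cannot enumerate candidate PINs."""
    return hmac_md5_from_primitives(key, pin.encode("ascii")).hex()


def recover_pin(token: str, tokenize: Callable[[str], str], digits: int = 4) -> Optional[str]:
    """Offline guess of a PIN from its stored token: only 10**digits candidates exist."""
    for cand in itertools.product("0123456789", repeat=digits):
        pin = "".join(cand)
        if tokenize(pin) == token:
            return pin
    return None


if __name__ == "__main__":
    # Constructed sample data. The key would live outside the database
    # (the toolkit generates key material but does not manage it).
    pins = ["4711", "0000", "9823"]
    key = b"example-hmac-key-kept-outside-the-dbms"

    assert self_check()

    # Plain MD5 tokens fall to a 10,000-guess enumeration.
    for p in pins:
        tok = pin_token_plain(p)
        print("plain ", tok, "->", recover_pin(tok, pin_token_plain))

    # Keyed tokens: an attacker who does not hold the key (here: guesses an
    # empty key) enumerates all 10,000 PINs and recovers nothing.
    for p in pins:
        tok = pin_token_keyed(p, key)
        print("keyed ", tok, "->", recover_pin(tok, lambda x: pin_token_keyed(x, b"")))
```

Note that a keyed token only shifts the problem onto the key: whoever can read the key (or call the database routine that applies it) can run the same 10,000-guess enumeration, so the key has to be held and used somewhere the database account that owns the table cannot reach.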