Product: Oracle Database 19c Transparent Data Encryption (TDE)
From the Chapter 10 of Advanced Security Guide, we know for the supported block ciphers "table keys are used in cipher block chaining (CBC) operating mode, and the tablespace keys are used in cipher feedback (CFB) operating mode."
https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/frequently-asked-questions-about-transparent-data-encryption.html
Question 1:
Both modes of operation require an Initialization Vector to be specified, however TDE does not allow the DBA to specify an IV. What IV does TDE actually use? Is it pseudorandom or a fixed value such as all zeros?
Question 2:
If the IV is fixed, it would leak information, e.g. for CBC mode it makes it deterministic, so the same plaintext always maps to the same ciphertext. So, is it possible to enhance TDE to allow an IV to be specified in the same way that DBMS_CRYPTO currently does?
Thanks
I got this from our security PM Russ Lowenthal.
It is a random value created using multiple different sources of entropy. Oracle does not write our own encryption algorithms for this, we license the RSA encryption suite. Our implementation is certified under both Common Criteria (ISO 15408) and FIPS 140-2.
I highly recommend his regular Office Hours sessions
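The leak the question describes, and why the random IV in the answer matters, as an added example that is not part of this thread and not Oracle's code: CBC (table keys) and CFB (tablespace keys) are run over two constructed "rows" that share their first two blocks, once with an all-zero IV and once with a fresh random IV per row. The block cipher is a constructed HMAC-SHA256 stand-in, not AES, so the example runs with only the standard library; the mode arithmetic is the real CBC/CFB.

```python
import hashlib, hmac, os

BLOCK = 16  # block size in bytes, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_fn(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for the block cipher's forward direction (NOT AES):
    # HMAC-SHA256 truncated to one block. Only encryption is needed to show the leak.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV. pt must be block-aligned.
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = block_fn(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Full-block CFB: C_i = P_i XOR E_K(C_{i-1}), with C_0 = IV.
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = _xor(pt[i:i + BLOCK], block_fn(key, prev))
        out.append(prev)
    return b"".join(out)

def equal_leading_blocks(c1: bytes, c2: bytes) -> int:
    # How many leading ciphertext blocks an observer sees match between two ciphertexts.
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

def leak_demo(mode: str, fixed_iv: bool) -> int:
    # Two constructed 48-byte rows under one key: identical first two blocks, different third.
    # A fixed IV lets the shared prefix show through in both modes; a random IV hides it.
    key = b"constructed-key!"  # 16 bytes, constructed for the demo
    row_a = b"ACCOUNT=0000001;" + b"BALANCE=00000100" + b"STATUS=ACTIVE   "
    row_b = b"ACCOUNT=0000001;" + b"BALANCE=00000100" + b"STATUS=CLOSED   "
    encrypt = cbc_encrypt if mode == "cbc" else cfb_encrypt
    iv_a = bytes(BLOCK) if fixed_iv else os.urandom(BLOCK)  # all-zero vs fresh random IV
    iv_b = bytes(BLOCK) if fixed_iv else os.urandom(BLOCK)
    return equal_leading_blocks(encrypt(key, iv_a, row_a), encrypt(key, iv_b, row_b))
```

With the fixed IV both modes expose that the two rows agree in their first two blocks (and identical rows would encrypt to identical ciphertext); with a per-encryption random IV the ciphertexts share no blocks.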