Skip to Main Content
  • Questions
  • Oracle TDE - AES encryption mode of operation

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Owen.

Asked: July 08, 2021 - 10:01 am UTC

Last updated: July 28, 2021 - 2:04 am UTC

Version: 19c

Viewed 100+ times

You Asked

Product: Oracle Database 19c Transparent Data Encryption (TDE)

From the Chapter 10 of Advanced Security Guide, we know for the supported block ciphers "table keys are used in cipher block chaining (CBC) operating mode, and the tablespace keys are used in cipher feedback (CFB) operating mode."

https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/frequently-asked-questions-about-transparent-data-encryption.html

Question 1:

Both modes of operation require an Initialization Vector to be specified however TDE does not allow the DBA to specify an IV. What IV does TDE actually use? Is it psuedorandom or a fixed value such as all zeros?

Question 2:

If the IV is fixed, it would leak information, e.g. for CBC mode it makes it deterministic, so the same plaintext always maps to the same ciphertext. So, it is possible to enhance TDE to allow an IV to be specified in the same way that DBMS_CRYPTO currently does?

Thanks

and we said...

I got this from our security PM Russ Lowenthal.

It is a random value created using multiple different sources of entropy. Oracle does not write our own encryption algorithms for this, we license the RSA encryption suite. Our implementation is certified under both Common Criteria (ISO 15408) and FIPS 140-2.

I highly recommend his regular Office Hours sessions


More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database