Using OAS data integrity for securing data in motion

Data integrity (crypto-checksumming) guarantees that packets cannot be altered between transmission and reception without the alteration being detected. It protects against replay and man-in-the-middle (MITM) attacks, in which the attacker injects crafted packets to read or modify information in the database. Oracle provides SHA1 and MD5 as the checksum algorithms. As with network encryption, an Oracle Advanced Security (OAS) license must be purchased to use data integrity. In the following recipe we will configure SHA1 for data integrity and demonstrate its effectiveness against the Oracle connection hijacking scenario.

Getting ready

The steps from this recipe will be performed on nodeorcl1 and nodeorcl5.

How to do it...

  1. Open the $ORACLE_HOME/network/admin/sqlnet.ora configuration file on nodeorcl1. As with network encryption, the server's desired checksum behavior is specified with the SQLNET.CRYPTO_CHECKSUM_SERVER parameter. Set its value to required as follows:
    SQLNET.CRYPTO_CHECKSUM_SERVER = required
    
  2. Next, set the integrity hash function on the server side with the SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter as follows:
    SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
    
  3. On the client side (nodeorcl5), open $ORACLE_HOME/network/admin/sqlnet.ora and set the desired checksum behavior with the SQLNET.CRYPTO_CHECKSUM_CLIENT parameter to required as follows:
    SQLNET.CRYPTO_CHECKSUM_CLIENT=required
    
  4. Next, set the integrity hash function on the client side with the SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter as follows:
    SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)
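The two configuration files as they should look after the four steps, as an added reference example (not taken from the recipe itself); nodeorcl1 is the server and nodeorcl5 the client, as in the recipe, and the comments explain the choice of each value:

```ini
# --- nodeorcl1 (server): $ORACLE_HOME/network/admin/sqlnet.ora ---
# required: refuse any connection whose client does not negotiate a checksum.
# accepted or requested would fall back to no integrity when the peer is set
# to rejected, which is exactly the downgrade a hijacking proxy wants.
SQLNET.CRYPTO_CHECKSUM_SERVER = required
# Algorithms the server will negotiate, in order of preference. Listing SHA1
# alone means an MD5-only peer is refused rather than downgraded.
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

# --- nodeorcl5 (client): $ORACLE_HOME/network/admin/sqlnet.ora ---
SQLNET.CRYPTO_CHECKSUM_CLIENT = required
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)
```

Once both files are in place, connect from nodeorcl5 and check what was actually negotiated with SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV', 'SID'); the banner rows should include a line for the crypto-checksumming service and one for the SHA1 adapter. If no checksumming line appears, one side was left at accepted or rejected and the session was downgraded.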
    

How it works...

MD5 and SHA1, the algorithms used for data integrity, are cryptographic hash functions. A hash function accepts a variable-length block of data and produces a fixed-length string. SHA1 is stronger than MD5 (practical collision attacks against MD5 are well known), so it should be the preferred method for data integrity.

These functions are used mainly for generating checksums for data integrity, but they also have other applications such as digital signatures and message authentication codes (MACs). Any change to the input data will, with overwhelming probability, produce a different hash, which reveals that the data was altered. The input string is called the message and the resulting hash is called the message digest. A bare hash on its own would not stop an attacker, who could simply recompute it over a modified packet; Oracle's implementation is keyed and sequenced, meaning the checksum is computed with a secret session key negotiated when the connection is established and covers a sequence number, which is what defeats both modification and replay.

The sequence for establishing a connection with data integrity is the same as for network encryption, as shown in the diagram in the previous recipe. The valid combinations of client and server behaviors (accepted, rejected, requested, and required) are also the same as for network encryption; see the table in the How it works... section of the previous recipe.

There's more...

If we replay the Oracle hijacking scenario with data integrity on and encryption off, the connection hijack is blocked. The packets forwarded by the attacking node are crafted (rewritten) packets that do not carry the checksum the server expects, so the server rejects them:

[root@mitmattack pythonproxy_0.1]# python pytnsproxy.py 
10.241.132.22 connected:
SYSTEM:142DD569C7CCC5519F306B235BBD9C478216AC9B554018194996DD4BF9DFE4DC46259F7A09EEEA87FB6529F9731960F7:6FA6E54962BACDB76E4E:F03F95913537D7DD2AD22928D8AB237BE5156B6DCD9AC102DD7723780E71048D41A1D4B3403DCA1269412E97AA561DA1:5D74BE45545726709DD51BAFF0479D0765A940F1058C5BA8EA75BC14B7846A22:10.241.132.218:1521:10.241.132.22::
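The following is an added illustration of the principle behind the keyed, sequenced checksum described in the How it works... section and of why the hijacking proxy above fails; it is example code written for this page, not Oracle's wire format, key derivation, or the pytnsproxy tool. It uses HMAC-SHA1 from the Python standard library as the keyed checksum; the packet layout, the IntegrityChannel class, the simulate_hijack function, and the sample SQL payloads are all constructed for the example.

```python
"""Why a keyed, sequenced checksum stops a hijacking proxy.

Illustration only (not Oracle's actual wire format or key derivation):
each packet carries a tag computed over (sequence number, payload) with a
secret session key that a proxy in the middle never learns.  A tampered
or replayed packet therefore fails verification at the server.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional

TAG_LEN = 20  # SHA1 digest length in bytes


def digest(message: bytes) -> str:
    """Plain (unkeyed) SHA1 message digest, hex encoded."""
    return hashlib.sha1(message).hexdigest()


def keyed_checksum(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """Tag over the 4-byte big-endian sequence number followed by the payload."""
    return hmac.new(session_key, struct.pack(">I", seq) + payload, hashlib.sha1).digest()


class IntegrityChannel:
    """One direction of a connection: the sender numbers and tags packets,
    the receiver verifies the tag and insists that sequence numbers increase."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0
        self.last_accepted = -1

    def send(self, payload: bytes) -> bytes:
        seq = self.send_seq
        self.send_seq += 1
        return struct.pack(">I", seq) + payload + keyed_checksum(self.key, seq, payload)

    def receive(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the packet is genuine and fresh, else None."""
        if len(packet) < 4 + TAG_LEN:
            return None
        seq = struct.unpack(">I", packet[:4])[0]
        payload, tag = packet[4:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, keyed_checksum(self.key, seq, payload)):
            return None  # modified in transit, or forged by a party without the key
        if seq <= self.last_accepted:
            return None  # replay of a packet the server has already seen
        self.last_accepted = seq
        return payload


def simulate_hijack() -> List[Optional[bytes]]:
    """Client sends two packets; a proxy tampers with one and replays another.
    Returns what the server accepted, in order (None = rejected)."""
    session_key = os.urandom(32)  # known only to client and server (constructed)
    client = IntegrityChannel(session_key)
    server = IntegrityChannel(session_key)

    p1 = client.send(b"SELECT * FROM hr.employees")
    p2 = client.send(b"UPDATE hr.employees SET salary = 1 WHERE employee_id = 100")

    # Proxy rewrites the payload of p2 but cannot recompute the tag without the key.
    tampered = (p2[:4]
                + b"UPDATE hr.employees SET salary = 999999 WHERE employee_id = 100"
                + p2[-TAG_LEN:])

    return [
        server.receive(p1),        # genuine: accepted
        server.receive(tampered),  # bad checksum: rejected
        server.receive(p2),        # genuine and fresh: accepted
        server.receive(p1),        # replay: rejected by the sequence check
    ]
```

The two rejections map onto the two attacks named in the introduction: the tampered packet fails the checksum because the proxy has no session key, and the replayed packet fails the sequence check even though its checksum is valid.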