What is Native Network Encryption (NNE)?
Understand Oracle Database Native Network Encryption & Data Integrity
- Encrypting network data provides data privacy and protection from attackers, so that unauthorized parties cannot view plaintext data as it passes over the network.
- Oracle Database also provides protection against two forms of active attack, e.g. data modification and replay attacks.
Why is Native Network Encryption (NNE) required nowadays?
Key points to keep in mind:
- NNE is no longer part of the Advanced Security Option (ASO)
- NNE is used to encrypt data in transit (data flowing over the network)
- The purpose of NNE is actual data encryption/protection, with maintaining data integrity as the top priority
All configuration is done in sqlnet.ora using the Data Encryption and Integrity Parameters
Oracle Database Native Network Encryption
- SQLNET.ENCRYPTION_SERVER=REQUIRED
- SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
- SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
- SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256)
Note: sqlnet.ora plays a central role for both NNE and data encryption at rest.
How to check whether NNE is enabled
Configure the parameters in sqlnet.ora
- SQLNET.ENCRYPTION_SERVER=REQUIRED
- SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
- SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
- SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256)
Details of the encryption parameters
Data Encryption and Integrity Parameters
Oracle provides data encryption and integrity parameters that you can set in the sqlnet.ora file.
About the Data Encryption and Integrity Parameters
The data encryption and integrity parameters control the type of encryption algorithm you are using.
SQLNET.ENCRYPTION_SERVER
The SQLNET.ENCRYPTION_SERVER parameter specifies the encryption behavior when a client or a server acting as a client connects to this server.
SQLNET.ENCRYPTION_CLIENT
The SQLNET.ENCRYPTION_CLIENT parameter specifies the encryption behavior when this client or server acting as a client connects to a server.
SQLNET.CRYPTO_CHECKSUM_SERVER
The SQLNET.CRYPTO_CHECKSUM_SERVER parameter specifies the data integrity behavior when a client or another server acting as a client connects to this server.
SQLNET.CRYPTO_CHECKSUM_CLIENT
The SQLNET.CRYPTO_CHECKSUM_CLIENT parameter specifies the desired data integrity behavior when this client or server acting as a client connects to a server.
SQLNET.ENCRYPTION_TYPES_SERVER
The SQLNET.ENCRYPTION_TYPES_SERVER parameter specifies encryption algorithms this server uses in the order of the intended use.
SQLNET.ENCRYPTION_TYPES_CLIENT
The SQLNET.ENCRYPTION_TYPES_CLIENT parameter specifies encryption algorithms this client or the server acting as a client uses.
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
The SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter specifies the data integrity algorithms that this server (or this server acting as a client to another server) uses, in order of intended use.
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
The SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter specifies a list of data integrity algorithms that this client or server acting as a client uses.
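The parameters above only describe which side sets what; the outcome of a connection depends on how the client's value and the server's value combine. The following added example (not code from the original page or from Oracle) models Oracle's documented four-way negotiation (REJECTED / ACCEPTED / REQUESTED / REQUIRED) for both the encryption and the crypto-checksum service, parses the flat SQLNET.* lines of a sqlnet.ora, and predicts whether a session will be encrypted and integrity-protected and with which algorithm. The sample sqlnet.ora contents are constructed from the settings recommended on this page; the algorithm-selection rule (first entry of the server list that the client also offers, and "no common algorithm" treated as a failed connection) is an assumption of this example.

```python
"""Predict how Oracle Native Network Encryption (NNE) will negotiate from
sqlnet.ora settings.

Added example, not code from the original page or from Oracle. Only flat
"SQLNET.NAME = value" lines are parsed; nested entries such as
ENCRYPTION_WALLET_LOCATION are ignored.
"""
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT_LEVEL = "ACCEPTED"  # Oracle's default when the parameter is not set

# Matches e.g. "SQLNET.ENCRYPTION_SERVER=REQUIRED" or
# "sqlnet.crypto_checksum_types_client = (SHA256, SHA1)"
PARAM_RE = re.compile(r"^\s*(sqlnet\.[a-z_]+)\s*=\s*\(?\s*([^()#]*?)\s*\)?\s*$", re.I)


def parse_sqlnet(text):
    """Return {PARAM_NAME_UPPER: [values]} for the flat SQLNET.* lines."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comments, including "##"-disabled lines
        m = PARAM_RE.match(line)
        if m:
            values = [v.strip().upper() for v in m.group(2).split(",") if v.strip()]
            params[m.group(1).upper()] = values
    return params


def negotiate(client_level, server_level):
    """Outcome ('ON', 'OFF' or 'FAIL') for one service, per Oracle's documented
    matrix: REJECTED on either side turns the service off, except against
    REQUIRED, where the connection fails; REQUESTED or REQUIRED on either side
    turns it on; ACCEPTED on both sides (the default) leaves it off.
    """
    c, s = client_level.upper(), server_level.upper()
    for level in (c, s):
        if level not in LEVELS:
            raise ValueError(f"unknown negotiation level {level!r}")
    if "REJECTED" in (c, s):
        return "FAIL" if "REQUIRED" in (c, s) else "OFF"
    if "REQUIRED" in (c, s) or "REQUESTED" in (c, s):
        return "ON"
    return "OFF"


def choose_algorithm(server_types, client_types):
    """First entry of the server list that the client also offers (assumption:
    server order is the preference order). An empty list means every installed
    algorithm is acceptable, which is Oracle's behaviour when *_TYPES_* is unset.
    """
    if not server_types and not client_types:
        return "ANY_INSTALLED"
    if not server_types:
        return client_types[0]
    if not client_types:
        return server_types[0]
    for alg in server_types:
        if alg in client_types:
            return alg
    return None  # no common algorithm


def predict(server_conf, client_conf):
    """{'encryption': (state, alg), 'integrity': (state, alg)} for a session."""
    sp, cp = parse_sqlnet(server_conf), parse_sqlnet(client_conf)
    result = {}
    for service, base in (("encryption", "ENCRYPTION"), ("integrity", "CRYPTO_CHECKSUM")):
        s_level = sp.get(f"SQLNET.{base}_SERVER", [DEFAULT_LEVEL])[0]
        c_level = cp.get(f"SQLNET.{base}_CLIENT", [DEFAULT_LEVEL])[0]
        state = negotiate(c_level, s_level)
        alg = None
        if state == "ON":
            alg = choose_algorithm(sp.get(f"SQLNET.{base}_TYPES_SERVER", []),
                                   cp.get(f"SQLNET.{base}_TYPES_CLIENT", []))
            if alg is None:
                state = "FAIL"  # assumption: no common algorithm aborts the connect
        result[service] = (state, alg)
    return result


# Constructed server-side sqlnet.ora using the settings recommended on the page.
SERVER_SQLNET = """
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256)
"""
# Constructed client with no NNE settings (both services default to ACCEPTED).
CLIENT_DEFAULT = "NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)\n"
# Constructed client that refuses encryption: against REQUIRED the connect fails.
CLIENT_REJECTING = "SQLNET.ENCRYPTION_CLIENT=REJECTED\n"

if __name__ == "__main__":
    print(predict(SERVER_SQLNET, CLIENT_DEFAULT))
    print(predict(SERVER_SQLNET, CLIENT_REJECTING))
```

The point a defender should take from the matrix is that ACCEPTED on both sides, which is the default when nothing is configured, leaves the link in plaintext; only REQUESTED or REQUIRED on at least one side turns the service on, and only REQUIRED guarantees that a client refusing encryption cannot connect at all.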
Verify / Inspect Network Traffic After Enabling NNE
Before setting the parameters
[oracle@localhost ~]$ cat /opt/oracle/homes/OraDBHome21cXE/network/admin/sqlnet.ora
# sqlnet.ora Network Configuration File: /opt/oracle/homes/OraDBHome21cXE/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
#######encryption setting############
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /opt/oracle/wallet/tde)
    )
  )
SQL> select network_service_banner
from v$session_connect_info
where sid in (select distinct sid from v$mystat);
NETWORK_SERVICE_BANNER
--------------------------------------------------------------------------------
Oracle Bequeath NT Protocol Adapter for Linux: Version 21.0.0.0.0 - Production
Authentication service for Linux: Version 21.0.1.0.0 - Production
Encryption service for Linux: Version 21.0.1.0.0 - Production
Crypto-checksumming service for Linux: Version 21.0.1.0.0 - Production
SQL>
After setting the parameters in sqlnet.ora
[oracle@localhost ~]$ cat /opt/oracle/homes/OraDBHome21cXE/network/admin/sqlnet.ora
# sqlnet.ora Network Configuration File: /opt/oracle/homes/OraDBHome21cXE/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
#######encryption setting############
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /opt/oracle/wallet/tde)
    )
  )
##SQLNET.ENCRYPTION_SERVER=REQUIRED
##SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
##SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
##SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256)
## Oracle Database Native Network Encryption
sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
### Oracle Database Network Data Integrity
## ASO Checksum
sqlnet.crypto_checksum_server=requested
sqlnet.crypto_checksum_client=requested
sqlnet.crypto_checksum_types_server = (SHA256)
sqlnet.crypto_checksum_types_client = (SHA256)
[oracle@localhost ~]$
SQL> select network_service_banner
from v$session_connect_info
where sid in (select distinct sid from v$mystat);
NETWORK_SERVICE_BANNER
--------------------------------------------------------------------------------
Oracle Bequeath NT Protocol Adapter for Linux: Version 21.0.0.0.0 - Production
Authentication service for Linux: Version 21.0.1.0.0 - Production
Encryption service for Linux: Version 21.0.1.0.0 - Production
AES256 Encryption service adapter for Linux: Version 21.0.1.0.0 - Production
Crypto-checksumming service for Linux: Version 21.0.1.0.0 - Production
SHA256 Crypto-checksumming service adapter for Linux: Version 21.0.1.0.0 - Production
6 rows selected.
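The two banners above differ only in the "AES256 Encryption service adapter" and "SHA256 Crypto-checksumming service adapter" rows, so those rows are the evidence that a session actually negotiated encryption and integrity checking. The following added example (not code from the original page or from Oracle) turns that check into an audit: it parses the NETWORK_SERVICE_BANNER rows of each session, as returned by V$SESSION_CONNECT_INFO, and flags sessions with no negotiated adapter or with an algorithm outside an allowed set. The session ids and the allowed-algorithm sets are constructed for this example; the banner rows are copied from the two outputs above.

```python
"""Audit NETWORK_SERVICE_BANNER rows for negotiated NNE adapters.

Added example, not from the original page: flags sessions whose banner lacks
an "<ALG> Encryption service adapter" or "<ALG> Crypto-checksumming service
adapter" row, or negotiated an algorithm outside an allowed set.
"""
import re

# Only the adapter rows carry an algorithm name; the generic
# "Encryption service for Linux" row is present even when nothing is negotiated.
ADAPTER_RE = re.compile(
    r"^(?P<alg>\S+)\s+(?P<svc>Encryption|Crypto-checksumming) service adapter\b", re.I
)

# Policy choice for this example, not an Oracle default.
ALLOWED_ENCRYPTION = {"AES128", "AES192", "AES256"}
ALLOWED_INTEGRITY = {"SHA256", "SHA384", "SHA512"}


def negotiated_algorithms(banner_rows):
    """{'encryption': alg_or_None, 'integrity': alg_or_None} for one session."""
    found = {"encryption": None, "integrity": None}
    for row in banner_rows:
        m = ADAPTER_RE.match(row.strip())
        if not m:
            continue
        key = "encryption" if m.group("svc").lower() == "encryption" else "integrity"
        found[key] = m.group("alg").upper()
    return found


def audit_sessions(sessions):
    """sessions: {sid: [banner rows]} -> sorted list of (sid, finding)."""
    findings = []
    for sid, rows in sessions.items():
        algs = negotiated_algorithms(rows)
        if algs["encryption"] is None:
            findings.append((sid, "no encryption adapter negotiated"))
        elif algs["encryption"] not in ALLOWED_ENCRYPTION:
            findings.append((sid, f"weak encryption algorithm {algs['encryption']}"))
        if algs["integrity"] is None:
            findings.append((sid, "no crypto-checksum adapter negotiated"))
        elif algs["integrity"] not in ALLOWED_INTEGRITY:
            findings.append((sid, f"weak checksum algorithm {algs['integrity']}"))
    return sorted(findings)


# Banner rows copied from the "before" output on the page.
BEFORE_ROWS = [
    "Oracle Bequeath NT Protocol Adapter for Linux: Version 21.0.0.0.0 - Production",
    "Authentication service for Linux: Version 21.0.1.0.0 - Production",
    "Encryption service for Linux: Version 21.0.1.0.0 - Production",
    "Crypto-checksumming service for Linux: Version 21.0.1.0.0 - Production",
]
# Banner rows copied from the "after" output on the page.
AFTER_ROWS = BEFORE_ROWS[:3] + [
    "AES256 Encryption service adapter for Linux: Version 21.0.1.0.0 - Production",
    "Crypto-checksumming service for Linux: Version 21.0.1.0.0 - Production",
    "SHA256 Crypto-checksumming service adapter for Linux: Version 21.0.1.0.0 - Production",
]
# Constructed session ids keyed to those two banners.
SAMPLE_SESSIONS = {12: BEFORE_ROWS, 34: AFTER_ROWS}

if __name__ == "__main__":
    for sid, finding in audit_sessions(SAMPLE_SESSIONS):
        print(f"SID {sid}: {finding}")
```

The page's query restricts itself to the current session through v$mystat; feeding this audit with rows keyed by SID for every session is what turns it into a fleet check. One caveat visible in the banners themselves: both captures were taken over the Bequeath adapter, i.e. a local connection on the database host, so a verification that the listener-facing path is protected should be repeated from a client that connects over TCP.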