Support for SHA-2 in Oracle Database
Source:
Support for SHA-2 in Oracle Database (Doc ID 1315291.1)
Applies to:
Oracle Security Service - Version 11.1.0.6 and later
Oracle Database - Enterprise Edition - Version 11.2.0.3 to 12.1.0.1 [Release 11.2 to 12.1]
Information in this document applies to any platform.
Goal:
Does Oracle Database support SHA-2 (SHA-256RSA, SHA-512RSA)?
Solution:
SHA-2 is the successor to SHA-1 and provides a longer and more secure hash algorithm than SHA-1.
NIST (note: the NIST page is http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html; NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce that conducts basic and applied research in physics, biology and engineering as well as measurement and test methods, and publishes standards, standard reference data and related services, for which it is highly regarded internationally)
has already approved a newer successor to SHA-2, called SHA-3, which is not derived from SHA-2 in any way. The main purpose is to have a "backup" algorithm available, even though no weaknesses in SHA-2 have been found so far.
Oracle uses hash algorithms in a number of features. In this document we describe the use of SHA-2 in the following components.
SHA-2 as the hash algorithm for signing the security certificates used by SSL
In the 11.1.0.7 and 11.2.0.2 Oracle releases, SHA-2 is not supported for SSL. SHA-2 support is introduced by the following unpublished Enhancement Request:
BUG 8839166 - SUPPORT FOR SHA2 AT SSL LEVEL
Starting with release 11.2.0.3, this has been implemented. This feature is not backportable on any lower release.
SHA-2 for database authentication
The database supports the use of a multi-round SHA-512 password verifier as of version 12.1.0.2.
For backward compatibility reasons, older verifiers are also generated, but the exclusive use of the SHA-512 verifier can be forced by setting the following sqlnet.ora parameter:
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a
Note: this has implications for interoperability with earlier DB clients,
so you should do this only if earlier DB clients and DB links to/from earlier DB servers are not required.
The DBA_USERS.PASSWORD_VERSIONS column shows the verifier types that exist for a given account.
Check the relevant documentation about SHA-2 Support for 12C Password Verifier for more information.
(http://docs.oracle.com/database/121/DBSEG/release_changes.htm#DBSEG164)
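The DBA_USERS.PASSWORD_VERSIONS column mentioned above is the practical pre-check before enforcing the 12a setting: an account that does not yet hold a 12C (SHA-512) verifier cannot authenticate once only that verifier is accepted, and it regains access only after its password is reset so that the new verifier is generated. The following query is an added example, not part of the Oracle note; it assumes SELECT access on DBA_USERS and that the verifier type appears in PASSWORD_VERSIONS as the token 12C.

```sql
-- Added example (not from the Oracle note): inventory which password verifier
-- types each open account holds before setting
-- SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a on the server.
-- Accounts whose PASSWORD_VERSIONS lacks '12C' (assumed token for the
-- SHA-512 verifier) would be unable to log in under 12a until their
-- password is reset, which regenerates the verifiers.
SELECT username,
       password_versions,
       CASE
         WHEN password_versions LIKE '%12C%' THEN 'ready for 12a'
         ELSE 'reset password before enforcing 12a'
       END AS readiness
FROM   dba_users
WHERE  account_status = 'OPEN'
ORDER  BY readiness, username;
```

Run it on the server where the parameter will be set; a DB link from an earlier release will still fail after the change regardless of what this query reports, which is the interoperability caveat the note raises.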
Using SHA-2 in customer applications or in the Java VM
The SHA-2 algorithm has been made available for general use in the DBMS_CRYPTO package as of database version 12c with the designation typ => dbms_crypto.HASH_SH512.
For earlier database versions a Java Stored Procedure can be used for which an example is available in the Database Security Products community document How to calculate a SHA-2 (sha-512) hash value using a Java Stored Procedure.
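As an added example of the 12c DBMS_CRYPTO usage described above (this is not code from the Oracle note), the block below wraps the HASH call in a small function so the digest can be reused from SQL. It assumes EXECUTE has been granted on SYS.DBMS_CRYPTO to the schema that creates the function; the input string is a constructed sample. Note that DBMS_CRYPTO.HASH is a plain, unsalted digest: it suits integrity checks and signatures, not password storage, which the database's own verifier mechanism already handles.

```sql
-- Added example (not from the Oracle note): SHA-512 via DBMS_CRYPTO on 12c+.
-- Assumes: GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <schema>;
CREATE OR REPLACE FUNCTION sha512_hex (p_text IN VARCHAR2)
  RETURN VARCHAR2
  DETERMINISTIC
IS
  l_raw RAW(64);  -- SHA-512 produces 64 bytes
BEGIN
  -- Hash the UTF-8 bytes of the input, not the session-charset bytes,
  -- so the digest is stable across clients with different NLS settings.
  l_raw := DBMS_CRYPTO.HASH(
             src => UTL_I18N.STRING_TO_RAW(p_text, 'AL32UTF8'),
             typ => DBMS_CRYPTO.HASH_SH512);
  RETURN LOWER(RAWTOHEX(l_raw));
END sha512_hex;
/

-- Usage on a constructed sample value; the result is a 128-character hex digest.
SET SERVEROUTPUT ON
BEGIN
  DBMS_OUTPUT.PUT_LINE('SHA-512: ' || sha512_hex('constructed sample input'));
END;
/
```

On releases before 12c the HASH_SH512 constant does not exist and the package would fail to compile, which is exactly the case the note directs to the Java Stored Procedure alternative.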
SHA-2 as part of SSL_CIPHER_SUITES
SHA2 was introduced in 12c for SSL_CIPHER_SUITES and a number of new Secure Sockets Layer Cipher Suites were added in version 12.1.0.1 that include SHA-2:
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
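As an added sqlnet.ora fragment (not taken from the Oracle note), the two settings the note discusses are shown together as a server-side configuration that prefers the SHA-2 cipher suites and the SHA-512 password verifier. The suite names are the ones listed above; parenthesised list syntax is the sqlnet.ora convention for multi-valued parameters.

```ini
# Added example sqlnet.ora fragment (not from the Oracle note), server side.
# Restrict SSL to SHA-2 based suites from the 12.1.0.1 list; GCM suites
# are listed first so they are preferred during negotiation.
SSL_CIPHER_SUITES = (SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                     SSL_RSA_WITH_AES_256_GCM_SHA384,
                     SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                     SSL_RSA_WITH_AES_256_CBC_SHA256)

# Accept only the SHA-512 (12C) password verifier; earlier clients and
# DB links to/from earlier servers will no longer be able to connect.
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a
```

Restrict the list to the ECDSA suites only when the server certificate is actually an ECDSA certificate; with an RSA certificate, the SSL_RSA_* suites are the ones that can be negotiated.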