mig28mx
12th February 2015, 23:40
Hi all
I need to encrypt some information, in the manner that only the owner can read it.
I'm imagining that if I can ask for a password it will be useful, or if a phrase can be stored on a USB and then only if that file is accessible the information can be decrypted.
Has anyone faced a similar requirement?
Thank you in advance
Joy Conner
12th February 2015, 23:53
Have you considered inputfield.password()? When the user types the password, it causes the input field to be filled with ********.
bhushanchanda
13th February 2015, 11:12
Hi,
What do you mean when you say encrypt some "information"?
There can be multiple ways to do that based on what you actually want to do.
NPRao
13th February 2015, 18:16
I need to encrypt some information, in the manner that only the owner can read it.
I'm imagining that if I can ask for a password it will be useful, or if a phrase can be stored on a USB and then only if that file is accessible the information can be decrypted.
Miguel,
It is not clear if you are encrypting the data or some flat files on the disk.
Refer to the threads for more ideas -
Encrypt/decrypt Password (http://www.baanboard.com/baanboard/showthread.php?t=26592)
Encrypted Text file (http://www.baanboard.com/baanboard/showthread.php?t=58584)
Or you can customize the session to display the data based on the current user id matching with the insert/update-user id or explore more on the Tools Role's Table Data Authorization.
mig28mx
19th February 2015, 16:03
Hi All,
Thank you for your inputs.
Joy,
Yes, I have tested that option, but it does not cover my requirement to allow access just to the owner of that information.
Bhushanchanda,
By some information I mean to encrypt just one field of a table. By some tax regulations, we need to report the whole payroll detail. That detail must be contained in our ERP. That detail will be imported to a set of customized tables.
The ugly part of this is: that sensitive information will be stored on flat tables and there is a possibility to be exposed (intentionally or unintentionally). To minimize that risk I was thinking to design some encrypting method to protect that information and just when the owner of that information runs their report, decrypt that information. The main idea is to protect that information even for the administrator of the ERP or the developers.
NPRao,
Yes. I have considered managing the access to that data using table field permissions. The weak point of this is: that information will be accessible for administrators (DB and ERP) and for the developers. That will not guarantee that the information will be exposed.
I have seen some biometric solutions based on fingerprints that allow access to some network services. I don't know if there is a chance to implement a fingerprint reader instead of asking for a password when you need to run some specific report.
Also I have been advised that Oracle has its own encrypt/decrypt method. Is there anybody that has used that feature?
Will it be feasible to use with Baan?
Thank you in advance.
vamsi_gujjula
19th February 2015, 16:50
Reports are executed from where?? LN!!
bhushanchanda
20th February 2015, 08:08
Hi,
If even the developers & administrators are not reliable then obviously you will need to go for a third party security tool. It depends how critical your data is and how much you are ready to spend on it. If you implement it in your Baan itself it will have numerous loopholes. I can suggest getting a 3rd party application which will have two levels of authentication with a One Time Password (OTP) feature. Though I am not sure about other better choices.
If you want to go with the simplest way, tell your users to make their own encryption algorithm and store the information. Once they take the report they can decrypt and know their data. This is too easy but not reliable. But yes, a way where no one will be blamed but the owner itself. :)
NPRao
24th February 2015, 16:36
NPRao,
Yes. I have considered managing the access to that data using table field permissions. The weak point of this is: that information will be accessible for administrators (DB and ERP) and for the developers. That will not guarantee that the information will be exposed.
Miguel,
Oracle does provide Transparent Data Encryption (TDE). Refer to -
Transparent Data Encryption (http://www.oracle.com/technetwork/database/options/advanced-security/index-099011.html)
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html
Oracle Database Encryption: Safeguarding Sensitive Data (http://www.vormetric.com/data-security-solutions/use-cases/oracle-database-encryption)
You can manage the table access security from Baan or Database grants to specific set of people.
mig28mx
25th February 2015, 16:18
Hi bhushanchanda,
Yes, I thought that the user can send us the information encrypted, but we need to report the information decrypted with other sources of data that live on Baan. That's why we are considering importing that sensitive information to Baan.
About the third party tool, can you recommend some?
Hi NPRao,
Thank you for your input. I read the information from Oracle and it sounds very good. My only fear is: Oracle refers to TDE in a pure Oracle environment.
Will it work as well if we use Oracle as "only" DB? I mean, in Baan, we only use Oracle as DB and in fact, we never interact in the database environment. All this is managed by Baan. In this scenario, will TDE work as well?
Do you have any reference of the use of TDE in production?
I asked the same to Infor support, but no answer yet.
I suppose that the next step is to test TDE in our development environment.
Regards.
bhushanchanda
25th February 2015, 17:26
Hi,
What if it goes like this - -
If your users can do the encryption then - The cycle will be ->
User can encrypt the information and insert it in Baan. You give him reports with that encrypted sensitive information. Once he gets the report, he decrypts it and gets the required information. Done? Isn't it?
NPRao
25th February 2015, 18:01
Hi NPRao,
Thank you for your input. I read the information from Oracle and it sounds very good. My only fear is: Oracle refers to TDE in a pure Oracle environment.
Will it work as well if we use Oracle as "only" DB? I mean, in Baan, we only use Oracle as DB and in fact, we never interact in the database environment. All this is managed by Baan. In this scenario, will TDE work as well?
Do you have any reference of the use of TDE in production?
Miguel,
TDE is an Oracle-specific feature. I handled it with another Oracle product which used an Oracle database. Securing/encrypting the whole environment is a project in itself (all http connections have to be changed to https, disable telnet and allow only ssh), the standard Oracle listener has to be changed to an encrypted listener, and the table spaces have to be encrypted. I'm inclined to believe that from the BaaN database driver it should be a transparent change.
If you do not want to start a whole new project out of this task then another option is to check out the Oracle VPD's, which might not be as big of a project and does not need any new Oracle product licenses.
Using Oracle Virtual Private Database to Control Data Access (http://docs.oracle.com/cd/B28359_01/network.111/b28531/vpd.htm#DBSEG80081)
Restricting Data Access Using the Virtual Private Database (http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm)
Restricting Access with Oracle Virtual Private Database (https://docs.oracle.com/database/121/TDPSG/tdpsg_vpd.htm#TDPSG33431)
Virtual Private Database (Part 1) (http://allthingsoracle.com/virtual-private-database-part-1/)
Example of VPD implementation in Oracle 10g/11g (http://gjilevski.com/2011/02/01/example-of-vpd-implementation-in-oracle-10g11g/)
vahdani
9th March 2015, 18:23
Hi,
I just stumbled upon the Cipher Functions in the latest Programmers Guide (10.4.0). According to the Guide these functions provide access to cipher functions (encryption/decryption) of the OpenSSL library and are available from Tools Interface Version (TIV) 2000. So a porting set update may be necessary :rolleyes: