【翻译自mos文章】在Oracle 数据库中对SHA-2算法的支持

在Oracle 数据库中对SHA-2算法的支持

来源于：
Support for SHA-2 in Oracle Database (文档 ID 1315291.1)

适用于：
Oracle Security Service - Version 11.1.0.6 and later
Oracle Database - Enterprise Edition - Version 11.2.0.3 to 12.1.0.1 [Release 11.2 to 12.1]
Information in this document applies to any platform.

目标：
SHA-2（SHA-256RSA, SHA-512RSA）被Oracle database 支持么？

解决方案：
SHA-2是SHA-1的替代者，并提供了一个比SHA-1更长更安全的hash 算法。
当前NIST（注：NIST网址为http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html，NIST为美国国家标准与技术研究院的简称，直属美国商务部，从事物理、生物和工程方面的基础和应用研究，以及测量技术和测试方法方面的研究，提供标准、标准参考数据及有关服务，在国际上享有很高的声誉。）
已经核准了一个比SHA-2更新的替代者，该替代者称之为SHA-3，但是SHA-3并不是来源于SHA-2的任何方式。这主要是做有一个“备份”算法可用，即使当前没有发现SHA-2的任何漏洞。
Oracle 在各种特性上使用hash 算法。在本文中，我们将在下列组件中详细叙述SHA-2的使用。

SHA-2作为hash 算法来为使用SSL的安全证书签名

In the 11.1.0.7 and 11.2.0.2 Oracle releases, SHA-2 is not supported for SSL. SHA-2 support is introduced by the following unpublished Enhancement Request: BUG 8839166 - SUPPORT FOR SHA2 AT SSL LEVELStarting with release 11.2.0.3, this has been implemented. This feature is not backportable on any lower release.

SHA-2用来数据库的身份验证

The database supports the use of a multi-round SHA-512 password verifier as of version 12.1.0.2. For backward compatibility reasons, older verifiers are also generated, but the exclusive use of the SHA-512 verifier can be forced by setting the following sqlnet.ora parameter:SQLNET.ALLOWED_LOGON_VERSION_SERVER =12a请注意：这是对 与更早版本的db client进行互联的暗示，因此， you should do this only if earlier DB clients and DB links to/from earlier DB servers are not required. The DBA_USERS.PASSWORD_VERSIONS column shows the verifier types that exist for a given account. Check the relevant documentation about SHA-2 Support for 12C Password Verifier for more information. (http://docs.oracle.com/database/121/DBSEG/release_changes.htm#DBSEG164)

在客户的应用程序或者JAVAVM中使用SHA-2

The SHA-2 algorithm has been made available for general use in the DBMS_CRYPTO package as of database version 12c with the designation typ => dbms_crypto.HASH_SH512. For earlier database versions a Java Stored Procedure can be used for which an example is available in the Database Security Products community document How to calculate a SHA-2 (sha-512) hash value using a Java Stored Procedure.

SHA-2作为SSL_CIPHER_SUITES一部分来使用。

SHA2 was introduced in 12c for SSL_CIPHER_SUITES and a number of new Secure Sockets Layer Cipher Suites were added in version 12.1.0.1 that include SHA-2:SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384SSL_RSA_WITH_AES_128_CBC_SHA256SSL_RSA_WITH_AES_128_GCM_SHA256SSL_RSA_WITH_AES_256_CBC_SHA256SSL_RSA_WITH_AES_256_GCM_SHA384