Oracle states its blockchain additions are the only mainstream blockchain database technologies in the world, with competitors such as AWS QLDB requiring entirely separate blockchain-only databases be used, and no other ‘regular’ relational database system having this on its roadmap either.
Blockchain, a cryptographic ledger proving the provenance of digital assets and most commonly known for its use in cryptocurrencies like Bitcoin, has been keenly eyed by enterprises and analysts. Deloitte places it in their list of top five strategic imperatives in the 2020s. At the same time, IDC noted the high failure rate of blockchain implementations, largely due to the complexity of implementation. In other quarters, blockchain has been described anecdotally as “a solution in search of a problem.”
Oracle's announcement today hits all the right notes: the company has found a compelling use case that will resonate with Governments, businesses, and consumers alike while making it dead simple to implement and at a price nobody can argue with: free.
Specifically, Oracle is adding blockchain functionality to the next release of its mainstream database offering, all aimed at crypto-secure data management to prevent illicit changes to data that records important actions, assets, entities and documents, for example, contracts, property titles, payments, transfers, ledgers and account statements.
Currently, all existing data security technologies focus on keeping criminals out. This is why we use passwords, firewalls, encryption, and ranges of user privileges. Yet, as all IT departments know, the greatest security mechanisms in the world can only go so far against hackers - deliberate malicious actors - and corrupt or compromised users - people with valid credentials who intentionally change records to steal assets or commit fraud. This is why phishing attacks to steal credentials will never go away, and nor will human greed and corruption. We don’t need to look far in the news to see Sony’s network compromised by fake Apple ID phishing emails, or a Tesla engineer being offered a cool half a million dollars to inject malware into the car.
Traditional security isn't designed to stop people from using valid credentials to perform actions they are permitted to do. After all, that’s known as “doing your job” - except when you’re not doing your job, or it’s not you using your credentials.
Such illicit changes can have dire consequences, including loss of assets, legal exposure, and loss of reputation. This is where Oracle crypto-security comes in, acknowledging that vulnerabilities which exploit people, and people going rogue, will always be with us. Rather than relying only on keeping attackers out, Oracle is tackling the problem by limiting the damage malicious actors can cause.
The Oracle blockchain manifests in four ways, all of which will be provided within the Oracle database at no extra charge, and which can be adopted incrementally by organisations as they choose.
- Immutable tables to prevent illicit insider changes
- Blockchain tables to detect illicit hacker changes
- Distributed digest to detect authority-ordered illicit changes, and
- Data signing to prevent impersonator data fraud
Only the last of these, which addresses illicit changes related to end-user identity, requires significant application changes; the others can be enabled immediately within the database, without requiring existing applications be modified.
Oracle Immutable Tables prevent illicit modifications by insiders using the database, that is, directly via SQL. All database interfaces that modify data are disallowed. New data can be added, but existing data cannot be changed or deleted by anybody using the database, including the database administrators themselves.
Practically, this is implemented through nothing more than an adjustment to the SQL data definition language (DDL), e.g.
CREATE IMMUTABLE TABLE tablename (...);
The table can still store relational data, or JSON, or line-of-business documents. It can store reference data, as well as ledgers. It continues to behave like any other table, except users cannot update or delete rows or change the table metadata. Applications adding data to the table continue to work as normal, but the Oracle database itself safeguards the table at the lowest level.
Lest database developers fear creating an immutable table for testing which they will never be able to get rid of, the system allows for idle timeframes. If the table is not touched for a period of time, the default being 16 days, then it can be dropped, and the enclosing database also dropped.
Going deeper, Oracle asked what if the database software to enforce immutability is itself bypassed by a hacker with a new vulnerability, or a rogue or compromised systems administrator. This led to the blockchain table which detects changes to data by computing and safely storing a small cryptographic digest of the data. If the data is changed then the cryptographic digest of the changed data will differ from the previous digest.
As with the immutable table, a blockchain table is effortlessly constructed with no application changes:
CREATE BLOCKCHAIN TABLE tablename (...);
Each row includes a field with a cryptographic digest that is computed from the row’s content plus the cryptographic digest of the previous row - which in turn is based on the row before it, all the way back to the first row. The row also includes an exact timestamp recording when it was created.
The chained data can be validated at any time, confirming the cryptographic digest of each row still accurately computes according to its contents and the digest of the previous row. This can be verified within the database, but the greatest trust occurs because it can also be independently validated outside the database.
Oracle will make available a free and, importantly, open-source Java application which will read chained data and verify the crypto-digest without any reliance on the database’s computations or functionality itself. In practice, a business won’t want Joe Public looking at data, but can engage independent data auditors to perform this verification, much as a financial auditor validates accounting records now.
Security is no simple task, and again Oracle notes that illicit changes by sophisticated hackers or by authorities could be covered up by illicitly changing a row and then rewriting the entire chain that comes after that row. This means the cryptographic digests still make sense, even though the data has been adjusted.
To prevent or detect such a large-scale cover-up, Oracle enables the cryptographic digest of the table itself to be freely published at any time, to any location the owning organisation wishes. It can be digitally signed by the schema owner to ensure it cannot be later claimed to be fake. This digest could be published on a schedule or when important data is inserted. By comparing previously published digests to the current table contents, a cover-up can be detected.
The digest itself contains no inferable information about the data within the table and is therefore safe to publicly distribute anywhere, including by email or REST or an independent public store or elsewhere. The further and wider the distribution, the more confidence one can have because the effort for a malicious actor to find and adjust all previously disclosed digests becomes vastly more difficult.
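The row chaining and the published-digest comparison described above, as an added Python sketch that is not Oracle's code, verifier or row format. SHA-512 over a JSON serialisation, the all-zero starting digest and the sample ledger rows are assumptions constructed for illustration.

```python
import hashlib
import json
GENESIS = "0" * 128  # assumed stand-in for "digest of the row before the first"

def row_digest(prev, data, ts):
    # Digest covers the row content, its timestamp and the previous row's digest.
    body = json.dumps({"prev": prev, "ts": ts, "data": data}, sort_keys=True)
    return hashlib.sha512(body.encode()).hexdigest()

def append_row(chain, data, ts):
    prev = chain[-1]["digest"] if chain else GENESIS
    chain.append({"data": data, "ts": ts, "digest": row_digest(prev, data, ts)})

def verify_chain(chain):
    # Index of the first row whose stored digest no longer recomputes, else None.
    prev = GENESIS
    for i, row in enumerate(chain):
        if row_digest(prev, row["data"], row["ts"]) != row["digest"]:
            return i
        prev = row["digest"]
    return None

def rewrite_from(chain, index, new_data):
    # Models the cover-up: alter one row, then recompute every later digest.
    forged = [dict(r) for r in chain]
    forged[index]["data"] = new_data
    prev = forged[index - 1]["digest"] if index else GENESIS
    for row in forged[index:]:
        row["digest"] = row_digest(prev, row["data"], row["ts"])
        prev = row["digest"]
    return forged

def matches_published(chain, published):
    # published = (row_count, digest) captured earlier and kept outside the database.
    count, digest = published
    return 1 <= count <= len(chain) and chain[count - 1]["digest"] == digest

def build_sample():
    # Constructed ledger rows, not real data.
    chain = []
    for day, amt in enumerate([100, 250, -40], start=1):
        append_row(chain, {"acct": "A", "amt": amt}, f"2021-02-0{day}T09:00:00Z")
    return chain

if __name__ == "__main__":
    ledger = build_sample()
    published = (len(ledger), ledger[-1]["digest"])
    forged = rewrite_from(ledger, 1, {"acct": "A", "amt": 9999})
    print(verify_chain(forged), matches_published(forged, published))
```

The fully rewritten copy passes the chain check yet fails the comparison with the earlier published digest, while the honest ledger keeps matching it as new rows are appended.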
Oracle's fourth blockchain feature prevents data falsification by impersonators using an end-user’s name: for example, a hacker using stolen credentials, an insider using internal information to impersonate an end-user, or a malicious developer bypassing an application’s credential checking mechanisms.
Data signing allows end-users to optionally cryptographically sign new data they insert. Previously listed features are trivial to implement within an organisation; this feature requires more work because it needs sophisticated end-users with a digital identity and a public certificate, and it requires application changes to implement the digital signing of data.
End users will sign data using their private key, which is never passed to the database. They will register a digital certificate containing their public key so the database can validate the signature, and this certificate ID is recorded in every row. The Oracle database can additionally countersign new data so users know their data was received by the database, essentially providing a receipt.
This data signing thus prevents a middle-tier from filtering certain data to prevent it from being recorded.
Oracle's blockchain technologies have been partially released in the January Oracle database update, with the remainder coming in April 2021. Organisations using the Oracle autonomous database will receive the update automatically, while on-premises and other customers will receive the features when they next upgrade on their own schedule. Organisations can then commence using these new facilities incrementally.
Immutable tables and blockchain tables are free features of the Oracle Converged Database. No additional licenses or software are needed to take advantage of these new table types, which are completely transparent to all new and existing applications. Oracle has back-ported immutable tables and blockchain tables to Oracle Database 19c (19.11 and 19.10, respectively). More details are available in My Oracle Support.
These blockchain features will prevent illicit changes made using the database at the SQL level, and allow detection of illicit changes that bypass the database.
By embedding blockchain into the core database engine and making it so simple to adopt, these features are now available to every industry. Some immediately apparent use cases include:
- Financial data - accounting, assets, payments, insurance
- Logistics data - distribution, supply chain, shipment, recalls
- Education data - degrees, certifications, professional history
- Government data - legal, trial, tax, permits, citizenship, title
- Corporate data - invoices, payments, contracts, employee records, intellectual property
What will you do with it? The possibilities are now endless, and with Oracle bringing blockchain to the mainstream, with no charge, there's no reason not to start.