DBMS_CRYPTO
Dbms_crypto provides a modern and effectual
ability to encrypt and decrypt data using any of
the following cryptographic algorithms:
-
Data Encryption Standard (DES)
-
Triple DES (3DES, 2-key and 3-key)
-
Advanced Encryption Standard (AES)
-
MD5, MD4, and SHA-1 cryptographic hashes
-
MD5 and SHA-1 Message Authentication Code
(MAC)
Be
aware that effective dbms_crypto usage
requires a general level of security familiarity
and/or expertise. Key management is entirely
programmatic, thus the application, or caller of
dbms_crypto, must supply the encryption
key. Furthermore, the application is responsible
for storing and retrieving keys securely. Common
options for applications storing keys include
within the database, on the operating system,
and user self-managed. Of course, one can always
rely instead upon Oracle’s encrypted tables and
tablespaces and their inherently automatic key
management.
Dbms_obfuscation_toolkit usage should
be replaced by the newer dbms_crypto
package, available in 10g and later,
which offers more modern and secure
cryptographic algorithms as well as support
for more database data types.
There are a few enumerated
constants that one must know to use this
package:
-- Hash Functions
HASH_MD4
CONSTANT PLS_INTEGER
:=
1;
HASH_MD5
CONSTANT PLS_INTEGER
:=
2;
HASH_SH1
CONSTANT PLS_INTEGER
:=
3;
-- MAC Functions
HMAC_MD5
CONSTANT PLS_INTEGER
:=
1;
HMAC_SH1
CONSTANT PLS_INTEGER
:=
2;
-- Block Cipher
Algorithms
ENCRYPT_DES
CONSTANT PLS_INTEGER
:=
1;
-- 0x0001
ENCRYPT_3DES_2KEY
CONSTANT PLS_INTEGER
:=
2;
-- 0x0002
ENCRYPT_3DES
CONSTANT PLS_INTEGER
:=
3;
-- 0x0003
ENCRYPT_AES
CONSTANT PLS_INTEGER
:=
4;
-- 0x0004
ENCRYPT_PBE_MD5DES CONSTANT PLS_INTEGER
:=
5;
-- 0x0005
ENCRYPT_AES128
CONSTANT PLS_INTEGER
:=
6;
-- 0x0006
ENCRYPT_AES192
CONSTANT PLS_INTEGER
:=
7;
-- 0x0007
ENCRYPT_AES256
CONSTANT PLS_INTEGER
:=
8;
-- 0x0008
-- Block Cipher Chaining Modifiers
CHAIN_CBC
CONSTANT PLS_INTEGER
:=
256;
-- 0x0100
CHAIN_CFB
CONSTANT PLS_INTEGER
:=
512;
-- 0x0200
CHAIN_ECB
CONSTANT PLS_INTEGER
:=
768;
-- 0x0300
CHAIN_OFB
CONSTANT PLS_INTEGER
:=
1024;
-- 0x0400
-- Block Cipher Padding Modifiers
PAD_PKCS5
CONSTANT PLS_INTEGER
:=
4096;
-- 0x1000
PAD_NONE
CONSTANT PLS_INTEGER
:=
8192;
-- 0x2000
PAD_ZERO
CONSTANT PLS_INTEGER
:= 12288;
-- 0x3000
PAD_ORCL
CONSTANT PLS_INTEGER
:= 16384;
-- 0x4000
-- Stream Cipher
Algorithms
ENCRYPT_RC4
CONSTANT PLS_INTEGER
:=
129;
-- 0x0081
-- Convenience Constants for Block Ciphers
DES_CBC_PKCS5
CONSTANT PLS_INTEGER
:= ENCRYPT_DES
+ CHAIN_CBC
+ PAD_PKCS5;
DES3_CBC_PKCS5
CONSTANT PLS_INTEGER
:= ENCRYPT_3DES
+ CHAIN_CBC
+ PAD_PKCS5;
AES_CBC_PKCS5
CONSTANT PLS_INTEGER
:= ENCRYPT_AES
+
CHAIN_CBC
+ PAD_PKCS5;
Below
are the dbms_crypto procedures and
functions but remember, security and especially
this package are not for novices or security
neophytes. If one loses a key or improperly
implements any factors, the data will almost
surely be unrecoverable.
Decrypt
is an overloaded procedure for decrypting the
data with the following parameters and defaults.
|
Argument
|
Type
|
In / Out
|
Default Value
|
|
DS
|
BLOB | CLOB
|
IN | OUT
|
|
|
SRC
|
BLOB
|
IN
|
|
|
TYP
|
PLS_INTEGER
|
IN
|
|
|
KEY
|
RAW
|
IN
|
|
|
IV
|
RAW
|
IN
|
NULL
|
Table 6.20:
Decrypt Parameters
Decrypt
is also an overloaded function for decrypting
the date with the following parameters and
defaults, returning a RAW value.
|
Argument
|
Type
|
In / Out
|
Default Value
|
|
SRC
|
BLOB
|
IN
|
|
|
TYP
|
PLS_INTEGER
|
IN
|
|
|
KEY
|
RAW
|
IN
|
|
|
IV
|
RAW
|
IN
|
NULL
|
Table 6.21:
Additional Decrypt Parameters
Encrypt is an overloaded
procedure for encrypting the data with the
following parameters and defaults.
|
Argument
|
Type
|
In / Out
|
Default Value
|
|
DST
|
BLOB | CLOB
|
IN | OUT
|
|
|
SRC
|
BLOB
|
IN
|
|
|
TYP
|
PLS_INTEGER
|
IN
|
|
|
KEY
|
RAW
|
IN
|
|
|
IV
|
RAW
|
IN
|
NULL
|
Table 6:22:
Encrypt Parameters
Encrypt
is also an overloaded function for encrypting
the data with the following parameters and
defaults, returning a RAW value.
|
Argument
|
Type
|
In / Out
|
Default Value
|
|
SRC
|
BLOB
|
IN
|
|
|
TYP
|
PLS_INTEGER
|
IN
|
|
|
KEY
|
RAW
|
IN
|
|
|
IV
|
RAW
|
IN
|
NULL
|
Table 6.23:
Additional Encrypt Parameters
Hash is
a function that accepts an input string and
returns a unique identifier based upon the value
as a RAW value.
|
Argument
|
Type
|
In / Out
|
Default Value
|
|
SRC
|
RAW |BLOB | CLOB
|
IN
|
|
|
TYP
|
PLS_INTEGER
|
IN
|
|
Table 6.24:
Hash
Parameters
MAC for
message authentication code is similar to hash,
but it is based off a supplied key as well as
the data. It also returns the result via a RAW
value.
|
Argument
|
Type
|
In / Out
|
Default Value
|
|
SRC
|
RAW |BLOB | CLOB
|
IN
|
|
|
TYP
|
PLS_INTEGER
|
IN
|
|
|
KEY
|
RAW
|
IN
|
|
Table 6.25:
Mac Parameters
The remaining functions
provide simple random number generation, and
include:
DBMS_CRYPTO.RANDOMBYTES (number_bytes
IN POSITIVE) RETURN RAW;
DBMS_CRYPTO.RANDOMINTEGER
RETURN BINARY_INTEGER;
DBMS_CRYPTO.RANDOMNUMBER
RETURN NUMBER;
