DBMS_CRYPTO Package Used to Encrypt and Decrypt Data

DBMS_CRYPTO Package

It is used to encrypt and decrypt data in the database.

The DBMS_CRYPTO package enables encryption and decryption for common Oracle datatypes,
including RAW and large objects (LOBs), such as images and sound. Specifically, it supports BLOBs and CLOBs.

{ORACLE_HOME}/rdbms/admin/dbmsobtk.sql;
{ORACLE_HOME}/rdbms/admin/prvtobtk.plb;

The following cryptographic algorithms are supported:

Data Encryption Standard (DES), Triple DES (3DES, 2-key)
Advanced Encryption Standard (AES)
SHA-1 Cryptographic Hash
SHA-1 Message Authentication Code (MAC)

Note:
DES is no longer recommended by the National Institute of Standards and Technology (NIST).
Usage of SHA-1 is more secure than MD5.
Keyed MD5 is not vulnerable.

Syntax:

DBMS_CRYPTO.ENCRYPT(
src IN RAW,
typ IN PLS_INTEGER,
key IN RAW,
iv IN RAW DEFAULT NULL)
RETURN RAW;

DBMS_CRYPTO.DECRYPT(
src IN RAW,
typ IN PLS_INTEGER,
key IN RAW,
iv IN RAW DEFAULT NULL)
RETURN RAW;

Parameters in Syntax:
src: The source value, supplied in the RAW datatype, for example UTL_RAW.CAST_TO_RAW (p_plainText).
typ: The sum of the algorithm, chaining and padding constants, for example:
encryption_type PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_DES
+ DBMS_CRYPTO.CHAIN_CBC
+ DBMS_CRYPTO.PAD_PKCS5;
ENCRYPT_DES: Data Encryption Standard. Block cipher. Uses key length of 56 bits.
ENCRYPT_3DES_2KEY: Data Encryption Standard. Block cipher. Operates on a block 3 times with 2 keys. Effective key length of 112 bits.
ENCRYPT_3DES: Data Encryption Standard. Block cipher. Operates on a block 3 times.
ENCRYPT_AES128: Advanced Encryption Standard. Block cipher. Uses 128-bit key size.
ENCRYPT_AES192: Advanced Encryption Standard. Block cipher. Uses 192-bit key size.
ENCRYPT_AES256: Advanced Encryption Standard. Block cipher. Uses 256-bit key size.
ENCRYPT_RC4: Stream cipher. Uses a secret, randomly generated key unique to each session.
CHAIN_ECB: Electronic Codebook. Encrypts each plaintext block independently.
CHAIN_CBC: Cipher Block Chaining. Plaintext is XORed with the previous ciphertext block before it is encrypted.
CHAIN_CFB: Cipher-Feedback. Enables encrypting units of data smaller than the block size.
CHAIN_OFB: Output-Feedback. Enables running a block cipher as a synchronous stream cipher. Similar to CFB, except that n bits of the previous output block are moved into the right-most positions of the data queue waiting to be encrypted.
PAD_PKCS5: Provides padding which complies with the PKCS #5: Password-Based Cryptography Standard.
PAD_NONE: Provides option to specify no padding. Caller must ensure that blocksize is correct, else the package returns an error.
PAD_ZERO: Provides padding consisting of zeroes.

key: The key with which the algorithm encrypts and decrypts the data. It needs to be stored with high security.

iv: Initialization vector. Default NULL.

Conversion Rules

To convert VARCHAR2 to RAW, use the UTL_I18N.STRING_TO_RAW function:
UTL_I18N.STRING_TO_RAW (string, 'AL32UTF8');

To convert RAW to VARCHAR2, use the UTL_I18N.RAW_TO_CHAR function:
UTL_I18N.RAW_TO_CHAR (data, 'AL32UTF8');

Storing the package in the database: with the wrap utility you can hide your PL/SQL code from developers and other teams.
wrap iname=C:\package.sql
 
To grant another user the right to use the dbms_crypto package:
SQL> Grant execute on dbms_crypto to ;
 
You can use the following package and check the code:

CREATE OR REPLACE PACKAGE enc_dec
AS
  FUNCTION encrypt (p_plainText VARCHAR2) RETURN RAW DETERMINISTIC;
  FUNCTION decrypt (p_encryptedText RAW) RETURN VARCHAR2 DETERMINISTIC;
END;
/

CREATE OR REPLACE PACKAGE BODY enc_dec
AS
  encryption_type PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_DES
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;
  /*
  ENCRYPT_DES is the encryption algorithm. Data Encryption Standard. Block cipher.
  Uses key length of 56 bits.
  CHAIN_CBC Cipher Block Chaining. Plaintext is XORed with the previous ciphertext
  block before it is encrypted.
  PAD_PKCS5 Provides padding which complies with the PKCS #5: Password-Based
  Cryptography Standard
  */

  encryption_key RAW (32) := UTL_RAW.cast_to_raw('IamKey');
  -- The encryption key for the DES algorithm should be 8 bytes or more.

  FUNCTION encrypt (p_plainText VARCHAR2) RETURN RAW DETERMINISTIC
  IS
    encrypted_raw RAW (2000);
  BEGIN
    -- No iv is passed, so the default (NULL) is used.
    encrypted_raw := DBMS_CRYPTO.ENCRYPT
    (
      src => UTL_RAW.CAST_TO_RAW (p_plainText),
      typ => encryption_type,
      key => encryption_key
    );
    RETURN encrypted_raw;
  END encrypt;

  FUNCTION decrypt (p_encryptedText RAW) RETURN VARCHAR2 DETERMINISTIC
  IS
    decrypted_raw RAW (2000);
  BEGIN
    decrypted_raw := DBMS_CRYPTO.DECRYPT
    (
      src => p_encryptedText,
      typ => encryption_type,
      key => encryption_key
    );
    RETURN (UTL_RAW.CAST_TO_VARCHAR2 (decrypted_raw));
  END decrypt;
END;
/

Check that the package is working:

Encrypt:
select enc_dec.encrypt('I am Secure') encrypted from dual;
--------------------------------
9636BF26EA481F53229CA24C0543CBDB

Decrypt:
select enc_dec.decrypt('9636BF26EA481F53229CA24C0543CBDB') decrypted from dual;
------------
I am Secure
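
The package above uses DES with a key stored in the package body and the default NULL iv, so the same plaintext always yields the same ciphertext. The following is an added example, not part of the original post: the same pattern with ENCRYPT_AES256, a fresh IV per value from DBMS_CRYPTO.RANDOMBYTES, the key supplied by the caller, and the UTL_I18N conversions listed under Conversion Rules. The package name enc_dec_aes and its parameter names are assumptions.

```sql
-- Added example: AES-256 / CBC / PKCS5 with a random IV for every value.
-- enc_dec_aes, p_key and p_encrypted are hypothetical names.
CREATE OR REPLACE PACKAGE enc_dec_aes
AS
  FUNCTION encrypt (p_plainText VARCHAR2, p_key RAW) RETURN RAW;
  FUNCTION decrypt (p_encrypted RAW, p_key RAW) RETURN VARCHAR2;
END enc_dec_aes;
/

CREATE OR REPLACE PACKAGE BODY enc_dec_aes
AS
  c_type   CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len CONSTANT PLS_INTEGER := 16;  -- AES block size in bytes

  FUNCTION encrypt (p_plainText VARCHAR2, p_key RAW) RETURN RAW
  IS
    l_iv RAW (16) := DBMS_CRYPTO.RANDOMBYTES (c_iv_len);
  BEGIN
    -- The IV is not secret: store it in front of the ciphertext.
    RETURN UTL_RAW.CONCAT (
             l_iv,
             DBMS_CRYPTO.ENCRYPT (
               src => UTL_I18N.STRING_TO_RAW (p_plainText, 'AL32UTF8'),
               typ => c_type,
               key => p_key,
               iv  => l_iv));
  END encrypt;

  FUNCTION decrypt (p_encrypted RAW, p_key RAW) RETURN VARCHAR2
  IS
  BEGIN
    -- First 16 bytes are the IV, the remainder is the ciphertext.
    RETURN UTL_I18N.RAW_TO_CHAR (
             DBMS_CRYPTO.DECRYPT (
               src => UTL_RAW.SUBSTR (p_encrypted, c_iv_len + 1),
               typ => c_type,
               key => p_key,
               iv  => UTL_RAW.SUBSTR (p_encrypted, 1, c_iv_len)),
             'AL32UTF8');
  END decrypt;
END enc_dec_aes;
/
-- Round trip with a constructed 32-byte key that exists only in this block.
DECLARE
  l_key RAW (32) := DBMS_CRYPTO.RANDOMBYTES (32);
BEGIN
  DBMS_OUTPUT.PUT_LINE (
    enc_dec_aes.decrypt (enc_dec_aes.encrypt ('I am Secure', l_key), l_key));
END;
/
```

Because the IV changes on every call, encrypting the same value twice gives different ciphertexts, which is why these functions are not declared DETERMINISTIC.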
