DBMS_CRYPTO in ORACLE 10.2?

Similar Messages

• Is DBMS_CRYPTO FIPS 140-2 certified?

  Sadly, I think that the answer is no. I am hoping someone more knowledgeable can contradict me. This link describes the Oracle Database FIPS certification status.
  http://www.oracle.com/technology/deploy/security/seceval/oracle-fips140-validations.html.
  This is the linked to certificate which applies to Oracle Cryptographic Libraries for SSL.
  http://www.oracle.com/technology/deploy/security/seceval/pdf/140crt861.pdf
  I have found nothing that includes DBMS_CRYPTO under Oracle Cryptographic Libraries for SSL. This link might imply that it is not, but I am unclear what might apply to DBMS_CRYPTO.
  http://www.oracle.com/technology/deploy/security/as_security/sslfipsfaq_r1.html
  Is Oracle Advanced Security’s SSL adapter also included in this FIPS evaluation?
  No. Oracle SSL libraries that is only included in Oracle Application Server 10g (9.0.4) alone has received this FIPS 140-2 certification. We are considering evaluation of the Oracle SSL libraries included in the Oracle Database at the earliest.
  So in summary, it appears that Oracle has gone through the work to certify the Java libraries, but not the PL/SQL library.
  TIA
  Edited by: rmonical on May 26, 2009 4:12 PM

  The best source of Oracle online documentation is http://tahiti.oracle.com.
  If you go there and search, I did it under 10gR2, for "FIPS" you will find a tremendous amount of material with respect to the Oracle Database and FIPS.
  And unless I misunderstand your question you are totally incorrect.
  The Oracle database is in full compliance with FIPS 127-2.

• How to avoid of application running on Oracle 10g to be copied?

  I am a newbie to the security issues, so I need your help, please, where to start / what to read:
  I have an application running across many customers on Oracle 10g. I have faced lately that our users
  can use their daily backups to establish a totaly new database on a same / different server
  and point our application to use it as well.
  Is there any way to avoid it? F.e. I thought to use SELECT * FROM v$instance; to get the server instance details, and
  in result with some other function to obtain, let say, local server's (WIN2003) details,
  such as HD Serial Number, MAC number or so and then to check these values each time user runs the application.
  Is it the correct way? What are the basics here at all?
  Many thanks in advance to all!

  A lot of enterprises, however, actively avoid systems which are locked down to a particular server for very legitimate reasons. If my data center dies in the middle of the night, I sure don't want to have to call your mobile phone so that you can get to a computer, log in to the office network, and get me a new key so that I can finish my emergency failover. If I've got dozens of applications, I absolutely don't want to do that with dozens of different vendors.
  It sounds like your problem, though, isn't that users are installing your software on multiple computers it's that they are accessing functionality they haven't licensed. That is generally a much easier problem to solve and doesn't require you to lock anything down to a particular machine. You can create a table LICENSED_CONTENT, for example,
  CREATE TABLE licensed_content (
    client_id    NUMBER,
    content_type VARCHAR2(30),
    key          RAW(128)
  )In this case, KEY is, say, a hash (using the DBMS_CRYPTO or DBMS_OBFUSCATION_TOOLKIT packages if you'd like) of the client_id, content_type, and a bit of salt (i.e. a fixed string that only you know). When you sell a license to manage diamond content, you provide a script that inserts the appropriate row in the LICENSED_CONTENT table. When your application starts up, it reads the LICENSED_CONTENT table and verifies the hash before allowing users to access that type of content. This allows legitimate customers to move the software from one system to another but prevents them from accessing new functionality without a new license.
  Justin

• What are the third party tools available for Encryption in Oracle database?

  Dear All,
  Can you please help me with the below question?
  What are the third party tools available for Encryption in Oracle database? Please let me know if you know their feedback and also licensing/cost information

  Why would you spend money to purchase a third-party tool that will be, almost by definition, less secure than the tools inside the product you already own and paid for?
  http://www.morganslibrary.org/reference/pkgs/dbms_crypto.html
  But were I to have any to recommend one I would not do so without knowing information you seem to consider unimportant such as:
  1. Operating system
  2. Database edition and version
  3. What type of data needs to be secured
  4. What level of security is required

• DBMS_CRYPTO package help needed :(

  Hello all,
  I want to use Oracle's DBMS_CRYPTO package for decrypting some data.
  I have one sample program as follows which is not working....the error is shown below.
  SQL> DECLARE
  2 input_string VARCHAR2 (200) := 'Secret Message';
  3 output_string VARCHAR2 (200);
  4 encrypted_raw RAW (2000); -- stores encrypted binary text
  5 decrypted_raw RAW (2000); -- stores decrypted binary text
  6 num_key_bytes NUMBER := 256/8; -- key length 256 bits (32 bytes)
  7 key_bytes_raw RAW (32); -- stores 256-bit encryption key
  8 encryption_type PLS_INTEGER := -- total encryption type
  9 DBMS_CRYPTO.ENCRYPT_AES256
  10 + DBMS_CRYPTO.CHAIN_CBC
  11 + DBMS_CRYPTO.PAD_PKCS5;
  12 BEGIN
  13 DBMS_OUTPUT.PUT_LINE ( 'Original string: ' || input_string);
  14 key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES (num_key_bytes);
  15 encrypted_raw := DBMS_CRYPTO.ENCRYPT
  16 (
  17 src => UTL_I18N.STRING_TO_RAW (input_string, 'AL32UTF8'),
  18 typ => encryption_type,
  19 KEY => key_bytes_raw
  20 );
  21 decrypted_raw := DBMS_CRYPTO.DECRYPT
  22 (
  23 src => encrypted_raw,
  24 typ => encryption_type,
  25 KEY => key_bytes_raw
  26 );
  27 output_string := UTL_I18N.RAW_TO_CHAR (decrypted_raw, 'AL32UTF8');
  28 DBMS_OUTPUT.PUT_LINE ('Decrypted string: ' || output_string);
  29 END;
  30 /
  DBMS_CRYPTO.ENCRYPT_AES256
  ERROR at line 9:
  ORA-06550: line 9, column 2:
  PLS-00201: identifier 'DBMS_CRYPTO' must be declared
  ORA-06550: line 8, column 23:
  PL/SQL: Item ignored
  ORA-06550: line 14, column 21:
  PLS-00201: identifier 'DBMS_CRYPTO' must be declared
  ORA-06550: line 14, column 4:
  PL/SQL: Statement ignored
  ORA-06550: line 15, column 21:
  PLS-00201: identifier 'DBMS_CRYPTO' must be declared
  ORA-06550: line 15, column 4:
  PL/SQL: Statement ignored
  ORA-06550: line 21, column 18:
  PLS-00201: identifier 'DBMS_CRYPTO' must be declared
  ORA-06550: line 21, column 1:
  PL/SQL: Statement ignored
  Oracle version is
  Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production on linux server.
  can anybody help me how to resolve this problem?
  I mean isnt "DBMS_CRYPTO" Oracle's Standard package?
  pls help.

  Really you should not be using SYSTEM account - you should create your own DBA / Development accounts and use those.
  However, what you are missing is to connect as SYS/SYSDBA and...
  GRANT EXECUTE ON dbms_crypto TO system;

• Dbms_crypto package for number and date data type

  Hi,
  I am using Oracle 10g 10.2.0.3 on Linux 64 bit
  I am tryiing to use dbms_crypto package for the first time to encypt my tables column
  Following are my table columns
  NAME1 VARCHAR2(2000),
  ID1 NUMBER,
  SCORE number
  This table is already populated
  i want to encrypt Name1 and Score column. Following are the functions i have created for Encryption and decryption.
  --For Encryption
  create or replace function get_enc_val
  p_in in varchar2,
  p_key in raw
  return raw is
  l_enc_val raw (2000);
  l_mod number := dbms_crypto.ENCRYPT_AES128
  + dbms_crypto.CHAIN_CBC
  + dbms_crypto.PAD_PKCS5;
  begin
  l_enc_val := dbms_crypto.encrypt
  UTL_I18N.STRING_TO_RAW
  (p_in, 'AL32UTF8'),
  l_mod,
  p_key
  return l_enc_val;
  end;
  --For Decryption
  create or replace function get_dec_val
  p_in in raw,
  p_key in raw
  return varchar2
  is
  l_ret varchar2 (2000);
  l_dec_val raw (2000);
  l_mod number := dbms_crypto.ENCRYPT_AES128
  + dbms_crypto.CHAIN_CBC
  + dbms_crypto.PAD_PKCS5;
  begin
  l_dec_val := dbms_crypto.decrypt
  p_in,
  l_mod,
  p_key
  l_ret:= UTL_I18N.RAW_TO_CHAR
  (l_dec_val, 'AL32UTF8');
  return l_ret;
  end;
  Key: I have stored a key in other schema and calling it by using function get_key().
  Following is my insert
  INSERT INTO Score_table VALUES
  (get_enc_val('John',get_key()),25,get_enc_val(79,get_key()))
  it is giving me following error
  ORA-00932:Inconsistent Datatypes:Expected number got binary.
  I checked, it is an error due to Score field, which is of number type. So do i need to change type of Score field to varchar or is there any other way to encrypt number and date field.
  If i need to change the type then what will happen to the data already in Table and how do i encrypt data already in table.

  Hi,
  Is there any one who can tell me that, do i need to change my table column data type as the encrypted value will be character.

• How could I Encrypt the data of SDO_GEOMETRY type using DBMS_CRYPTO package

  Hi:
  I want to Encrypt the data of SDO_GEOMETRY object type using DBMS_CRYPTO package.
  What could I do? hope anyone can help me,give me a suggestions!
  thanks in advance.
  lgs

  well, the spatial api would not be able to handle this data anymore, so what you are trying to do is converting an SDO_GEOMETRY to some cryptable user type (see http://download-uk.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_crypto.htm#sthref1506) and encrypting this.
  Before using the SDO_GEOMETRY type will have to decrypt and reconvert it again and pass it to the spatial query or function.

• Can't find DBMS_CRYPTO package in my 10g R1

  Hi, I want to use the DBMS_CRYPTO pakage, I found some plsql code to use it, but when compile my code, the databse told me that this pakage not exists, I try with SYS user, but alwas the same error. I can't find this package that assumes to be included in 10g.
  Thanks

  What is the output of this query?
  SQL> select object_name, owner, object_type from dba_objects where object_name = 'DBMS_CRYPTO' ;
  OBJECT_NAME                    OWNER                          OBJECT_TYPE
  DBMS_CRYPTO                    SYS                            PACKAGE
  DBMS_CRYPTO                    SYS                            PACKAGE BODY
  DBMS_CRYPTO                    PUBLIC                         SYNONYM
  SQL> disconnect
  Disconnected from Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Production
  With the Partitioning, OLAP and Data Mining options
  SQL>

• Dbms_crypto - avoid error when using different key in lower environment

  Hello Experts,
  We are using Oracle 11.2.0.2. We are planning to implement dbms_crypto to encrypt few columns. We clone the data from production to lower environment ( DEV, QC).
  For the lower environments, we do not want to get the sensitive data from production and do not plan to use same key. Rather than getting an error when using differnt key, is it possible to get a different resultset back.
  In other words, we want the implementation to be same across environments but want to use a diffent key in lower environment and get different result (or garbage).
  Any suggestions would be greatly appreciated.
  While testing this logic, I am getting following error when using differnt key to decrypt. It works fine if I use same key.
  Error at line 1
  ORA-28817: PL/SQL function returned an error.
  ORA-06512: at "SYS.DBMS_CRYPTO_FFI", line 67
  ORA-06512: at "SYS.DBMS_CRYPTO", line 44
  ORA-06512: at line 19
  DECLARE
    l_credit_card_no    VARCHAR2(19) := '1234 5678 9012 3456';
    l_ccn_raw           RAW(128) := UTL_RAW.cast_to_raw(l_credit_card_no);
  l_key               RAW(128) := UTL_RAW.cast_to_raw('abcdefgh');
     l2_key               RAW(128) := UTL_RAW.cast_to_raw('12345678');
    l_encrypted_raw     RAW(2048);
    l_decrypted_raw     RAW(2048);
  BEGIN
    DBMS_OUTPUT.put_line('Original  : ' || l_credit_card_no);
    l_encrypted_raw := DBMS_CRYPTO.encrypt(src => l_ccn_raw,
                                           typ => DBMS_CRYPTO.des_cbc_pkcs5,
                                           key => l_key);
    DBMS_OUTPUT.put_line('Encrypted : ' || RAWTOHEX(UTL_RAW.cast_to_raw(l_encrypted_raw)));
    l_decrypted_raw := DBMS_CRYPTO.decrypt(src => l_encrypted_raw,
                                           typ => DBMS_CRYPTO.des_cbc_pkcs5,
                                           key => l2_key); --**Using different key to decrypt
    DBMS_OUTPUT.put_line('Decrypted : ' || UTL_RAW.cast_to_varchar2(l_decrypted_raw));
  END;Thank you.

  If I understand what you are trying to do ... and I may not ... it is not going to work.
  SQL> DECLARE
    2   l_credit_card_no VARCHAR2(19) := '1612-1791-1809-2605';
    3   l_ccn_raw RAW(128) := utl_raw.cast_to_raw(l_credit_card_no);
    4   l_key1     RAW(128) := utl_raw.cast_to_raw('abcdefgh');
    5   l_key2     RAW(128) := utl_raw.cast_to_raw('zyxwvuts');  -- alternate key used to attempt a different decryption
    6 
    7   l_encrypted_raw RAW(2048);
    8   l_decrypted_raw RAW(2048);
    9  BEGIN
  10    dbms_output.put_line('Original : ' || l_credit_card_no);
  11 
  12    l_encrypted_raw := dbms_crypto.encrypt(l_ccn_raw, dbms_crypto.des_cbc_pkcs5, l_key1);
  13 
  14    dbms_output.put_line('Encrypted : ' || RAWTOHEX(utl_raw.cast_to_raw(l_encrypted_raw)));
  15 
  16    l_decrypted_raw := dbms_crypto.decrypt(src => l_encrypted_raw, typ => dbms_crypto.des_cbc_pkc
  s5, key => l_key1);
  17 
  18    dbms_output.put_line('Key1 : ' || utl_raw.cast_to_varchar2(l_decrypted_raw));
  19 
  20    l_decrypted_raw := dbms_crypto.decrypt(src => l_encrypted_raw, typ => dbms_crypto.des_cbc_pkc
  s5, key => l_key2);
  21 
  22    dbms_output.put_line('Key2 : ' || utl_raw.cast_to_varchar2(l_decrypted_raw));
  23  END;
  24  /
  Original : 1612-1791-1809-2605
  Encrypted : 3534443342333642353141363846384237463732384636373943374630364234323243334539383042323135
  Key1 : 1612-1791-1809-2605
  DECLARE
  ERROR at line 1:
  ORA-28817: PL/SQL function returned an error.
  ORA-06512: at "SYS.DBMS_CRYPTO_FFI", line 67
  ORA-06512: at "SYS.DBMS_CRYPTO", line 44
  ORA-06512: at line 20

• Key generation using DBMS_CRYPTO

  Hi,
  I have a question about DBMS_CRYPTO pacakge , which can be used for encrypting sensitive data. When we use this package, is it a must that we have to supply the encryption key or is it that the package can itself generate the key? I read in the documentiation about RANDOMBYTES function (http://download.oracle.com/docs/cd/B14117_01/appdev.101/b10802/d_crypto.htm#1000530) but I don't know exactly how it can be used.
  Basically my doubt is, when we use this package, we have to pass in the encryption key as a parameter and we have to know it or is there a way oracle can entirely take care of it?
  Thanks

  The way the DBMS_CRYPTO package works is with providing an encryption key to encrypt and to decrypt. I think personal looking at your question and the remarks you place you are looking for a solution like "Oracle Advanced Security", see http://www.oracle.com/us/products/database/options/advanced-security/index.html
  Regards, Gerwin

• Can I encrypt a string with RSA encryption using DBMS_CRYPTO?

  We have an web application that does a redirect thru a database package to a 3rd party site. They would like us to encrypt the querystring that is passed using RSA encryption. The example that they've given us (below) uses the RSA cryptographic service available in .NET. Is it possible to do this using DBMS_CRYPTO or some other method in Oracle?
  Below are the steps outlined to use the key to generate the encrypted URL
  2.1 Initialize Service
  The RSA cryptographic service must be initialized with the provided public key. Below is sample code that can be used to initialize the service using the public key
  C#
  private void InitializeRSA( string keyFileName )
  CspParameters cspParams = new CspParameters( );
  cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
  m_sp = new RSACryptoServiceProvider( cspParams );
  //Load the public key from the supplied XML file
  StreamReader reader = new StreamReader( keyFileName );
  string data = reader.ReadToEnd( );
  //Initializes the public key
  m_sp.FromXmlString( data );
  2.2 Encryption method
  Create a method that will encrypt a string using the cryptographic service that was initialized in step 2.1. The encryption method should convert the encryption method to Base64 to avoid special characters from being passed in the URL. Below is sample code that uses the method created in step 2.1 that can be used to encrypt a string.
  C#
  private string RSAEncrypt( string plainText )
  ASCIIEncoding enc = new ASCIIEncoding( );
  int numOfChars = enc.GetByteCount( plainText );
  byte[ ] tempArray = enc.GetBytes( plainText );
  byte[ ] result = m_sp.Encrypt( tempArray, false );
  //Use Base64 encoding since the encrypted string will be used in an URL
  return Convert.ToBase64String( result );
  2.3 Generate URL
  The query string must contain the necessary data elements configured for you school in Step 1. This will always include the Client Number and the Student ID of the student clicking on the link.
  1.     Build the query string with Client Number and Student ID
  C#
  string queryString = “schoolId=1234&studentId=1234”;
  The StudentCenter website will validate that the query string was generated within 3 minutes of the request being received on our server. A time stamp in UTC universal time (to prevent time zone inconsistencies) will need to be attached to the query string.
  2.     Get the current UTC timestamp, and add the timestamp to the query string
  C#
  string dateTime = DateTime.UtcNow.ToString(“yyyy-MM-dd HH:mm:ss”);
  queryString += “&currentDT=” + dateTime;
  Now that the query string has all of the necessary parameters, use the RSAEncrypt (Step 2.2) method created early to encrypt the string. The encrypted string must also be url encoded to escape any special characters.
  3.     Encrypt and Url Encode the query string
  C#
  string rsa = RSAEncrypt(querystring);
  string eqs = Server.UrlEncode(rsa);
  The encrypted query string is now appended to the Url (https://studentcenter.uhcsr.com), and is now ready for navigation.
  4.     Build the URL
  C#
  string url = “https://studentcenter.uhcsr.com/custom.aspx?eqs=” + eqs

  The documentation lists all the encyrption types:
  http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_crypto.htm#ARPLS664

• DBMS_CRYPTO.DECRYPT-Error in decryption.

  Hi all,
  i created encryption and decryption program using DBMS_CRYPTO package.as a whole both encryption and decryption working fine.but when i used the decrypt part alone using stored encrypted data(RAW DataType) it showing some internal error,kindly help me in this issue.i provided the details here,
  * I encrypted a string using dbms_crypto.encrypt and stored that string in a column which i created as RAW datatype format.
  *The program i used is ,
  DECLARE
  op VARCHAR2(500) ;
  op_raw raw(2000);
  ip raw(2000);
  num_key_bytes NUMBER := 256/8; -- key length 256 bits (32 bytes)
  key_bytes_raw RAW (32); -- stores 256-bit encryption key
  encryption_type PLS_INTEGER := -- total encryption type
  DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  BEGIN
  SELECT pass INTO ip FROM user_test WHERE user_id =309;
  /*this pass is of format RAW,it storing the ouput of DBMS_CRYPTO.ENCRYPT */
  /*above query fetches F130E5785F8DAE2D59972FB9B7B74BE4 as output */
  /*word used for encryption is 'secret' */
  key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES (num_key_bytes);
  DBMS_OUTPUT.PUT_LINE ('ip :' || ip);
  op_raw := DBMS_CRYPTO.DECRYPT( src =>ip , typ => encryption_type, KEY => key_bytes_raw );
  DBMS_OUTPUT.PUT_LINE ('op_raw :'||op_raw);
  op:= UTL_I18N.RAW_TO_CHAR (op_raw , 'AL32UTF8');
  DBMS_OUTPUT.PUT_LINE ('op :'||op);
  END;
  * The Error i getting is ,
  Error report:
  ORA-28817: PL/SQL function returned an error.
  ORA-06512: at "SYS.DBMS_CRYPTO_FFI", line 67
  ORA-06512: at "SYS.DBMS_CRYPTO", line 41
  ORA-06512: at line 14
  28817. 00000 - "PL/SQL function returned an error."
  *Cause:    A PL/SQL function returned an error unexpectedly.
  *Action:   This is an internal error. Contact Oracle customer support.
  kindly help me in this issue as soon as possible.
  Thanks in advance,
  Jeevanand.K
  Edited by: Jeevanand K on Oct 26, 2010 2:08 AM

  Hi,
  there is a note on Metalink for this: "DBMS_CRYPTO.DECRYPT - ORA-28817 ORA-06512 at DBMS_CRYPTO_FFI", it has id 956603.1.
  Herald ten Dam
  http://htendam.wordpress.com

• Dbms_crypto in 10g Express missing

  I have installed the Oracle Database 10g Express Edition, it works fine.
  When I tried to use the dbms_crypto-Package with e.g.
  SELECT utl_raw.cast_to_varchar2(dbms_crypto.Hash(utl_raw.cast_to_raw('My Test'),2)) FROM dual;
  I got an ORA-00904 Error.
  Have I to install something special to use the dbms_crypto-Package? I'm logged in as system, I have all privelegs on the database, have read documentation an the FAQ - but now i am helpless.
  Any idea?
  Kind regards
  Thomas

  You have to grant execute on dbms_crypto ( as user sys ) to your required user.
  SQL> select grantee from dba_tab_privs where table_name = 'DBMS_CRYPTO';
  GRANTEE
  FLOWS_030000
  FLOWS_020100
  SQL> show user
  USER is "SYS"
  SQL> select * from v$version;
  BANNER
  Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product
  PL/SQL Release 10.2.0.1.0 - Production
  CORE    10.2.0.1.0      Production
  TNS for Linux: Version 10.2.0.1.0 - Production
  NLSRTL Version 10.2.0.1.0 - ProductionBest regards
  Maxim

• Having problem with DBMS_CRYPTO

  Hello,
  I am trying to run this SQL statment:
  select dbms_crypto.hash(typ => dbms_crypto.HASH_MD5, src => 'TOM') from dual;
  when I do I get an Error ORA-06553: PLS-221: 'HASH_MD5' is not a procedure or is undefined
  I understand that this is because the 'HASH_MD5' is a PLSQL variable and I am trying to use it in SQL. However I need to be able to run this as a SQL statment. Any ideas how I can do this?
  Oracle version is 11.2.0.3 EE

  Sky13 wrote:
  Hello,
  I am trying to run this SQL statment:
  select dbms_crypto.hash(typ => dbms_crypto.HASH_MD5, src => 'TOM') from dual;
  when I do I get an Error ORA-06553: PLS-221: 'HASH_MD5' is not a procedure or is undefined
  I understand that this is because the 'HASH_MD5' is a PLSQL variable and I am trying to use it in SQL. However I need to be able to run this as a SQL statment. Any ideas how I can do this?
  Oracle version is 11.2.0.3 EEBeside what has just told by Adam, consider that dbms_crypto.HASH_MD5 is defined as a CONSTANT PLS_INTEGER, a type which is not available in SQL.
  The procedure, if I'm not wrong, can be called only within a PL/SQL block.
  Regards.
  Al

• DBMS_CRYPTO : DECRYPT error ORA 28817...

  Hello,
  We are in 10g2, I have few big VARCHAR2 columns to encrypt in one table. I am pretty new in this topic..
  I took the standard example given with package DBMS_CRYPTO :
  http://download-west.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_crypto.htm
  Here are 2 pieces of code, one with no save of data, and one with an insert into a CLOB column.
  The first example gives no error, but my data is not saved.
  The second example saved the encrypted data into a CLOB, but, I get an error with a DECRYPT (this occurs only 60 times on 5000 records !!)
  Here are my 2 examples :
  1) The one that works (with no save)
  DECLARE
  input_string VARCHAR2 (200) := 'Increase in volume by 26%, increase in GM by 13%';
  output_string VARCHAR2 (200);
  encrypted_raw RAW (2000); -- stores encrypted binary text
  decrypted_raw RAW (2000); -- stores decrypted binary text
  num_key_bytes NUMBER := 256/8; -- key length 256 bits (32 bytes)
  key_bytes_raw RAW (32); -- stores 256-bit encryption key
  encryption_type PLS_INTEGER := -- total encryption type
  DBMS_CRYPTO.ENCRYPT_AES256
  + DBMS_CRYPTO.CHAIN_CBC
  + DBMS_CRYPTO.PAD_PKCS5;
  BEGIN
  DBMS_OUTPUT.PUT_LINE ( 'Original string: ' || input_string);
  key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES (num_key_bytes);
  encrypted_raw := DBMS_CRYPTO.ENCRYPT
  ( src => UTL_I18N.STRING_TO_RAW (input_string, 'AL32UTF8'),
  typ => encryption_type,
  key => key_bytes_raw );
  dbms_output.put_line('encryption='||encrypted_raw);
  decrypted_raw := DBMS_CRYPTO.DECRYPT
  ( src => encrypted_raw,
  typ => encryption_type,
  key => key_bytes_raw );
  output_string := UTL_I18N.RAW_TO_CHAR (decrypted_raw, 'AL32UTF8');
  DBMS_OUTPUT.PUT_LINE ('step4 Decrypted string: ' || output_string);
  END;
  2) The one that doesn't work (with an insert into a CLOB column) :
  DECLARE
  input_string VARCHAR2 (200) := 'Increase in volume by 26%, increase in GM by 13%';
  output_string VARCHAR2 (200);
  encrypted_raw RAW (2000); -- stores encrypted binary text
  decrypted_raw RAW (2000); -- stores decrypted binary text
  num_key_bytes NUMBER := 256/8; -- key length 256 bits (32 bytes)
  key_bytes_raw RAW (32); -- stores 256-bit encryption key
  encryption_type PLS_INTEGER := -- total encryption type
  DBMS_CRYPTO.ENCRYPT_AES256
  + DBMS_CRYPTO.CHAIN_CBC
  + DBMS_CRYPTO.PAD_PKCS5;
  l_test CLOB;
  BEGIN
  DBMS_OUTPUT.PUT_LINE ( 'Original string: ' || input_string);
  key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES (num_key_bytes);
  encrypted_raw := DBMS_CRYPTO.ENCRYPT
  ( src => UTL_I18N.STRING_TO_RAW (input_string, 'AL32UTF8'),
  typ => encryption_type,
  key => key_bytes_raw );
  delete from TEST_ODAB;
  commit;
  insert into TEST_ODAB (my_column) values (encrypted_raw);
  commit;
  dbms_output.put_line('step2 ...');
  select my_column into l_test from TEST_ODAB;
  dbms_output.put_line('step3 ...');
  decrypted_raw := DBMS_CRYPTO.DECRYPT
  ( src => UTL_RAW.cast_to_raw(l_test),
  typ => encryption_type,
  key => key_bytes_raw );
  output_string := UTL_I18N.RAW_TO_CHAR (decrypted_raw, 'AL32UTF8');
  DBMS_OUTPUT.PUT_LINE ('step4 Decrypted string(with select): ' || output_string);
  EXCEPTION
  WHEN OTHERS THEN
  DBMS_OUTPUT.PUT_LINE('Others='||SQLERRM);
  END;
  This is the result I get :
  Original string: Increase in volume by 26%, increase in GM by 13%
  step2 ...
  step3 ...
  Others=ORA-28817: PL/SQL function returned an error.
  I must have something wrong in my code, but I don't see what ...
  Any advice ?
  I hope that my explanation is clear enough ....
  Thanks,
  Olivier

  Hi,
  there is a note on Metalink for this: "DBMS_CRYPTO.DECRYPT - ORA-28817 ORA-06512 at DBMS_CRYPTO_FFI", it has id 956603.1.
  Herald ten Dam
  http://htendam.wordpress.com