DBMS_OBFUSCATION_TOOLKIT

Why is the result of a call to DBMS_OBFUSCATION_TOOLKIT.DESEncrypt not consistent?
I try to exchange encrypted data between different instances of Oracle and the encrypted output is not the same.
Are there differences from version to version of Oracle or is there some kind of parameter setting (seed) that I'm not aware of?
Best regards
-pELLE

You might try posting this to the Products | Database | SQL and PL/SQL forum. The folks over there are generally going to be more familiar with this sort of database programming issue.
A couple of questions, though, in addition to Carlos's point about making sure the same key is being used...
- Are you storing the encrypted data in RAW columns? Or in VARCHAR2 columns?
- Are your database character sets identical?
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC

Similar Messages

  • FailAL32UTF8Conv error when using dbms_obfuscation_toolkit.des3encrypt

    I receive a 'failAL32UTF8Conv' error when trying to use the dbms_obfuscation_toolkit.des3encrypt function on a UTF-8 encoded Oracle 9i database.
    My encryption package and package bodies worked fine until I switched to a UTF-8 encoded database. Prior to UTF-8, the encoding was unicode.

    I have a bit more information now. I have encrypted with a UTF-8 database that I have encrypted using the dbms_obfuscation_toolkit.des3encrypt function. When I export this database, and then import it into another UTF-8 database, my dbms_obfuscation_toolkit.des3decrypt function, using the same key, will not decrypt the data. However, if I encrypt new data, I am able to decrypt it. My implementation of the dbms_obfuscation_toolkit.des3encrypt function deals with VARCHAR2's and not RAW's.

  • Using 'dbms_obfuscation_toolkit.md5' in my insert statement itself

    Hi all,
    I am trying to use 'dbms_obfuscation_toolkit.md5' in my insert statement itself as: insert into TEST_USERS values('username', dbms_obfuscation_toolkit.md5('password'));
    But I get this: ORA-06553: PLS-307: too many declarations of 'MD5' match
    Can you please help me on how I can insert a string (not raw) as an MD5 hash into a table?
    The password column I have is 'varchar(20)'. I don't mind changing it to something else. I am also struggling to find this package definition/help, to check what db type this function returns :-)
    Thanks for the help.

    Hello,
    Try posting this to the General Database Discussions forum.
    This forum is for SQLJ & JDBC.

  • Date field encryption using Dbms_Obfuscation_Toolkit.DESENCRYPT

    Hi,
    I need to encrypt the date field in the table using Dbms_Obfuscation_Toolkit.DESENCRYPT .
    This table is an existing table and is accessed by many interfaces, so we cannot change the column type of this date field.
    Is there a possibility of encrypting the date field and store it in the same column (DATE type).
    And access this using Dbms_Obfuscation_Toolkit.DESDECRYPT.
    We are using Oracle 11.2.0.2.0.
    Thanks in advance.
    Agathya

    >
    Is there a possibility of encrypting the date field and store it in the same column (DATE type).
    >
    No - the DESENCRYPT procedure returns a RAW value which can't be stored in a DATE column.
    See DESENCRYPT Procedures and Functions in Chapter 82 (DBMS_OBFUSCATION_TOOLKIT) of the PL/SQL Packages and Types Doc
    http://docs.oracle.com/cd/B28359_01/appdev.111/b28419/d_obtool.htm#i997215
    For what you want to do just use the ENCRYPT option of the CREATE TABLE or ALTER TABLE statements.
    See Using Transparent Data Encryption in the Advanced Security Admin Guide
    http://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm#BABJJAIG
    >
    3.2 Using Transparent Data Encryption
    The following steps discuss using transparent data encryption:
    •Enabling Transparent Data Encryption
    •Setting and Resetting the Master Encryption Key
    •Opening the Encrypted Wallet
    •Creating Tables with Encrypted Columns
    •Encrypting Columns in Existing Tables
    •Creating an Index on an Encrypted Column
    •Adding or Removing Salt from an Encrypted Column
    •Changing the Encryption Key or Algorithm for Tables Containing Encrypted Columns
    >
    Section 3.2.5.2 Encrypting an Unencrypted Column shows the ALTER TABLE statement for encrypting an existing column - this would leave the column as a DATE and you would work with it normally
    >
    3.2.5.2 Encrypting an Unencrypted Column
    To encrypt an unencrypted column, use the ALTER TABLE MODIFY command, specifying the unencrypted column with the ENCRYPT clause. Example 3-7 encrypts the first_name column in the employee table.
    Example 3-7 Encrypting an Unencrypted Column
    ALTER TABLE employee MODIFY (first_name ENCRYPT);
    The first_name column is encrypted with the default AES192 algorithm. Salt is added to the data, by default.
    You can choose to encrypt the column using a different algorithm. You can also specify NO SALT, if you wish to index the column.

  • DBMS_OBFUSCATION_TOOLKIT.DESENCRYPT Problem

    I am trying to encrypt and decrypt a column in one of my tables. I use Oracle version 8.1.7. When I compile my procedure with the procedure DBMS_OBFUSCATION_TOOLKIT.DESENCRYPT it gets created with no errors. When I try to run the procedure I get the following error:
    ERROR at line 1:
    ORA-06521: PL/SQL: Error mapping function
    ORA-06512: at "DIEBOLD.DBMS_OBFUSCATION_TOOLKIT_FFI", line 0
    ORA-06512: at "DIEBOLD.DBMS_OBFUSCATION_TOOLKIT", line 15
    Since this package uses libraries do i need to do anything different?
    Thanks in advance.

    It doesn't help. My problem is that the following code gives different results in Oracle 8i and Oracle 10g.
    declare
      -- Local variables here
      i integer;
      text RAW(128) := UTL_RAW.CAST_TO_RAW('00000000');
      key RAW(128) := UTL_RAW.CAST_TO_RAW('01234567');
      enc_data RAW(128);
    begin
      -- Test statements here
      DBMS_OBFUSCATION_TOOLKIT.desencrypt (input => text,
                                           KEY => key,
                                           encrypted_data => enc_data);
    end;

  • Information about package sys.dbms_obfuscation_toolkit

    While using this package procedure DesEncrypt , we are facing error i.e
    too many declarations of 'DesEncrypt ' match this call......
    According to me, overloading of procedure has been performed based on datatypes of same family(i.e varchar2 and raw), which to me is not correct.
    Please suggest how to resolve this problem.
    Please give this work as urgent priority.

    You will need to use named notation (reference the parameter names in the call) instead of the normal positional notation because of the implicit conversions possible between varchar2 and raw.
    dbms_obfuscation_toolkit.DESEncrypt
      (input_string => v_string, key_string => v_key, encrypted_string=> v_encrypted_string);

  • ORA-28232 w/ DBMS_OBFUSCATION_TOOLKIT

    I am attempting to use DBMS_OBFUSCATION_TOOLKIT.DESEncrypt on an Oracle 8.1.6.3 database. However it keeps throwing the 28232 error. However I am definitely using an 8 character password.
    Does anybody know what the problem might be?
    TIA, APC

    Here is the my_encryption package code ...........
    CREATE OR REPLACE PACKAGE BODY my_encryption IS
      -- Local variable to hold the current encryption key.
      ps_encryption_key RAW(32);
      -- Local exception to hide Oracle -28231 Error Code.
      INTERNAL_BAD_KEY exception;
      PRAGMA EXCEPTION_INIT(INTERNAL_BAD_KEY, -28231);
      -- Local exception to hide Oracle -28232 Error Code.
      INTERNAL_BAD_DATA exception;
      PRAGMA EXCEPTION_INIT(INTERNAL_BAD_DATA, -28232);
      -- Local function to get the encryption key for a particular case.
      FUNCTION get_case_encryption_key(pi_cas_id IN ELS_CASES.ID%TYPE) RETURN RAW IS
        -- The key to be returned.
        key RAW(16);
        -- Cursor to return the case encryption key in encrypted format.
        CURSOR c_case_key(b_cas_id ELS_CASES.ID%TYPE) IS
          SELECT encryption_key
          FROM els_cases
          WHERE id = b_cas_id;
      BEGIN
        OPEN c_case_key(pi_cas_id);
        FETCH c_case_key INTO key;
        CLOSE c_case_key;
        RETURN key;
      EXCEPTION
        WHEN NO_DATA_FOUND THEN
          RAISE NO_CASE;
      END;
      -- Procedure to initialize package with the master key.
      -- The master key will be held elsewhere from the database.
      PROCEDURE set_master_key(pi_key IN RAW) IS
      BEGIN
        IF LENGTHB(pi_key) != 32 THEN
          RAISE BAD_KEY;
        END IF;
        ps_encryption_key := pi_key;
      END;
      -- Procedure to initialize package with the master key.
      -- Always returns 'Y'
      -- The master key will be held elsewhere from the database.
      FUNCTION set_master_key(pi_key IN RAW) RETURN VARCHAR2 IS
      BEGIN
        set_master_key(pi_key);
        RETURN 'Y';
      END;
      -- Procedure to initialize package with the case encryption key.
      PROCEDURE set_case_key(pi_master_key IN RAW,
                             pi_cas_id IN ELS_CASES.ID%TYPE) IS
      BEGIN
        ps_encryption_key := pi_master_key;
        ps_encryption_key := decrypt(pi_data=>get_case_encryption_key(pi_cas_id));
      END;
      -- Function to initialize package with the case encryption key.
      -- Always returns 'Y'
      FUNCTION set_case_key(pi_master_key IN RAW,
                            pi_cas_id IN ELS_CASES.ID%TYPE) RETURN VARCHAR2 IS
      BEGIN
        set_case_key(pi_master_key,pi_cas_id);
        RETURN 'Y';
      END;
      -- Function to encrypt data using the master key. Note the length of
      -- pi_data, in bytes, must be at most 2000 bytes and be divisible by 8.
      FUNCTION encrypt(pi_data IN RAW) RETURN RAW IS
      BEGIN
        RETURN dbms_obfuscation_toolkit.DES3Encrypt(input => pi_data,
                                                    key => ps_encryption_key);
      EXCEPTION
        WHEN INTERNAL_BAD_DATA THEN
          RAISE BAD_DATA;
        WHEN INTERNAL_BAD_KEY THEN
          RAISE BAD_KEY;
      END;
      -- Function to encrypt a BLOB using the current encryption key.
      FUNCTION encrypt(pi_blob IN BLOB) RETURN BLOB IS
        -- Temporary blob variable to hold the encrypted contents.
        result blob;
        -- Variable to hold the length of the blob.
        blob_length PLS_INTEGER := dbms_lob.getlength(pi_blob);
        -- The Oracle encryption routines can only encrypt data whose length is <=2000.
        max_chunk_length PLS_INTEGER := 2000;
        -- Variable to hold the length of the current chunk that is being encrypted.
        chunk_length PLS_INTEGER;
        -- Variable to remember how much of the input blob has been encrypted.
        pointer PLS_INTEGER := 1;
        -- Variable to hold the next bit of data to be encrypted.
        chunk RAW(2000);
        -- Variable to hold a pad byte used to pad the last chunk.
        pad RAW(1) := utl_raw.substr(utl_raw.cast_to_raw('0'),1,1);
      BEGIN
        -- Create the temporary blob using the database memory buffer.
        dbms_lob.createtemporary(result, TRUE, dbms_lob.call);
        -- Loop through the input blob
        WHILE (pointer <= blob_length) LOOP
          -- Grab at most 2000 bytes from the input blob.
          chunk_length := LEAST(max_chunk_length,blob_length-pointer+1);
          chunk := dbms_lob.substr(pi_blob,chunk_length,pointer);
          -- Pad any chunk (ie the last) so its length is divisible by 8 (another Oracle limitation on encryption)!.
          WHILE mod(chunk_length,8) !=0 LOOP
            chunk := utl_raw.concat(chunk,pad);
            chunk_length := chunk_length+1;
          END LOOP;
          -- Encrypt the chunk and write it to the end of the temporary blob.
          dbms_lob.writeappend(result,
                               chunk_length,
                               encrypt(pi_data => chunk));
          -- Advance the pointer by the length of the last chunk.
          pointer := pointer + chunk_length;
        END LOOP;
        -- All Done!
        RETURN result;
      END;
      -- Function to decrypt data using the master key. Note the length of
      -- pi_data, in bytes, must be at most 2000 bytes and be divisible by 8.
      FUNCTION decrypt(pi_data IN RAW) RETURN RAW IS
      BEGIN
        RETURN dbms_obfuscation_toolkit.DES3Decrypt(input => pi_data,
                                                    key => ps_encryption_key);
      EXCEPTION
        WHEN INTERNAL_BAD_DATA THEN
          RAISE BAD_DATA;
        WHEN INTERNAL_BAD_KEY THEN
          RAISE BAD_KEY;
      END;
      -- Function to decrypt a BLOB using the current encryption key.
      FUNCTION decrypt(pi_blob IN BLOB,
                       pi_size IN PLS_INTEGER) RETURN BLOB IS
        -- Temporary blob variable to hold the encrypted contents.
        result BLOB;
        -- Variable to hold the length of the blob.
        blob_length PLS_INTEGER := dbms_lob.getlength(pi_blob);
        -- The Oracle encryption routines can only encrypt data whose length is <=2000.
        max_chunk_length PLS_INTEGER := 2000;
        -- Variable to hold the length of the current chunk that is being encrypted.
        chunk_length PLS_INTEGER;
        -- Variable to remember how much of the input blob has been encrypted.
        pointer PLS_INTEGER := 1;
      BEGIN
        -- Create the temporary blob using the database memory buffer.
        dbms_lob.createtemporary(result, TRUE, dbms_lob.call);
        -- Loop through the input blob
        WHILE (pointer <= blob_length) LOOP
          -- Grab at most 2000 bytes from the input blob.
          chunk_length := LEAST(max_chunk_length,blob_length-pointer+1);
          -- Decrypt the chunk and write it to the end of the temporary blob.
          dbms_lob.writeappend(result,
                               chunk_length,
                               decrypt(pi_data => dbms_lob.substr(pi_blob,
                                                                  chunk_length,
                                                                  pointer)));
          -- Advance the pointer by the length of the last chunk.
          pointer := pointer + chunk_length;
        END LOOP;
        -- Remove the padding bytes that were added when the data was encrypted.
        dbms_lob.trim(result,pi_size);
        -- All Done!
        RETURN result;
      END;
      -- Procedure to clear session state of stored keys.
      PROCEDURE CLEAR IS
      BEGIN
        ps_encryption_key:=null;
      END;
    END;
    and here is the PL/sql I run before running the sql stmt
    DECLARE
    mkey LONG RAW;
    BEGIN
    mkey := UTL_RAW.CAST_TO_RAW ('&&key');
    my_encryption.set_master_key(mkey);
    my_encryption.set_case_key(mkey,&&case_id);
    END;
    mkey is a 16 digit key .
    and the encrypted_contents I'm trying to decrypt is a BLOB.
    select my_encryption.decrypt(encrypted_contents,file_size),mime_type
    from my_drafts where id = &&draft_id;
    I hope this makes sense .
    Ragini

  • Adf - decrypt the value from dbms_obfuscation_toolkit.md5

    Currently we store a string value in the DB using dbms_obfuscation_toolkit.md5(input_string=>'124').
    How do I decrypt this value back so that I can display in the adf application please?

    btw, md5 is secure hash algorithm so you can't decrypt value.
    Dario

  • DBMS_OBFUSCATION_TOOLKIT.MD5

    DBMS_OBFUSCATION_TOOLKIT.MD5(input_string => p_string) translate the p_string parameter into a MD5-string, but cannot accept NULL values? Anyone knows an answer?

    That argument doesn't make much sense. If I wanted to know if the value was null or not, I could simply get the MD5 for null (if it would do that) and compare those values. The value of message digest is that the attacker doesn't have any clue what original value he's looking for. It's a simple matter to find matches if I know what I'm looking for. In fact, this technique is commonly employed. It's known as a dictionary assault.

  • Problem about DBMS_OBFUSCATION_TOOLKIT

    Can DBMS_OBFUSCATION_TOOLKIT compile on Oracle 7.3.4?

    The problem is that this package is implemented on top of another package which ultimately runs with trusted callouts. I do not believe any of this technology is present in 7.*, although this is before my time.

  • Dbms_obfuscation_toolkit encrypts different for 8i, 10g 32bit & 10g 64bit

    Greetings Guru,
    The dbms_obfuscation_toolkit seems to encrypt different for the three versions of Oracle listed in the title. Our current architecture MUST support Oracle 8i, Windows Oracle 10g 32 bit(V10.2) & Solaris 10 10g 64 bit(V 10.2). When one of the versions of Oracle encrypts a piece of data the other versions can not decrypt it (I use one common key). Is there some way to make the different versions of Oracle encrypt & decrypt the same data using the dbms_obfuscation_toolkit?
    I have flexibility with the two 10g versions, but the 8i version is in production and cannot be changed.
    Any help or suggestions will be appreciated.

    >
    Greetings Juston,
    I'm using DES, I'm not doing any hashing that I know of with the MD5 algorithm. I'm just calling the obfuscation encrypt and decrypt procedures.
    >
    There are multiple encrypt & decrypt methods in that package-- DES3ENCRYPT and DES3DECRYPT use the DES3 algorithm. DESENCRYPT and DESDECRYPT use the DES algorithm. Which set are you using? Are you using the same set in all three environments?
    >
    I'm not actually storing the encrypted data or key. The data when encrypted is stored in a varchar2 variable. The key is also a varchar2 variable. The data is encrypted when it have to travel over the wire. The database(s) calls a procedure and one of the variable is a out type that holds the encrypted data. The client database then decrypts that data. The eight character key is hardcoded in all three databases.
    >
    I would strongly (very, very strongly) suggest not using VARCHAR2 variables to store encrypted data (or keys). When Oracle sends string data over the wire, it may have to be converted from the database character set to the client character set. If this character set conversion changes the encrypted data in any way, the destination won't be able to decrypt it.
    If you use RAW variables everywhere, Oracle knows that the data is binary in nature and doesn't try to do any character set conversion, so it's perfectly safe to transmit over the wire without concern.
    >
    how do I tell what the database character set is?? I'm at home so I can not get into the database right now.
    >
    SELECT *
      FROM v$nls_parameters
     WHERE parameter LIKE '%CHARACTERSET'
    Justin
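
The character-set point in the reply above (and behind the RAW-versus-VARCHAR2 question in the first thread) can be reproduced on a single instance. This is an added example, not code from the thread: the key, plaintext and the WE8ISO8859P1-to-AL32UTF8 pair are assumptions, and UTL_RAW.CONVERT stands in for the conversion Oracle applies to VARCHAR2 data in transit.

```plsql
-- Added example; run in SQL*Plus or SQLcl. All sample values are constructed.
SET SERVEROUTPUT ON
DECLARE
  -- ORA-28232: invalid input length for the obfuscation toolkit.
  bad_length EXCEPTION;
  PRAGMA EXCEPTION_INIT(bad_length, -28232);

  l_key     RAW(8)  := UTL_RAW.CAST_TO_RAW('01234567');
  l_plain   RAW(16) := UTL_RAW.CAST_TO_RAW(RPAD('hello world', 16));
  l_enc     RAW(16);
  l_mangled RAW(64);
  l_hex     VARCHAR2(32);

  -- Decrypts p_data and reports whether the original plaintext came back.
  PROCEDURE try_decrypt(p_label IN VARCHAR2, p_data IN RAW) IS
    l_out RAW(64);
  BEGIN
    l_out := DBMS_OBFUSCATION_TOOLKIT.DESDecrypt(input => p_data, key => l_key);
    IF l_out = l_plain THEN
      DBMS_OUTPUT.PUT_LINE(p_label || ': plaintext recovered');
    ELSE
      DBMS_OUTPUT.PUT_LINE(p_label || ': decrypts to garbage');
    END IF;
  EXCEPTION
    WHEN bad_length THEN
      DBMS_OUTPUT.PUT_LINE(p_label || ': ORA-28232, length is no longer a multiple of 8');
  END;
BEGIN
  l_enc := DBMS_OBFUSCATION_TOOLKIT.DESEncrypt(input => l_plain, key => l_key);
  DBMS_OUTPUT.PUT_LINE('ciphertext: ' || UTL_RAW.LENGTH(l_enc) || ' bytes');

  -- Path 1: ciphertext handled as text. Simulate a WE8ISO8859P1 sender and an
  -- AL32UTF8 receiver: every byte >= 0x80 is rewritten as a two-byte sequence,
  -- so the data changes unless all 16 bytes happen to be below 0x80.
  l_mangled := UTL_RAW.CONVERT(l_enc,
                               'AMERICAN_AMERICA.AL32UTF8',
                               'AMERICAN_AMERICA.WE8ISO8859P1');
  DBMS_OUTPUT.PUT_LINE('after conversion: ' || UTL_RAW.LENGTH(l_mangled) || ' bytes');
  try_decrypt('VARCHAR2 path', l_mangled);

  -- Path 2: ciphertext kept as RAW, or carried as hex when a text column or
  -- text protocol is unavoidable. Hex digits are the same in both character sets.
  l_hex := RAWTOHEX(l_enc);
  try_decrypt('RAW/hex path', HEXTORAW(l_hex));
END;
/
```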

  • Does dbms_obfuscation_toolkit support MD5 ?

    I want to know that does this package(dbms_obfuscation_toolkit) encrypts data in MD5 format . Does this package support MD5.
    Regards
    null

    CREATE OR REPLACE PROCEDURE obfuscation_demo AS
    l_data varchar2(255);
    l_string VARCHAR2(25) := 'hello world';
    BEGIN
    -- Both the key and the input data must have a length
    -- divisible by eight (the key must be exactly 8 bytes long).
    l_data := RPAD(l_string,(TRUNC(LENGTH(l_string)/8)+1)*8,CHR(0));
    DBMS_OUTPUT.PUT_LINE('l_string before encrypt: ' || l_string);
    -- Encrypt the input string
    DBMS_OBFUSCATION_TOOLKIT.DESENCRYPT
    (input_string => l_data,
    key_string => 'magickey',
    encrypted_string => l_string);
    DBMS_OUTPUT.PUT_LINE('l_string ENCRYPTED: ' || l_string);
    -- Decrypt the input string
    DBMS_OBFUSCATION_TOOLKIT.DESDECRYPT
    (input_string => l_string,
    key_string => 'magickey',
    decrypted_string => l_data);
    DBMS_OUTPUT.PUT_LINE('l_string DECRYPT: ' || L_DATA);
    END;
    its encrypting in DES .
    You said that dbms_obfuscation_toolkit supports md5.
    If yes then how can i use this procedure to make it effective for md5. How does md5 implement on this procedure.
    Can u help me regarding this.
    Regards
    null

  • DBMS_OBFUSCATION_TOOLKIT.DESEncrypt  ... length of output ?

    If I know the max length of input data, can I know the max length of encrypted output ?
    (e.g. for storing password in encrypted format, i should know the size of field, if max length of password is known )

    The toolkit needs data in 8 byte multiples.
    That means if your password is varchar2(30) use raw(32) to store the encrypted passwords.

  • Default Encrypted  Password

    Dear All,
    I want to insert the encrypted password of the 'password' string into table user_dtl column PASSWORD.
    How can I insert an encrypted password into the table?
    Thanks

    Hi Vedant,
    See the CUSTOM_HASH function that is installed with sample application in the APEX.
    Here is the code for it:
    create or replace function custom_hash (p_username in varchar2, p_password in varchar2)
    return varchar2
    is
      l_password varchar2(4000);
      l_salt varchar2(4000) := 'XFSPL28ZTWEWWM6FHWMK68AG5NQVLU';
    begin
    -- This function should be wrapped, as the hash algorithm is exposed here.
    -- You can change the value of l_salt or the method of which to call the
    -- DBMS_OBFUSCATION toolkit, but you must reset all of your passwords
    -- if you choose to do this.
    l_password := utl_raw.cast_to_raw(dbms_obfuscation_toolkit.md5
      (input_string => p_password || substr(l_salt,10,13) || p_username ||
        substr(l_salt, 4,10)));
    return l_password;
    end;
    >
    i want to insert encrypted Password of 'password' string into table user_dtl column PASSWORD.
    >
    The above function will give the encrypted password which can be inserted into USER_DTL as follows:
    INSERT INTO USER_DTL(USERNAME,PASSWORD) VALUES(:P1_USERNAME, CUSTOM_HASH(:P1_USERNAME,:P1_PASSWORD))
    Be sure that PASSWORD column in USER_DTL is of type VARCHAR2 and of adequate length as to accommodate the encrypted password.
    Hope it helps!
    Regards,
    Kiran

  • How to avoid of application running on Oracle 10g to be copied?

    I am a newbie to the security issues, so I need your help, please, where to start / what to read:
    I have an application running across many customers on Oracle 10g. I have faced lately that our users
    can use their daily backups to establish a totally new database on the same / different server
    and point our application to use it as well.
    Is there any way to avoid it? F.e. I thought to use SELECT * FROM v$instance; to get the server instance details, and
    in result with some other function to obtain, let say, local server's (WIN2003) details,
    such as HD Serial Number, MAC number or so and then to check these values each time user runs the application.
    Is it the correct way? What are the basics here at all?
    Many thanks in advance to all!

    A lot of enterprises, however, actively avoid systems which are locked down to a particular server for very legitimate reasons. If my data center dies in the middle of the night, I sure don't want to have to call your mobile phone so that you can get to a computer, log in to the office network, and get me a new key so that I can finish my emergency failover. If I've got dozens of applications, I absolutely don't want to do that with dozens of different vendors.
    It sounds like your problem, though, isn't that users are installing your software on multiple computers it's that they are accessing functionality they haven't licensed. That is generally a much easier problem to solve and doesn't require you to lock anything down to a particular machine. You can create a table LICENSED_CONTENT, for example,
    CREATE TABLE licensed_content (
      client_id    NUMBER,
      content_type VARCHAR2(30),
      key          RAW(128)
    );
    In this case, KEY is, say, a hash (using the DBMS_CRYPTO or DBMS_OBFUSCATION_TOOLKIT packages if you'd like) of the client_id, content_type, and a bit of salt (i.e. a fixed string that only you know). When you sell a license to manage diamond content, you provide a script that inserts the appropriate row in the LICENSED_CONTENT table. When your application starts up, it reads the LICENSED_CONTENT table and verifies the hash before allowing users to access that type of content. This allows legitimate customers to move the software from one system to another but prevents them from accessing new functionality without a new license.
    Justin
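
One way to implement the LICENSED_CONTENT check described above, as an added example rather than code from the post. It uses an HMAC from DBMS_CRYPTO in place of a plain hash with salt; license_key, is_licensed, the secret and the sample rows are hypothetical, and client_id is assumed to be an integer.

```plsql
-- Added example. Assumes the licensed_content table from the post exists and
-- the owner has EXECUTE on DBMS_CRYPTO.

-- Computes the value stored in licensed_content.key for one license row.
-- The '|' delimiter keeps (1, '23X') and (12, '3X') from producing the same input.
CREATE OR REPLACE FUNCTION license_key (
  p_client_id    IN NUMBER,
  p_content_type IN VARCHAR2,
  p_secret       IN RAW          -- vendor-held secret, never stored in the table
) RETURN RAW IS
BEGIN
  RETURN DBMS_CRYPTO.MAC(
           src => UTL_RAW.CAST_TO_RAW(TO_CHAR(p_client_id) || '|' || p_content_type),
           typ => DBMS_CRYPTO.HMAC_SH1,
           key => p_secret);
END;
/

-- Startup check: TRUE only if a row exists and its key matches the recomputed MAC.
CREATE OR REPLACE FUNCTION is_licensed (
  p_client_id    IN NUMBER,
  p_content_type IN VARCHAR2,
  p_secret       IN RAW
) RETURN BOOLEAN IS
  l_stored licensed_content.key%TYPE;
BEGIN
  SELECT key
    INTO l_stored
    FROM licensed_content
   WHERE client_id = p_client_id
     AND content_type = p_content_type;

  IF l_stored IS NOT NULL
     AND l_stored = license_key(p_client_id, p_content_type, p_secret) THEN
    RETURN TRUE;
  END IF;
  RETURN FALSE;
EXCEPTION
  WHEN NO_DATA_FOUND OR TOO_MANY_ROWS THEN
    RETURN FALSE;
END;
/

-- Constructed walk-through: a valid row passes, an edited row does not.
SET SERVEROUTPUT ON
DECLARE
  l_secret RAW(32) := UTL_RAW.CAST_TO_RAW('constructed-demo-secret');
BEGIN
  INSERT INTO licensed_content (client_id, content_type, key)
  VALUES (42, 'DIAMOND', license_key(42, 'DIAMOND', l_secret));

  DBMS_OUTPUT.PUT_LINE('DIAMOND licensed: ' ||
    CASE WHEN is_licensed(42, 'DIAMOND', l_secret) THEN 'yes' ELSE 'no' END);

  -- A customer relabels the row to unlock content that was never sold.
  UPDATE licensed_content SET content_type = 'GOLD'
   WHERE client_id = 42 AND content_type = 'DIAMOND';

  DBMS_OUTPUT.PUT_LINE('GOLD licensed: ' ||
    CASE WHEN is_licensed(42, 'GOLD', l_secret) THEN 'yes' ELSE 'no' END);

  ROLLBACK;
END;
/
```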
