Abstract
Explain the DES3Encrypt and DES3Decrypt procedures.

Product Name, Product Version
Oracle Server Enterprise Edition
Versions 8.1.7, 9.0.1 and 9.2.0.

Platform
Generic

Date Created
29-OKT-2002

Instructions
First, create two functions my_des3encrypt and my_des3decrypt that mimic the DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and DES3Decrypt procedures to show how the CBC mode is implemented using an IV (or seed).

Next, use the functions by encrypting a long string and decrypting it with the supplied DES3Decrypt procedure: the input string is encrypted 8 bytes at a time where the encrypted output from each step is fed back into my_des3encrypt as the IV. The second example works the other way round with one block of 8 bytes (up to the reader to extend this example to a longer string).

PROOFREAD THIS SCRIPT BEFORE USING IT! Due to differences in the way text editors, e-mail packages, and operating systems handle text formatting (spaces, tabs, and carriage returns), this script may not be in an executable state when you first receive it. Check over the script to ensure that errors of this type are corrected.

Description
This article explains
-> the implementation of the DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and DES3Decrypt procedures
-> the relationship between the DESEncrypt and DESDecrypt procedures with the way outer cipher-block-chaining (CBC) mode is achieved.

The following example uses the 3 key variant of triple DES required by a 192 bit key. Oracle uses the scheme C = Ek3(Dk2(Ek1(P))) for encryption where :
-> E is a DES encryption round
-> D is a DES decryption round
-> P is the plaintext
-> C is the ciphertext

In the CBC mode of a block cipher, the plaintext block i is XORed with the previous ciphertext block i-1 before it is encrypted. Usually, a random seed is used for the first block that is sent along with the ciphertext. The Oracle implementation uses a fixed seed (0123456789ABCDEF). CBC mode enhances security because every block depends on its predecessors and thus makes breaking of the code or tampering with it more difficult.
To enhance security even further, application developers can prefix the plaintext with a random string of 8 characters that can be discarded on decryption. This in effect results in using a random seed instead of the fixed seed; it has the advantage that even plaintexts that are the same or start the same result in ciphertexts that are completely different.

References
Oracle 9i Supplied PL/SQL Packages and Types Reference, Volume 2 release 1 (9.0.1)
<Note 1053864.6> How to Generate Random Numbers
<Note:228636.1> Meaning of the "WHICH" parameter in the procedures: DES3Decrypt AND DES3Encrypt
<Note:225214.1> New IV Parameter to DES3Encrypt and DES3Decrypt Enhances Interoperability

Script

create or replace function my_des3encrypt(plaintext in raw, IV in RAW,
                                          key1 in raw, key2 in raw, key3 in raw)
return raw as
  -- 3 key 3des encryption implementation: Ek3(Dk2(Ek1(P)))
  tempstore1 raw(128);
  tempstore2 raw(128);
  tempstore3 raw(128);
  xored      raw(128);
begin
  -- CBC step: XOR the plaintext block with the IV (or previous ciphertext block)
  xored := utl_raw.bit_xor(IV,plaintext);
  dbms_obfuscation_toolkit.desencrypt(
    input => xored, key => key1, encrypted_data => tempstore1);
  dbms_obfuscation_toolkit.desdecrypt(
    input => tempstore1, key => key2, decrypted_data => tempstore2);
  dbms_obfuscation_toolkit.desencrypt(
    input => tempstore2, key => key3, encrypted_data => tempstore3);
  return tempstore3;
end my_des3encrypt;
/
show err

create or replace function my_des3decrypt(ciphertext in raw, IV in raw,
                                          key1 in raw, key2 in raw, key3 in raw)
return raw as
  -- 3 key 3des decryption implementation: Dk1(Ek2(Dk3(C)))
  tempstore1 raw(128);
  tempstore2 raw(128);
  tempstore3 raw(128);
  xored      raw(128);
begin
  dbms_obfuscation_toolkit.desdecrypt(
    input => ciphertext, key => key3, decrypted_data => tempstore1);
  dbms_obfuscation_toolkit.desencrypt(
    input => tempstore1, key => key2, encrypted_data => tempstore2);
  dbms_obfuscation_toolkit.desdecrypt(
    input => tempstore2, key => key1, decrypted_data => tempstore3);
  -- CBC step: XOR the decrypted block with the IV to recover the plaintext
  xored := utl_raw.bit_xor(IV,tempstore3);
  return xored;
end my_des3decrypt;
/
show err

set serveroutput on

-- test encryption with my_des3encrypt, decryption with supplied des3decrypt
declare
  teststringin  varchar2(256);
  teststringout varchar2(256);
  testplain1    varchar2(8);
  testraw1      raw(1024);
  testmy3des1   raw(128);
  longtestraw   raw(1024);
  key1          raw(128);
  key2          raw(128);
  key3          raw(128);
  des3key       raw(256);
  IV            raw(128);
  l             number;
begin
  teststringin := 'This is the input string for my test routine !!!';
  --               123456781234567812345678123456781234567812345678
  key1 := hextoraw('A1B890F12D543680');
  key2 := hextoraw('132FD66F5009895C');
  key3 := hextoraw('06F58436588321FF');
  IV   := hextoraw('0123456789ABCDEF');
  testplain1  := substr(teststringin,1,8);
  testraw1    := utl_raw.cast_to_raw(testplain1);
  testmy3des1 := my_des3encrypt(testraw1,IV,key1,key2,key3);
  l := length(teststringin)/8;
  longtestraw := testmy3des1;
  for i in 2..l loop
    testplain1 := substr(teststringin,i*8-7,8);
    testraw1   := utl_raw.cast_to_raw(testplain1);
    -- feedback the previous encrypted block as IV for the CBC
    testmy3des1 := my_des3encrypt(testraw1,testmy3des1,key1,key2,key3);
    longtestraw := longtestraw||testmy3des1;
  end loop;
  -- concatenate the keys for the DES3Decrypt routine.
  des3key := key1||key2||key3;
  dbms_obfuscation_toolkit.DES3Decrypt(
    input => longtestraw, key => des3key,
    decrypted_data => testraw1, which => 1);
  teststringout := utl_raw.cast_to_varchar2(testraw1);
  dbms_output.put_line(teststringout);
end;
/

-- test encryption with des3encrypt, decryption with my_des3decrypt
declare
  testplain1  varchar2(8);
  testraw1    raw(128);
  testmy3des1 raw(128);
  key1        raw(128);
  key2        raw(128);
  key3        raw(128);
  des3key     raw(256);
  IV          raw(128);
begin
  testplain1 := 'OtherWay';
  testraw1   := utl_raw.cast_to_raw(testplain1);
  key1 := hextoraw('0123456789ABCDEF');
  key2 := hextoraw('FEDCBA9876543210');
  key3 := hextoraw('01020304050607CF');
  IV   := hextoraw('0123456789ABCDEF');
  des3key := key1||key2||key3;
  dbms_obfuscation_toolkit.DES3Encrypt(
    input => testraw1, key => des3key,
    encrypted_data => testmy3des1, which => 1);
  testraw1   := my_des3decrypt(testmy3des1,IV,key1,key2,key3);
  testplain1 := utl_raw.cast_to_varchar2(testraw1);
  dbms_output.put_line(testplain1);
end;
/

Sample Output

This is the input string for my test routine !!!

PL/SQL procedure successfully completed.

SQL>
OtherWay

PL/SQL procedure successfully completed.

Disclaimer
EXCEPT WHERE EXPRESSLY PROVIDED OTHERWISE, THE INFORMATION, SOFTWARE, PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. ORACLE EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. ORACLE MAKES NO WARRANTY THAT: (A) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SOFTWARE WILL BE ACCURATE OR RELIABLE; OR (B) THE INFORMATION, OR OTHER MATERIAL OBTAINED WILL MEET YOUR EXPECTATIONS. ANY CONTENT, MATERIALS, INFORMATION OR SOFTWARE DOWNLOADED OR OTHERWISE OBTAINED IS DONE AT YOUR OWN DISCRETION AND RISK. ORACLE SHALL HAVE NO RESPONSIBILITY FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF ANY CONTENT, MATERIALS, INFORMATION OR SOFTWARE.
ORACLE RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE SOFTWARE AT ANY TIME WITHOUT NOTICE.

Limitation of Liability
IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE SOFTWARE. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

-----Original Message-----
From: oracle_br@yahoogrupos.com.br [mailto:[EMAIL PROTECTED] On behalf of Fábio Bispo
Sent: Wednesday, August 31, 2005 17:02
To: oracle_br@yahoogrupos.com.br
Subject: Re: [oracle_br] production database replication (dbms_obfuscation_toolkit)

Could you send an example here to the list?

Thanks,
Fábio

----- Original Message -----
From: Gari Julio Einsfeldt
To: oracle_br@yahoogrupos.com.br
Sent: Wednesday, August 31, 2005 4:03 PM
Subject: RES: [oracle_br] production database replication (dbms_obfuscation_toolkit)

Search the list for the package dbms_obfuscation_toolkit; there are several examples of how to use it.

-----Original Message-----
From: oracle_br@yahoogrupos.com.br [mailto:[EMAIL PROTECTED] On behalf of Fábio Bispo
Sent: Wednesday, August 31, 2005 15:28
To: oracle_br@yahoogrupos.com.br
Subject: Re: [oracle_br] production database replication

Folks,

I need a password field of a table in my database to be encrypted. Does anyone know how to do this?

Thanks,
Fábio

----- Original Message -----
From: Renan da Silveira Medeiros
To: oracle_br@yahoogrupos.com.br
Sent: Wednesday, August 31, 2005 2:34 PM
Subject: Re: [oracle_br] production database replication

Dear Edu, if you would like to contact me directly ([EMAIL PROTECTED]), we can talk about a replication software.

Renan Medeiros
Support/Training/Pre-sales Coordinator
Unimix Tecnologia Ltda
0 xx 61 9994 0586
0 xx 61 3201 8888

----- Original Message -----
From: edu_ora
To: oracle_br@yahoogrupos.com.br
Sent: Wednesday, August 31, 2005 2:28 PM
Subject: [oracle_br] production database replication

Good afternoon everyone,

I need to replicate the data from my production database to a database that will be used, at first, only for queries. Today I have a script that does the import and is scheduled in Windows to run every night. I would like to know if anyone uses another way to do this.

OS: Windows 2000 SP4
DB: Oracle 9.2.0.5.0 Standard Edition

Thanks,
Eduardo

______________________________________________________________________
History: http://www.mail-archive.com/oracle_br@yahoogrupos.com.br/
Contact the moderators: ([EMAIL PROTECTED]) Dorian Anderson Soutto - Fernanda Damous - Alisson Aguiar
______________________________________________________________________
Yahoo! Groups links
a.. To visit your group's site on the web, go to: http://br.groups.yahoo.com/group/oracle_br/
b.. To leave this group, send an e-mail to: [EMAIL PROTECTED]
c.. Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service: http://br.yahoo.com/info/utos.html

[Non-text portions of this message have been removed]
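
Returning to the Oracle note at the top of this message: the following added example (not part of the note or of the thread) shows what the fixed seed reveals when two plaintexts start the same, and how the random 8-byte prefix removes that. Python's standard library has no DES, so a small SHA-256-based Feistel permutation stands in for DESEncrypt/DESDecrypt; the function names and the sample message M2 are assumptions made here, and the chaining behaviour shown does not depend on the block cipher.

```python
import hashlib
import os

BLOCK = 8
FIXED_IV = bytes.fromhex("0123456789ABCDEF")        # fixed seed quoted in the note
K1, K2, K3 = (bytes.fromhex(k) for k in             # keys from the note's first test
              ("A1B890F12D543680", "132FD66F5009895C", "06F58436588321FF"))
M1 = b"This is the input string for my test routine !!!"   # test string from the note
M2 = b"This is the input string for another message !!!"   # constructed sample

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):                      # stand-in 64-bit cipher, NOT real DES
    l, r = blk[:4], blk[4:]
    for rnd in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l

def E(key, blk):                                    # plays the role of DESEncrypt
    return feistel(key, blk, range(4))
def D(key, blk):                                    # plays the role of DESDecrypt
    return feistel(key, blk, range(3, -1, -1))

def cbc_encrypt(pt, iv=FIXED_IV):
    if len(pt) % BLOCK:
        raise ValueError("plaintext must be a multiple of 8 bytes")
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):              # C_i = Ek3(Dk2(Ek1(P_i xor C_{i-1})))
        prev = E(K3, D(K2, E(K1, xor(prev, pt[i:i + BLOCK]))))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, iv=FIXED_IV):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):              # P_i = Dk1(Ek2(Dk3(C_i))) xor C_{i-1}
        out.append(xor(prev, D(K1, E(K2, D(K3, ct[i:i + BLOCK])))))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def encrypt_prefixed(pt):                           # random first block acts as a random seed
    return cbc_encrypt(os.urandom(BLOCK) + pt)

def decrypt_prefixed(ct):                           # drop the random block after decrypting
    return cbc_decrypt(ct)[BLOCK:]

def equal_leading_blocks(a, b):                     # ciphertext blocks an observer sees match
    same = [a[i:i + BLOCK] == b[i:i + BLOCK] for i in range(0, min(len(a), len(b)), BLOCK)]
    return same.index(False) if False in same else len(same)
```

With the fixed seed, `equal_leading_blocks(cbc_encrypt(M1), cbc_encrypt(M2))` reports the three blocks the two messages share; with `encrypt_prefixed` the count drops to zero, at the cost of one extra 8-byte block per stored value.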