Abstract
Explain the DES3Encrypt and DES3Decrypt procedures.
Product Name, Product Version
Oracle Server Enterprise Edition
Versions 8.1.7 , 9.0.1 and 9.2.0.
Platform Generic
Date Created 29-OKT-2002
Instructions
First, create two functions my_des3encrypt and my_des3decrypt that mimic the
DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and DES3Decrypt procedures to show how the
CBC mode is implemented using an IV (or seed). Next, use the functions by
encrypting a long string and decrypting it with the supplied DES3Decrypt
procedure: the input string is encrypted 8 bytes at a time where the encrypted
output from each step is fed back into my_des3encrypt as the IV. The second
example works the other way round with one block of 8 bytes (up to the reader
to extend this example to a longer string).
PROOFREAD THIS SCRIPT BEFORE USING IT! Due to differences in the way text
editors, e-mail packages, and operating systems handle text formatting (spaces,
tabs, and carriage returns), this script may not be in an executable state
when you first receive it. Check over the script to ensure that errors of
this type are corrected.
Description
This article explains
-> the implementation of the DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and
DES3Decrypt procedures
-> the relationship between the DESEncrypt and DESDecrypt procedures with the
way outer cipher-block-chaining (CBC) mode is achieved.
The following example uses the 3 key variant of triple DES required by a 192
bit
key.
Oracle uses the scheme C = Ek3(Dk2(Ek1(P))) for encryption where :
-> E is a DES encryption round
-> D is a DES decryption round
-> P is the plaintext
-> C is the ciphertext
In the CBC mode of a block cipher, the plaintext block i is XORed with the
previous ciphertext block i-1 before it is encrypted. Usually, a random seed
is used for the first block that is sent along with the ciphertext.
The Oracle implementation uses a fixed seed (0123456789ABCDEF). CBC mode
enhances security because every block depends on its predecessors and thus
makes breaking of the code or tampering with it more difficult.
To enhance security even further, application developers can prefix the
plaintext with a random string of 8 characters that can be discarded on
decryption, this in effect results in using a random seed instead of the
fixed seed, it has the advantage that even plaintexts that are the same
or start the same result in ciphertexts that are completely different.
References
Oracle 9i Supplied PL/SQL Packages
and Types Reference, Volume 2 release 1 (9.0.1)
<Note 1053864.6> How to Generate Random Numbers
<Note:228636.1>
Meaning of the "WHICH" parameter in the procedures:
DES3Decrypt AND DES3Encrypt
<Note:225214.1>
New IV Parameter to DES3Encrypt and DES3Decrypt
Enhances Interoperability
Script
create or replace function my_des3encrypt(plaintext in raw, IV in RAW,
key1 in raw, key2 in raw ,key3 in raw)
return raw as
-- 3 key 3des encryption implementation: Ek3(Dk2(Ek1(P)))
tempstore1 raw(128);
tempstore2 raw(128);
tempstore3 raw(128);
xored raw(128);
begin
xored := utl_raw.bit_xor(IV,plaintext);
dbms_obfuscation_toolkit.desencrypt(
input => xored,
key => key1,
encrypted_data => tempstore1);
dbms_obfuscation_toolkit.desdecrypt(
input => tempstore1,
key => key2,
decrypted_data => tempstore2);
dbms_obfuscation_toolkit.desencrypt(
input => tempstore2,
key => key3,
encrypted_data => tempstore3);
return tempstore3;
end my_des3encrypt;
/
show err
create or replace function my_des3decrypt(ciphertext in raw, IV in raw,
key1 in raw, key2 in raw ,key3 in raw)
return raw as
-- 3 key 3des decryption implementation: Dk1(Ek2(Dk3(C)))
tempstore1 raw(128);
tempstore2 raw(128);
tempstore3 raw(128);
xored raw(128);
begin
dbms_obfuscation_toolkit.desdecrypt(
input => ciphertext,
key => key3,
decrypted_data => tempstore1);
dbms_obfuscation_toolkit.desencrypt(
input => tempstore1,
key => key2,
encrypted_data => tempstore2);
dbms_obfuscation_toolkit.desdecrypt(
input => tempstore2,
key => key1,
decrypted_data => tempstore3);
xored := utl_raw.bit_xor(IV,tempstore3);
return xored;
end my_des3decrypt;
/
show err
set serveroutput on
-- test encryption with my_des3encrypt, decryption with supplied des3decrypt
declare
teststringin varchar2(256);
teststringout varchar2(256);
testplain1 varchar2(8);
testraw1 raw(1024);
testmy3des1 raw(128);
longtestraw raw(1024);
key1 raw(128);
key2 raw(128);
key3 raw(128);
des3key raw(256);
IV raw(128);
l number;
begin
teststringin := 'This is the input string for my test routine !!!';
-- 123456781234567812345678123456781234567812345678
key1 := hextoraw('A1B890F12D543680');
key2 := hextoraw('132FD66F5009895C');
key3 := hextoraw('06F58436588321FF');
IV := hextoraw('0123456789ABCDEF');
testplain1 := substr(teststringin,1,8);
testraw1 := utl_raw.cast_to_raw(testplain1);
testmy3des1 := my_des3encrypt(testraw1,IV,key1,key2,key3);
l := length(teststringin)/8;
longtestraw := testmy3des1;
for i in 2..l loop
testplain1 := substr(teststringin,i*8-7,8);
testraw1 := utl_raw.cast_to_raw(testplain1);
-- feedback the previous encrypted block as IV for the CBC
testmy3des1 := my_des3encrypt(testraw1,testmy3des1,key1,key2,key3);
longtestraw := longtestraw||testmy3des1;
end loop;
-- concatenate the keys for the DES3Decrypt routine.
des3key := key1||key2||key3;
dbms_obfuscation_toolkit.DES3Decrypt(
input => longtestraw,
key => des3key,
decrypted_data => testraw1,
which => 1);
teststringout := utl_raw.cast_to_varchar2(testraw1);
dbms_output.put_line(teststringout);
end;
/
-- test encryption with des3encrypt, decryption with my_des3decrypt
declare
testplain1 varchar2(8);
testraw1 raw(128);
testmy3des1 raw(128);
key1 raw(128);
key2 raw(128);
key3 raw(128);
des3key raw(256);
IV raw(128);
begin
testplain1 := 'OtherWay';
testraw1 := utl_raw.cast_to_raw(testplain1);
key1 := hextoraw('0123456789ABCDEF');
key2 := hextoraw('FEDCBA9876543210');
key3 := hextoraw('01020304050607CF');
IV := hextoraw('0123456789ABCDEF');
des3key := key1||key2||key3;
dbms_obfuscation_toolkit.DES3Encrypt(
input => testraw1,
key => des3key,
encrypted_data => testmy3des1,
which => 1);
testraw1 := my_des3decrypt(testmy3des1,IV,key1,key2,key3);
testplain1 := utl_raw.cast_to_varchar2(testraw1);
dbms_output.put_line(testplain1);
end;
/
Sample Output
This is the input string for my test routine !!!
PL/SQL procedure successfully completed.
SQL>
OtherWay
PL/SQL procedure successfully completed.
Disclaimer
EXCEPT WHERE EXPRESSLY PROVIDED OTHERWISE, THE INFORMATION, SOFTWARE,
PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. ORACLE EXPRESSLY DISCLAIMS
ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NON-INFRINGEMENT. ORACLE MAKES NO WARRANTY THAT: (A) THE RESULTS
THAT MAY BE OBTAINED FROM THE USE OF THE SOFTWARE WILL BE ACCURATE OR
RELIABLE; OR (B) THE INFORMATION, OR OTHER MATERIAL OBTAINED WILL MEET YOUR
EXPECTATIONS. ANY CONTENT, MATERIALS, INFORMATION OR SOFTWARE DOWNLOADED OR
OTHERWISE OBTAINED IS DONE AT YOUR OWN DISCRETION AND RISK. ORACLE SHALL HAVE
NO RESPONSIBILITY FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT
RESULTS FROM THE DOWNLOAD OF ANY CONTENT, MATERIALS, INFORMATION OR SOFTWARE.
ORACLE RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE SOFTWARE AT ANY
TIME WITHOUT NOTICE.
Limitation of Liability
IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE,
DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN
CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE SOFTWARE.
SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY.
ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.
-----Mensagem original-----
De: oracle_br@yahoogrupos.com.br [mailto:[EMAIL PROTECTED]
nome de Fábio Bispo
Enviada em: quarta-feira, 31 de agosto de 2005 17:02
Para: oracle_br@yahoogrupos.com.br
Assunto: Re: [oracle_br] replicação do banco de dados de produção
(dbms_obfuscation_toolkit)
Tem como vc enviar aqui pra lista um exemplo não?
Obrigado
Fábio
----- Original Message -----
From: Gari Julio Einsfeldt
To: oracle_br@yahoogrupos.com.br
Sent: Wednesday, August 31, 2005 4:03 PM
Subject: RES: [oracle_br] replicação do banco de dados de produção
(dbms_obfuscation_toolkit)
procura na lista pela package
dbms_obfuscation_toolkit
tem varios exemplos de como usar
-----Mensagem original-----
De: oracle_br@yahoogrupos.com.br [mailto:[EMAIL PROTECTED]
nome de Fábio Bispo
Enviada em: quarta-feira, 31 de agosto de 2005 15:28
Para: oracle_br@yahoogrupos.com.br
Assunto: Re: [oracle_br] replicação do banco de dados de produção
Pessoal,
Preciso que um campo senha de uma tabela no meu banco seja criptografado.
Algume sabe como fazer isso?
Obrigado
Fábio
----- Original Message -----
From: Renan da Silveira Medeiros
To: oracle_br@yahoogrupos.com.br
Sent: Wednesday, August 31, 2005 2:34 PM
Subject: Re: [oracle_br] replicação do banco de dados de produção
Caro Edu, se quiser entrar em contato direto comigo ([EMAIL PROTECTED]),
poderemos falar sobre um software de replicação.
Renan Medeiros
Coordenador de Suporte/Treinamento/Pré-venda
Unimix Tecnologia Ltda
0 xx 61 9994 0586
0 xx 61 3201 8888
----- Original Message -----
From: edu_ora
To: oracle_br@yahoogrupos.com.br
Sent: Wednesday, August 31, 2005 2:28 PM
Subject: [oracle_br] replicação do banco de dados de produção
Boa tarde pessoal, estou precisando replicar os dados da minha base de
produção para uma base que será utilizada, a principio, apenas como
consulta. Hoje tenho um script que faz o import e é agendado no
windows para que execute todas as noites.
Gostaria de saber se alguém se utiliza de uma outra forma para se
fazer isto.
S.O.: Windows 2000 SP4
B.D.: Oracle 9.2.0.5.0 Standard Edition
Obrigado,
Eduardo
______________________________________________________________________
Histórico: http://www.mail-archive.com/oracle_br@yahoogrupos.com.br/
Falar com os Moderadores:([EMAIL PROTECTED])
Dorian Anderson Soutto - Fernanda Damous - Alisson Aguiar
______________________________________________________________________
Yahoo! Grupos, um serviço oferecido por:
PUBLICIDADE
------------------------------------------------------------------------------
Links do Yahoo! Grupos
a.. Para visitar o site do seu grupo na web, acesse:
http://br.groups.yahoo.com/group/oracle_br/
b.. Para sair deste grupo, envie um e-mail para:
[EMAIL PROTECTED]
c.. O uso que você faz do Yahoo! Grupos está sujeito aos Termos do
Serviço do Yahoo!.
[As partes desta mensagem que não continham texto foram removidas]
______________________________________________________________________
Histórico: http://www.mail-archive.com/oracle_br@yahoogrupos.com.br/
Falar com os Moderadores:([EMAIL PROTECTED])
Dorian Anderson Soutto - Fernanda Damous - Alisson Aguiar
______________________________________________________________________
Yahoo! Grupos, um serviço oferecido por:
PUBLICIDADE
------------------------------------------------------------------------------
Links do Yahoo! Grupos
a.. Para visitar o site do seu grupo na web, acesse:
http://br.groups.yahoo.com/group/oracle_br/
b.. Para sair deste grupo, envie um e-mail para:
[EMAIL PROTECTED]
c.. O uso que você faz do Yahoo! Grupos está sujeito aos Termos do
Serviço do Yahoo!.
[As partes desta mensagem que não continham texto foram removidas]
______________________________________________________________________
Histórico: http://www.mail-archive.com/oracle_br@yahoogrupos.com.br/
Falar com os Moderadores:([EMAIL PROTECTED])
Dorian Anderson Soutto - Fernanda Damous - Alisson Aguiar
______________________________________________________________________
Links do Yahoo! Grupos
______________________________________________________________________
Histórico: http://www.mail-archive.com/oracle_br@yahoogrupos.com.br/
Falar com os Moderadores:([EMAIL PROTECTED])
Dorian Anderson Soutto - Fernanda Damous - Alisson Aguiar
______________________________________________________________________
Yahoo! Grupos, um serviço oferecido por:
PUBLICIDADE
------------------------------------------------------------------------------
Links do Yahoo! Grupos
a.. Para visitar o site do seu grupo na web, acesse:
http://br.groups.yahoo.com/group/oracle_br/
b.. Para sair deste grupo, envie um e-mail para:
[EMAIL PROTECTED]
c.. O uso que você faz do Yahoo! Grupos está sujeito aos Termos do Serviço
do Yahoo!.
[As partes desta mensagem que não continham texto foram removidas]
______________________________________________________________________
Histórico: http://www.mail-archive.com/oracle_br@yahoogrupos.com.br/
Falar com os Moderadores:([EMAIL PROTECTED])
Dorian Anderson Soutto - Fernanda Damous - Alisson Aguiar
______________________________________________________________________
Links do Yahoo! Grupos
______________________________________________________________________
Histórico: http://www.mail-archive.com/oracle_br@yahoogrupos.com.br/
Falar com os Moderadores:([EMAIL PROTECTED])
Dorian Anderson Soutto - Fernanda Damous - Alisson Aguiar
______________________________________________________________________
Links do Yahoo! Grupos
<*> Para visitar o site do seu grupo na web, acesse:
http://br.groups.yahoo.com/group/oracle_br/
<*> Para sair deste grupo, envie um e-mail para:
[EMAIL PROTECTED]
<*> O uso que você faz do Yahoo! Grupos está sujeito aos:
http://br.yahoo.com/info/utos.html
