Chapter 7. DBMS_CRYPTO
Prev   Next

Chapter 7. DBMS_CRYPTO

Table of Contents

7.1. Overview
7.2. Encryption/Decryption Algorithms, Chaining, and Padding
7.3. Hash Functions
7.4. Procedures and Functions
7.4.1. DECRYPT
7.4.2. ENCRYPT
7.4.3. HASH
7.4.4. MAC
7.4.5. RANDOMBYTES

This chapter briefly introduces the DBMS_CRYPTO package, and describes how to use the procedures and functions of the package.

7.1. Overview

DBMS_CRYPTO provides hash functions used for data encryption/decryption and authentication. Since all data encryption/decryption algorithms of this package use keys, secure key management is critical.

For information about managing keys for encryption algorithms, refer to DBMS_OBFUSCATION_TOOLKIT.

Hash functions are used to convert data into a fixed-length hash value.

7.2. Encryption/Decryption Algorithms, Chaining, and Padding

DBMS_CRYPTO provides various algorithms for data encryption or decryption such as DES (Data Encryption Standard), 3DES (Triple DES), and AES (Advanced Encryption Standard), and supports several block chaining or padding methods. It is recommended to use this package instead of the DBMS_OBFUSCATION_TOOLKIT, because this package provides additional algorithm types.

The following algorithms, chaining methods, and padding methods are provided:

  • Algorithms

    AlgorithmDescription
    DES

    Divides data into 64-bit blocks, and uses a 56-bit key for each block. This algorithm was once widely used, but it has been used less recently due to its security vulnerability.

    Uses symmetric keys.

    3DES

    Applies the DES algorithm two or three times to a single data block using a 112(56*2)-bit or 168(56*3)-bit key. This also uses symmetric-key encryption.

    Compared to other algorithms that use symmetric-key encryption, this algorithm requires a relatively long time for encryption and decryption.

    AESDivides data into 128-bit blocks, and uses 128-bit, 192-bit, or 256-bit key. With a stronger design than DES, this algorithm is expected to become the standard encryption algorithm.
    RC4

    A stream cipher type that Ronald Rivest designed for RSA Security. This algorithm is based on the use of a random permutation. Because this algorithm performs a byte-level operation, its speed is faster than other stream cipher types that perform bit-level operation.

    This is used for SSL (Secure Sockets Layer), TLS (Transport Layer Security), and Wireless LAN standards IEEE 802.11 WEP (Wired Equivalent Privacy) protocols.

    ARIA

    A block cipher algorithm developed by Korea's National Security Research Institute. Like AES, this algorithm divides data into 128-bit blocks, and uses a 128-bit, 192-bit, or 256-bit key for each block.

    It has an involutional SPN (Substitution-Permutation Network) structure that is optimized for use with a lightweight environment or hardware.

  • Chaining

    Chaining methodDescription
    ECB (Electronic Codebook) Encrypts each original data block separately.
    CBC (Cipher Block Chaining)

    Encrypts the current block after performing the XOR operation on data in both the current block and the previously encrypted block.

    This method is used to prevent duplicating the same encrypted data for blocks that contain the same data, which occurs in the ECB method.

    CFB (Cipher-Feedback)

    Similar to CBC, but this algorithm performs bit-level encryption and a shift, and is similar to the stream cipher type.

    Therefore, it can encrypt data smaller than the block size.

    OFB Output-Feedback)

    Enables a block cipher to work like a synchronized stream cipher.

    Similar to CFB, except that the cryptography of the current block does not affect the key array combination of the next block. Therefore, even if an error occurs while encrypting the current block, the error does not affect the next block.

  • Padding

    Padding methodDescription
    PKCS5Follows PKCS #5: Password-Based Cryptography Standard.
    NONENo padding. If the data size is not a multiple of the unit block size (128-bit), the data cannot be encrypted, and an error is returned.
    ZEROPads each byte in the remaining space of the final block with zeros. This method should only be used for data for zero terminated data.

7.3. Hash Functions

DBMS_CRYPTO easily converts data into a fixed-length hash value, but makes it difficult to restore the original data from the hash value, and thus can ensure data security.

Hash functions are used for data modification checks or password authentication.

More algorithms and block padding methods are available through MD4, MD5 and SHA. The following describes additional algorithms.

Hash functionDescription
MD5(Message Digest 5)

Creates a 128-bit message digest from the input data to verify data integrity.

This is an extension of MD4. It is slower than MD4, but strengthens data security.

MD4(Message Digest 4)An initial version of MD5. This function creates a 128-bit message digest from the input data to verify data integrity.
SHA-1(Secure Hash Algorithm 1)

SHA is defined in the US NIST Secure Hash Standard (SHS). This function creates a 160-bit message digest from a message of less than 264 bits.

This function is slower than MD5, but more secure against collisions and attacks.

SHA-2(Secure Hash Algorithm 2)

Replaces SHA-1. SHA-224, SHA-256, SHA-384, and SHA-512 can be used according to the number of bytes used in the hash function. Tibero supports SHA-256, SHA-384, and SHA-512.

7.4. Procedures and Functions

This section describes procedures and functions provided by the DBMS_CRYPTO package, in alphabetical order.

7.4.1. DECRYPT

Decrypts encrypted data using the decryption algorithm, chaining method, and padding method specified by the user.

To ensure correct output, the key and block sizes must be appropriate for the specified algorithm. To learn which key and block sizes are appropriate for each algorithm, refer to the aforementioned tables.

Details about the DECRYPT procedure and function are as follows:

  • Prototype

    • Function

      DBMS_CRYPTO.DECRYPT
(
    src                 IN          RAW,
    cipher_type         IN          PLS_INTEGER,
    key                 IN          RAW,
    init_vector         IN          RAW          DEFAULT NULL
) 
RETURN RAW;

    • Procedure

      DBMS_CRYPTO.DECRYPT
(
    dst                 IN OUT NOCOPY   BLOB,
    src                 IN              BLOB,
    cipher_type         IN              PLS_INTEGER,
    key                 IN              RAW,
    init_vector         IN              RAW          DEFAULT NULL
);
      DBMS_CRYPTO.DECRYPT
(
    dst                 IN OUT NOCOPY   CLOB,  
    src                 IN              BLOB,  
    cipher_type         IN              PLS_INTEGER,
    key                 IN              RAW,
    init_vector         IN              RAW          DEFAULT NULL
);

  • Parameters

    ParameterDescription
    dstDecrypted data.
    srcData to decrypt.
    cipher_typeEncryption algorithm, chaining method, and padding method to use.
    keyKey value for decryption.
    init_vectorInitialization vector. If set to NULL, an initialization vector padded with zeros will be used.

  • Return Value

    Decrypted data.

  • Exceptions

    ExceptionDescription
    INVALID_ARGUMENTOccurs if a parameter is NULL.
    INVALID_NTH_ARGUMENTOccurs if the specified cipher_type value is invalid.
    INVALID_INPUTOccurs if the length of input_data is not a multiple of 8.
    KEY_TOO_SHORTOccurs if the length of key is shorter than required.

  • Example

    DECLARE
    data RAW(256);
    key RAW(16);
    encrypted_data RAW(256);
    decrypted_data RAW(256);
    iv RAW(256);
BEGIN
    data := '0102030405AE030D0102030405AE030D';
    key := '0A123B8E002CD3FFA021B3E800C23DFF';
    iv := '00000000000000000000000000000000';

    encrypted_data := DBMS_CRYPTO.ENCRYPT(
            src => data, 
    cipher_type => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + 
                   DBMS_CRYPTO.PAD_PKCS5, 
            key => key,
            init_vector => iv);

    encrypted_data := DBMS_CRYPTO.DECRYPT(
            src => encrypted_data, 
    cipher_type => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + 
                   DBMS_CRYPTO.PAD_PKCS5, 
            key => key,
            init_vector => iv);
END;

7.4.2. ENCRYPT

Encrypts data using the encryption algorithm, chaining method, and padding method specified by the user.

To ensure correct output, the key and block sizes must be appropriate for the specified algorithm. To learn which key and block sizes are appropriate for each algorithm, refer to the aforementioned tables.

Details about the ENCRYPT procedure and function are as follows:

  • Prototypes

    • Functions

      DBMS_CRYPTO.ENCRYPT
              ( src IN RAW, cipher_type IN PLS_INTEGER, key IN RAW,
              init_vector IN RAW DEFAULT NULL ) RETURN RAW;
      DBMS_CRYPTO.HASH
              ( src IN BLOB, hash_type IN PLS_INTEGER ) RETURN
              RAW;
      DBMS_CRYPTO.HASH
              ( src IN CLOB, hash_type IN PLS_INTEGER ) RETURN
              RAW;

    • Procedures

      DBMS_CRYPTO.ENCRYPT
              ( dst IN OUT NOCOPY BLOB, src IN BLOB, cipher_type IN
              PLS_INTEGER, key IN RAW, init_vector IN RAW DEFAULT NULL
              );
      DBMS_CRYPTO.ENCRYPT
(
    dst                 IN OUT NOCOPY   BLOB,
    src                 IN              CLOB,
    cipher_type         IN              PLS_INTEGER,
    key                 IN              RAW,
    init_vector         IN              RAW          DEFAULT NULL
);

  • Parameters

    • Function

      ParameterDescription
      srcSource data.
      hash_type

      Hash algorithm to use.

      The following are the available hash function algorithms:

          hash_md4           CONSTANT PLS_INTEGER :=     1;
    hash_md5           CONSTANT PLS_INTEGER :=     2;
    hash_sh1           CONSTANT PLS_INTEGER :=     3;
    hash_sh256         CONSTANT PLS_INTEGER :=     4;
    hash_sh384         CONSTANT PLS_INTEGER :=     5;
    hash_sh512         CONSTANT PLS_INTEGER :=     6;

    • Procedure

      ParameterDescription
      dstDecrypted data.
      srcData to decrypt.
      cipher_typeEncryption algorithm, chaining method, and padding method to use.
      keyKey value for decryption.
      init_vectorInitialization vector. If set to NULL, an initialization vector padded with zeros will be used.

  • Return Value

    Encrypted data.

  • Exceptions

    ExceptionDescription
    INVALID_ARGUMENTOccurs if a parameter is NULL.
    INVALID_NTH_ARGUMENTOccurs if the specified cipher_type value is invalid.
    INVALID_INPUTOccurs if the length of input_data is not a multiple of 8.
    KEY_TOO_SHORTOccurs if the length of key is shorter than required.

  • Example

    DECLARE
    data RAW(256);
    key RAW(16);
    encrypted_data RAW(256);
    decrypted_data RAW(256);
    iv RAW(256);
BEGIN
    data := '0102030405AE030D0102030405AE030D';
    key := '0A123B8E002CD3FFA021B3E800C23DFF';
    iv := '00000000000000000000000000000000';

    encrypted_data := DBMS_CRYPTO.ENCRYPT(
            src => data, 
    cipher_type => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + 
                   DBMS_CRYPTO.PAD_PKCS5, 
            key => key,
            init_vector => iv);
END;

7.4.3. HASH

Converts data into a fixed-length hash value using a user-specified algorithm.

Details about the HASH function are as follows:

  • Prototype

    DBMS_CRYPTO.HASH
          ( src IN RAW, hash_type IN PLS_INTEGER ) RETURN RAW;

  • Parameters

    ParameterDescription
    srcOriginal data.
    hash_typeHash function to use.

  • Exceptions

    ExceptionDescription
    INVALID_ARGUMENTOccurs if a parameter is NULL.
    INVALID_NTH_ARGUMENTOccurs if the specified hash_type value is invalid.

  • Example

    DECLARE
    input varchar2(100);
    hash_val raw(20);
BEGIN
    input := 'DBMS_CRYPTO.HASH test';

    hash_val := DBMS_CRYPTO.HASH(
             src => utl_raw.cast_to_raw(input), 
             hash_type => DBMS_CRYPTO.HASH_SH1);
END;

7.4.4. MAC

Creates a Message Authentication Code (MAC) for the specified KEY by using the specified data and algorithm.

Details about the MAC function are as follows:

  • Prototype

    DBMS_CRYPTO.MAC
(
    src                 IN          RAW,
    mac_type            IN          PLS_INTEGER, 
    key                 IN          RAW
) 
RETURN RAW;

  • Parameters

    ParameterDescription
    srcSource data.
    mac_type

    MAC algorithm to use.

    The following are available algorithm constants.

        hmac_md5           CONSTANT PLS_INTEGER :=     1;
    hmac_sh1           CONSTANT PLS_INTEGER :=     2;
    hmac_sh256         CONSTANT PLS_INTEGER :=     3;
    hmac_sh384         CONSTANT PLS_INTEGER :=     4;
    hmac_sh512         CONSTANT PLS_INTEGER :=     5;

    keyKEY data to use.

  • Exceptions

    ExceptionDescription
    INVALID_ARGUMENTOccurs if a parameter is NULL.
    INVALID_NTH_ARGUMENTOccurs if the specified mac_type value is invalid.

  • Example

    SET SERVEROUTPUT ON
DECLARE
    vKey     VARCHAR2(2000);
    vHashed  RAW(20);
    vText    VARCHAR2(2000);
BEGIN
    vText := 'test test 1234 !@#$ +-/*';
    vKey  := 'PASSCODE';
    vHashed := DBMS_CRYPTO.MAC(
      src => UTL_I18N.STRING_TO_RAW (vText, 'MSWIN949'),
      mac_type => DBMS_CRYPTO.HMAC_SH1,
      key => UTL_I18N.STRING_TO_RAW(vKey, 'MSWIN949'));
    DBMS_OUTPUT.PUT_LINE(vText);
    DBMS_OUTPUT.PUT_LINE(vKey);
    DBMS_OUTPUT.PUT_LINE(vHashed);
END;

7.4.5. RANDOMBYTES

Returns data with the specified size.

Details about the RANDOMBYTES function are as follows:

  • Prototype

    DBMS_CRYPTO.RANDOMBYTES
          ( number_bytes IN PLS_INTEGER ) RETURN RAW;

  • Parameters

    ParameterDescription
    number_bytesSize of data to return.

  • Example

    DECLARE l_key RAW (16); BEGIN
          l_key := DBMS_CRYPTO.randombytes (16); DBMS_OUTPUT.PUT_LINE(l_key);
          END
Prev   Next
Chapter 6. DBMS_AQADM Home Chapter 8. DBMS_DB_VERSION