This chapter briefly introduces the DBMS_CRYPTO package, and describes how to use the procedures and functions of the package.
DBMS_CRYPTO provides encryption/decryption, hash, and message authentication functions. Since all encryption/decryption algorithms in this package use keys, secure key management is critical.
For information about managing keys for encryption algorithms, refer to DBMS_OBFUSCATION_TOOLKIT.
Hash functions are used to convert data into a fixed-length hash value.
DBMS_CRYPTO provides various algorithms for data encryption or decryption such as DES (Data Encryption Standard), 3DES (Triple DES), and AES (Advanced Encryption Standard), and supports several block chaining or padding methods. It is recommended to use this package instead of the DBMS_OBFUSCATION_TOOLKIT, because this package provides additional algorithm types.
The following algorithms, chaining methods, and padding methods are provided:
Algorithms
Chaining
Padding
The hash functions of DBMS_CRYPTO convert data into a fixed-length hash value from which the original data cannot practically be recovered, and thus can be used to protect data.
Hash functions are used for data modification checks or password authentication.
The available hash algorithms are MD4, MD5 and the SHA family. The following describes these algorithms.
This section describes procedures and functions provided by the DBMS_CRYPTO package, in alphabetical order.
Decrypts encrypted data using the decryption algorithm, chaining method, and padding method specified by the user.
To ensure correct output, the key and block sizes must be appropriate for the specified algorithm. To learn which key and block sizes are appropriate for each algorithm, refer to the aforementioned tables.
Details about the DECRYPT procedure and function are as follows:
Prototype
Function
DBMS_CRYPTO.DECRYPT ( src IN RAW, cipher_type IN PLS_INTEGER, key IN RAW, init_vector IN RAW DEFAULT NULL ) RETURN RAW;
Procedure
DBMS_CRYPTO.DECRYPT ( dst IN OUT NOCOPY BLOB, src IN BLOB, cipher_type IN PLS_INTEGER, key IN RAW, init_vector IN RAW DEFAULT NULL );
DBMS_CRYPTO.DECRYPT ( dst IN OUT NOCOPY CLOB, src IN BLOB, cipher_type IN PLS_INTEGER, key IN RAW, init_vector IN RAW DEFAULT NULL );
Parameters
Parameter | Description |
---|---|
dst | Decrypted data. |
src | Data to decrypt. |
cipher_type | Encryption algorithm, chaining method, and padding method to use. |
key | Key value for decryption. |
init_vector | Initialization vector. If set to NULL, an all-zero initialization vector is used. |
Return Value
Decrypted data.
Exceptions
Exception | Description |
---|---|
INVALID_ARGUMENT | Occurs if a parameter is NULL. |
INVALID_NTH_ARGUMENT | Occurs if the specified cipher_type value is invalid. |
INVALID_INPUT | Occurs if the length of input_data is not a multiple of 8. |
KEY_TOO_SHORT | Occurs if the length of key is shorter than required. |
Example
DECLARE
  data           RAW(256);
  key            RAW(16);
  encrypted_data RAW(256);
  decrypted_data RAW(256);
  iv             RAW(256);
BEGIN
  data := '0102030405AE030D0102030405AE030D';
  key  := '0A123B8E002CD3FFA021B3E800C23DFF';
  iv   := '00000000000000000000000000000000';
  -- Encrypt with AES-128 in CBC mode and PKCS5 padding.
  encrypted_data := DBMS_CRYPTO.ENCRYPT(
      src         => data,
      cipher_type => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5,
      key         => key,
      init_vector => iv);
  -- Decrypt with the same cipher_type, key and IV; the result goes into decrypted_data
  -- so that it can be compared with the original data.
  decrypted_data := DBMS_CRYPTO.DECRYPT(
      src         => encrypted_data,
      cipher_type => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5,
      key         => key,
      init_vector => iv);
END;
Encrypts data using the encryption algorithm, chaining method, and padding method specified by the user.
To ensure correct output, the key and block sizes must be appropriate for the specified algorithm. To learn which key and block sizes are appropriate for each algorithm, refer to the aforementioned tables.
Details about the ENCRYPT procedure and function are as follows:
Prototypes
Functions
DBMS_CRYPTO.ENCRYPT ( src IN RAW, cipher_type IN PLS_INTEGER, key IN RAW, init_vector IN RAW DEFAULT NULL ) RETURN RAW;
DBMS_CRYPTO.HASH ( src IN BLOB, hash_type IN PLS_INTEGER ) RETURN RAW;
DBMS_CRYPTO.HASH ( src IN CLOB, hash_type IN PLS_INTEGER ) RETURN RAW;
Procedures
DBMS_CRYPTO.ENCRYPT ( dst IN OUT NOCOPY BLOB, src IN BLOB, cipher_type IN PLS_INTEGER, key IN RAW, init_vector IN RAW DEFAULT NULL );
DBMS_CRYPTO.ENCRYPT ( dst IN OUT NOCOPY BLOB, src IN CLOB, cipher_type IN PLS_INTEGER, key IN RAW, init_vector IN RAW DEFAULT NULL );
Parameters
Function
Parameter | Description |
---|---|
src | Source data. |
hash_type | Hash algorithm to use. The available hash algorithm constants are: hash_md4 CONSTANT PLS_INTEGER := 1; hash_md5 CONSTANT PLS_INTEGER := 2; hash_sh1 CONSTANT PLS_INTEGER := 3; hash_sh256 CONSTANT PLS_INTEGER := 4; hash_sh384 CONSTANT PLS_INTEGER := 5; hash_sh512 CONSTANT PLS_INTEGER := 6; |
Procedure
Parameter | Description |
---|---|
dst | Encrypted data. |
src | Data to encrypt. |
cipher_type | Encryption algorithm, chaining method, and padding method to use. |
key | Key value for encryption. |
init_vector | Initialization vector. If set to NULL, an all-zero initialization vector is used. |
Return Value
Encrypted data.
Exceptions
Exception | Description |
---|---|
INVALID_ARGUMENT | Occurs if a parameter is NULL. |
INVALID_NTH_ARGUMENT | Occurs if the specified cipher_type value is invalid. |
INVALID_INPUT | Occurs if the length of input_data is not a multiple of 8. |
KEY_TOO_SHORT | Occurs if the length of key is shorter than required. |
Example
DECLARE
  data           RAW(256);
  key            RAW(16);
  encrypted_data RAW(256);
  iv             RAW(256);
BEGIN
  data := '0102030405AE030D0102030405AE030D';
  key  := '0A123B8E002CD3FFA021B3E800C23DFF';
  iv   := '00000000000000000000000000000000';
  -- Encrypt with AES-128 in CBC mode and PKCS5 padding.
  encrypted_data := DBMS_CRYPTO.ENCRYPT(
      src         => data,
      cipher_type => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5,
      key         => key,
      init_vector => iv);
END;
Converts data into a fixed-length hash value using a user-specified algorithm.
Details about the HASH function are as follows:
Prototype
DBMS_CRYPTO.HASH ( src IN RAW, hash_type IN PLS_INTEGER ) RETURN RAW;
Parameters
Parameter | Description |
---|---|
src | Original data. |
hash_type | Hash function to use. |
Exceptions
Exception | Description |
---|---|
INVALID_ARGUMENT | Occurs if a parameter is NULL. |
INVALID_NTH_ARGUMENT | Occurs if the specified hash_type value is invalid. |
Example
DECLARE
  input    VARCHAR2(100);
  hash_val RAW(20);   -- SHA-1 produces a 20-byte digest
BEGIN
  input := 'DBMS_CRYPTO.HASH test';
  hash_val := DBMS_CRYPTO.HASH(
      src       => UTL_RAW.CAST_TO_RAW(input),
      hash_type => DBMS_CRYPTO.HASH_SH1);
END;
Creates a Message Authentication Code (MAC) for the specified KEY by using the specified data and algorithm.
Details about the MAC function are as follows:
Prototype
DBMS_CRYPTO.MAC ( src IN RAW, mac_type IN PLS_INTEGER, key IN RAW ) RETURN RAW;
Parameters
Parameter | Description |
---|---|
src | Source data. |
mac_type | MAC algorithm to use. The available algorithm constants are: hmac_md5 CONSTANT PLS_INTEGER := 1; hmac_sh1 CONSTANT PLS_INTEGER := 2; hmac_sh256 CONSTANT PLS_INTEGER := 3; hmac_sh384 CONSTANT PLS_INTEGER := 4; hmac_sh512 CONSTANT PLS_INTEGER := 5; |
key | KEY data to use. |
Exceptions
Exception | Description |
---|---|
INVALID_ARGUMENT | Occurs if a parameter is NULL. |
INVALID_NTH_ARGUMENT | Occurs if the specified mac_type value is invalid. |
Example
SET SERVEROUTPUT ON
DECLARE
  vKey    VARCHAR2(2000);
  vHashed RAW(20);   -- HMAC-SHA1 produces a 20-byte tag
  vText   VARCHAR2(2000);
BEGIN
  vText := 'test test 1234 !@#$ +-/*';
  vKey  := 'PASSCODE';
  -- Convert text and key to RAW in the MSWIN949 character set before computing the MAC.
  vHashed := DBMS_CRYPTO.MAC(
      src      => UTL_I18N.STRING_TO_RAW(vText, 'MSWIN949'),
      mac_type => DBMS_CRYPTO.HMAC_SH1,
      key      => UTL_I18N.STRING_TO_RAW(vKey, 'MSWIN949'));
  DBMS_OUTPUT.PUT_LINE(vText);
  DBMS_OUTPUT.PUT_LINE(vKey);
  DBMS_OUTPUT.PUT_LINE(vHashed);
END;
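The MAC is only useful if the receiving side recomputes it and compares it with the stored tag. The following is an added example (not from the original page) that does this with HMAC_SH256 and shows that a modified message or a different key no longer verifies; mac_ok is a local helper defined here, and UTL_RAW.COMPARE is assumed to be available as on the rest of this page.

```sql
SET SERVEROUTPUT ON
DECLARE
  l_key RAW(32);
  l_msg RAW(256);
  l_tag RAW(32);   -- HMAC-SHA256 produces a 32-byte tag

  -- Hypothetical helper: recompute the MAC over p_msg with p_key and
  -- report whether it matches the stored tag p_tag.
  FUNCTION mac_ok(p_msg IN RAW, p_tag IN RAW, p_key IN RAW) RETURN BOOLEAN IS
  BEGIN
    RETURN UTL_RAW.COMPARE(
             DBMS_CRYPTO.MAC(src => p_msg, mac_type => DBMS_CRYPTO.HMAC_SH256, key => p_key),
             p_tag) = 0;
  END mac_ok;

  -- Print the verification result for one message/tag/key combination.
  PROCEDURE report(p_label IN VARCHAR2, p_msg IN RAW, p_tag IN RAW, p_key IN RAW) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(p_label || ': ' ||
        CASE WHEN mac_ok(p_msg, p_tag, p_key) THEN 'valid' ELSE 'INVALID' END);
  END report;
BEGIN
  -- Constructed sample data: a random 256-bit key and a short message.
  l_key := DBMS_CRYPTO.RANDOMBYTES(32);
  l_msg := UTL_RAW.CAST_TO_RAW('order=1001;total=250.00');

  -- Sender side: compute the tag that travels with the message.
  l_tag := DBMS_CRYPTO.MAC(src => l_msg, mac_type => DBMS_CRYPTO.HMAC_SH256, key => l_key);

  -- Receiver side: the unmodified message verifies ...
  report('original message', l_msg, l_tag, l_key);
  -- ... a message altered in a single digit does not ...
  report('tampered message', UTL_RAW.CAST_TO_RAW('order=1001;total=950.00'), l_tag, l_key);
  -- ... and neither does the right message checked with the wrong key.
  report('wrong key       ', l_msg, l_tag, DBMS_CRYPTO.RANDOMBYTES(32));
END;
/
```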
Returns random bytes of the specified size.
Details about the RANDOMBYTES function are as follows:
Prototype
DBMS_CRYPTO.RANDOMBYTES ( number_bytes IN PLS_INTEGER ) RETURN RAW;
Parameters
Parameter | Description |
---|---|
number_bytes | Number of random bytes to return. |
Example
DECLARE
  l_key RAW(16);
BEGIN
  -- Generate 16 random bytes, e.g. for use as an AES-128 key.
  l_key := DBMS_CRYPTO.RANDOMBYTES(16);
  DBMS_OUTPUT.PUT_LINE(l_key);
END;
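The ENCRYPT and DECRYPT examples above pass an all-zero IV, which is also what a NULL init_vector gives; for CBC mode the IV should instead be fresh per message. The following is an added example (not from the original page) that draws the IV from RANDOMBYTES, stores it in front of the ciphertext, and splits the two apart again on decryption; UTL_RAW.CONCAT, UTL_RAW.SUBSTR and UTL_RAW.COMPARE are assumed to be available as UTL_RAW is elsewhere on this page.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- Same cipher selection as the ENCRYPT/DECRYPT examples on this page.
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES128
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;
  l_key       RAW(16);
  l_iv        RAW(16);
  l_plain     RAW(256);
  l_cipher    RAW(256);
  l_stored    RAW(512);   -- 16-byte IV followed by the ciphertext
  l_recovered RAW(256);
BEGIN
  -- Constructed sample input; a production key would come from key management.
  l_plain := UTL_RAW.CAST_TO_RAW('account=42;amount=100.00');
  l_key   := DBMS_CRYPTO.RANDOMBYTES(16);   -- 128-bit AES key
  l_iv    := DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh IV per message (AES block size)

  l_cipher := DBMS_CRYPTO.ENCRYPT(
      src         => l_plain,
      cipher_type => c_mode,
      key         => l_key,
      init_vector => l_iv);

  -- The IV is not secret; keep it next to the ciphertext so DECRYPT can find it.
  l_stored := UTL_RAW.CONCAT(l_iv, l_cipher);

  -- Decryption side: the first 16 bytes are the IV, the rest is ciphertext.
  l_recovered := DBMS_CRYPTO.DECRYPT(
      src         => UTL_RAW.SUBSTR(l_stored, 17),
      cipher_type => c_mode,
      key         => l_key,
      init_vector => UTL_RAW.SUBSTR(l_stored, 1, 16));

  IF UTL_RAW.COMPARE(l_recovered, l_plain) = 0 THEN
    DBMS_OUTPUT.PUT_LINE('round trip OK: ' || UTL_RAW.CAST_TO_VARCHAR2(l_recovered));
  ELSE
    DBMS_OUTPUT.PUT_LINE('round trip FAILED');
  END IF;
END;
/
```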