DBMS_CRYPTO

DBMS_CRYPTO provides an interface to encrypt and decrypt stored data, and can be used in conjunction with PL/SQL programs running network communications. It provides support for several industry-standard encryption and hashing algorithms, including the Advanced Encryption Standard (AES) encryption algorithm. AES has been approved by the National Institute of Standards and Technology (NIST) to replace the Data Encryption Standard (DES).

See Also: Oracle Database Security Guide for further information about using this package and about encrypting data in general.

This chapter contains the following topics:
Overview
Security Model
Types
Algorithms
Restrictions
Exceptions
Operational Notes
Using the DBMS_CRYPTO Subprograms

Overview

DBMS_CRYPTO contains basic cryptographic functions and procedures. To use this package correctly and securely, a general level of security expertise is assumed.

The DBMS_CRYPTO package enables encryption and decryption for common Oracle datatypes, including RAW and large objects (LOBs), such as images and sound. Specifically, it supports BLOBs and CLOBs. In addition, it provides Globalization Support for encrypting data across different database character sets.

The following cryptographic algorithms are supported:

Data Encryption Standard (DES), Triple DES (3DES, 2-key and 3-key)
Advanced Encryption Standard (AES)
MD5, MD4, and SHA-1 cryptographic hashes
MD5 and SHA-1 Message Authentication Code (MAC)

Block cipher modifiers are also provided with DBMS_CRYPTO. You can choose from several padding options, including PKCS (Public Key Cryptographic Standard) #5, and from four block cipher chaining modes, including Cipher Block Chaining (CBC).

Table 39-1 lists the DBMS_CRYPTO package features in comparison to the other PL/SQL encryption package, the DBMS_OBFUSCATION_TOOLKIT.

Table 39-1 DBMS_CRYPTO and DBMS_OBFUSCATION_TOOLKIT Feature Comparison

Package Feature | DBMS_CRYPTO | DBMS_OBFUSCATION_TOOLKIT
DES, 3DES, AES, RC4, 3DES_2KEY
Block cipher chaining modes
Cryptographic hash algorithms
Keyed hash (MAC) algorithms
Cryptographic pseudo-random number generator RAW, NUMBER, BINARY_INTEGER
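
The block cipher modifiers described above combine with the algorithm into a single cipher-suite value. The following is an added example, not taken from the Oracle documentation: it encrypts a constructed sample value with AES-256 in CBC mode with PKCS #5 padding, then protects the IV and ciphertext with an HMAC-SHA1 tag that is checked before decryption. The variable names, the sample plaintext, the error number -20001 and the encrypt-then-MAC arrangement are assumptions made for illustration; the caller needs EXECUTE privilege on DBMS_CRYPTO.

```sql
-- Added example (not from the Oracle documentation). Run in SQL*Plus or SQLcl.
SET SERVEROUTPUT ON
DECLARE
  -- Cipher suite = algorithm + chaining mode + padding, summed into one PLS_INTEGER.
  l_suite   PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                         + DBMS_CRYPTO.CHAIN_CBC
                         + DBMS_CRYPTO.PAD_PKCS5;
  -- Keys and IV come from the package's cryptographic random number generator.
  l_enc_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);  -- 256-bit AES key
  l_mac_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);  -- separate key for the MAC
  l_iv      RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per message (AES block is 16 bytes)
  -- Constructed sample plaintext, converted to RAW in a fixed character set
  -- so that the bytes do not depend on the database character set.
  l_plain   RAW(2000) := UTL_I18N.STRING_TO_RAW('sample account 0000-1111', 'AL32UTF8');
  l_cipher  RAW(2000);
  l_tag     RAW(20);   -- HMAC-SHA1 output is 20 bytes
  l_check   RAW(20);
  l_out     RAW(2000);
BEGIN
  -- Sender side: encrypt, then MAC the IV together with the ciphertext.
  l_cipher := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_suite,
                                  key => l_enc_key, iv => l_iv);
  l_tag    := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                              typ => DBMS_CRYPTO.HMAC_SH1, key => l_mac_key);

  -- Receiver side: recompute the tag and refuse to decrypt on mismatch.
  -- CBC alone gives confidentiality only; without this check a modified
  -- ciphertext or IV would be decrypted into attacker-influenced plaintext.
  l_check := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                             typ => DBMS_CRYPTO.HMAC_SH1, key => l_mac_key);
  IF UTL_RAW.COMPARE(l_tag, l_check) <> 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'MAC mismatch: IV or ciphertext was modified');
  END IF;

  l_out := DBMS_CRYPTO.DECRYPT(src => l_cipher, typ => l_suite,
                               key => l_enc_key, iv => l_iv);

  DBMS_OUTPUT.PUT_LINE('ciphertext bytes: ' || UTL_RAW.LENGTH(l_cipher));
  DBMS_OUTPUT.PUT_LINE('round trip ok:    ' ||
    CASE WHEN UTL_RAW.COMPARE(l_plain, l_out) = 0 THEN 'yes' ELSE 'no' END);
  DBMS_OUTPUT.PUT_LINE('plaintext:        ' || UTL_I18N.RAW_TO_CHAR(l_out, 'AL32UTF8'));
END;
/
```

In a real deployment the IV and tag are stored alongside the ciphertext, while the two keys are held outside the table that contains the encrypted column.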