Tuesday, September 12, 2017

Simple Oracle Plsql Package for password encryption and decryption



Simple Oracle Plsql Package for password encryption and decryption


Introduction:

The script provided demonstrates how to create a simple password encryption and decryption package in Oracle using the DBMS_OBFUSCATION_TOOLKIT. Below is a step-by-step breakdown of each part of the code:


1. Setting Up the Environment:

Before running the package, it is recommended to connect to the database as SYSDBA and run the script ?/rdbms/admin/catobtk.sql. This script installs the DBMS_OBFUSCATION_TOOLKIT package necessary for encryption and decryption functionalities.

2. Creating the Table USERS_INFO:

The table USERS_INFO is created to store usernames and encrypted passwords.



CREATE TABLE USERS_INFO
(
  USERNAME VARCHAR2(20 BYTE),
  PASS VARCHAR2(20 BYTE)
);


3. Creating the Package Specification PASSWORD:

The package specification defines two functions: encrypt and decrypt. These functions will handle the encryption and decryption of passwords.


CREATE OR REPLACE PACKAGE PASSWORD AS
   function encrypt(i_password varchar2) return varchar2;
   function decrypt(i_password varchar2) return varchar2;
END PASSWORD;
/
show errors

4. Creating the Package Body PASSWORD:

The package body implements the actual logic for the encrypt and decrypt functions using Oracle's DBMS_OBFUSCATION_TOOLKIT.

Key Points:

  • The encryption key (c_encrypt_key) must be exactly 8 bytes long.
  • Input data for encryption must have a length divisible by eight, achieved using RPAD to pad the input string.

CREATE OR REPLACE PACKAGE BODY PASSWORD AS

  -- Key for encryption and decryption
  c_encrypt_key VARCHAR2(8) := 'key45678';

  -- Encrypt function
  FUNCTION encrypt (i_password VARCHAR2) RETURN VARCHAR2 IS
    v_encrypted_val VARCHAR2(38);
    v_data          VARCHAR2(38);
  BEGIN
     -- Pad the input data to a length divisible by eight
     v_data := RPAD(i_password, (TRUNC(LENGTH(i_password)/8) + 1) * 8, CHR(0));

     -- Encrypt the data
     DBMS_OBFUSCATION_TOOLKIT.DESENCRYPT(
        input_string     => v_data,
        key_string       => c_encrypt_key,
        encrypted_string => v_encrypted_val);
     RETURN v_encrypted_val;
  END encrypt;

  -- Decrypt function
  FUNCTION decrypt (i_password VARCHAR2) RETURN VARCHAR2 IS
    v_decrypted_val VARCHAR2(38);
  BEGIN
     -- Decrypt the data
     DBMS_OBFUSCATION_TOOLKIT.DESDECRYPT(
        input_string     => i_password,
        key_string       => c_encrypt_key,
        decrypted_string => v_decrypted_val);
     RETURN v_decrypted_val;
  END decrypt;

END PASSWORD;
/
SHOW ERRORS;


5. Testing the Encryption and Decryption:

The following SQL statements test the encryption and decryption functions:


select password.encrypt('PASSWORD1') from dual;
select password.decrypt(app_password.encrypt('PASSWORD1')) from dual;
select password.encrypt('PSW2') from dual;
select password.decrypt(app_password.encrypt('PSW2')) from dual;

6. Inserting and Retrieving Encrypted Data:

The script demonstrates inserting an encrypted password into the USERS_INFO table and then retrieving and decrypting it.

--- Insert encrypted Password ---

insert into USERS_INFO values ('redddy',( select password.encrypt('REDDY1') from dual) );
select password.decrypt((pass)) from USERS_INFO where USERNAME='redddy';



Important Notes:

  • Security Considerations: The DBMS_OBFUSCATION_TOOLKIT uses DES encryption, which is considered outdated and insecure by modern standards. It’s recommended to use DBMS_CRYPTO for more robust encryption methods, such as AES.
  • Error Handling: The script should include error handling to manage issues that may arise during encryption or decryption processes.
  • Testing and Validation: Always test encryption and decryption thoroughly, especially when dealing with sensitive data like passwords, to ensure the correct implementation.

This setup demonstrates basic encryption and decryption using Oracle's built-in toolkit, providing a foundation for enhancing database security.