Encrypted password column
56 views
Skip to first unread message
Mohammed Mostafa
Jul 8, 2012, 1:03:12 AM7/8/12
to oracle_db...@googlegroups.com
Dear Experts,
I have one application connecting to oracle database and reading the passwords from USERS tables which contains 2 columns (Username and password) , the developer needs to encrypt the password column in the database , can u help me please
database version is 10g
Thank you in advance
Mohammed
Agustin Utrera
Jul 8, 2012, 4:12:02 PM7/8/12
to oracle_db...@googlegroups.com, oracle_db...@googlegroups.com
Dbms_crypto or dbms_obfuscation_toolkit
--
You received this message because you are subscribed to the Google Groups "ORACLE_DBA_EXPERTS" group.
To post to this group, send email to oracle_db...@googlegroups.com.
To unsubscribe from this group, send email to oracle_dba_expe...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/oracle_dba_experts?hl=en.
Mohammed Mostafa
Jul 9, 2012, 1:57:14 AM7/9/12
to oracle_db...@googlegroups.com
Thank you , can u please send me one simple example how to use it
my table is users
TABLE tests.users
Name Null? Type
----------------------------------------- -------- ----------------------------
USERNAME VARCHAR2(100)
PASSWORD VARCHAR2(100)
I need teh passwords in password table to be blank or encrypted when any one browse teh table from Toad or SQL Plus
Thank you in advance
Bhaskar Sarma
Jul 8, 2012, 9:05:36 AM7/8/12
to oracle_db...@googlegroups.com
Hi ,
Password stored in USERS Table is not clear text. Its an encrypted
format of password. Why do you like to encrypt the same value again ?
Bhaskar.
Bhaskar Sarma
Password stored in USERS Table is not clear text. Its an encrypted
format of password. Why do you like to encrypt the same value again ?
Bhaskar.
> --
> You received this message because you are subscribed to the Google Groups
> "ORACLE_DBA_EXPERTS" group.
> To post to this group, send email to oracle_db...@googlegroups.com.
> To unsubscribe from this group, send email to
> oracle_dba_expe...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/oracle_dba_experts?hl=en.
--
Thank You
> You received this message because you are subscribed to the Google Groups
> "ORACLE_DBA_EXPERTS" group.
> To post to this group, send email to oracle_db...@googlegroups.com.
> To unsubscribe from this group, send email to
> oracle_dba_expe...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/oracle_dba_experts?hl=en.
--
Bhaskar Sarma
ddf
Jul 9, 2012, 10:33:25 AM7/9/12
to ORACLE_DBA_EXPERTS
>
> - Show quoted text -
No, it isn't. There is no USERS table by default in Oracle, it's
DBA_USERS and the password is hashed to make it unreadable. This is
for an application table not connected to the data dictionary.
Here is an example of using the dbms_crypto package to encrypt and
decrypt a password:
SQL> CREATE OR REPLACE PACKAGE p_encrypt AS
2
3 FUNCTION encrypt_pwd( p_pwd IN VARCHAR2 ) RETURN RAW;
4
5 FUNCTION decrypt_pwd( p_pwd IN RAW ) RETURN VARCHAR2;
6
7 END p_encrypt;
8 /
Package created.
SQL>
SQL> show errors
No errors.
SQL>
SQL> CREATE OR REPLACE PACKAGE BODY p_encrypt AS
2 --DO NOT FORGET TO WRAP THIS BEFORE LOADING INTO DATABASE
3 --IF IT IS NOT WRAPPED, THE KEY WILL BE EXPOSED
4 --THE WRAP UTILITY IS LOCATED IN THE \BIN DIRECTORY (WRAP.EXE)
5
6 G_CHARACTER_SET VARCHAR2(10) := 'AL32UTF8';
7 G_STRING VARCHAR2(32) :=
'12345678901234567890123456789012';
8 G_KEY RAW(250) := utl_i18n.string_to_raw
9 ( data => G_STRING,
10 dst_charset => G_CHARACTER_SET );
11 G_ENCRYPTION_TYPE PLS_INTEGER :=
dbms_crypto.encrypt_aes256
12 + dbms_crypto.chain_cbc
13 + dbms_crypto.pad_pkcs5;
14
15 FUNCTION encrypt_pwd( p_pwd IN VARCHAR2 ) RETURN RAW IS
16 l_pwd RAW(32) := UTL_I18N.STRING_TO_RAW( p_pwd,
G_CHARACTER_SET );
17 l_encrypted RAW(32);
18 BEGIN
19 l_pwd := utl_i18n.string_to_raw
20 ( data => p_pwd,
21 dst_charset => G_CHARACTER_SET );
22 l_encrypted := dbms_crypto.encrypt
23 ( src => l_pwd,
24 typ => G_ENCRYPTION_TYPE,
25 key => G_KEY );
26 RETURN l_encrypted;
27 END encrypt_pwd;
28
29 FUNCTION decrypt_pwd( p_pwd IN RAW ) RETURN VARCHAR2 IS
30 l_decrypted RAW(32);
31 l_decrypted_string VARCHAR2(32);
32 BEGIN
33 l_decrypted := dbms_crypto.decrypt
34 ( src => p_pwd,
35 typ => G_ENCRYPTION_TYPE,
36 key => G_KEY );
37 l_decrypted_string := utl_i18n.raw_to_char
38 ( data => l_decrypted,
39 src_charset => G_CHARACTER_SET );
40 RETURN l_decrypted_string;
41 END decrypt_pwd;
42
43 END p_encrypt;
44 /
Package body created.
SQL>
SQL> show errors
No errors.
SQL>
SQL> create table users(
2 username varchar2(100),
3 password varchar2(100));
Table created.
SQL>
SQL> insert into users
2 select 'norbert', p_encrypt.encrypt_pwd('norbert') from dual;
1 row created.
SQL>
SQL> select * from users;
USERNAME
--------------------------------------------------------------------------------
PASSWORD
--------------------------------------------------------------------------------
norbert
1A77BE272647A5CDEA3A26E05C07108C
SQL>
SQL> select username, p_encrypt.decrypt_pwd(password) from users;
USERNAME
--------------------------------------------------------------------------------
P_ENCRYPT.DECRYPT_PWD(PASSWORD)
--------------------------------------------------------------------------------
norbert
norbert
SQL>
Notice the password is encrypted; this could be put into a trigger on
the USERS table so the encryption would be transparent to the user:
SQL> create or replace trigger encrypt_pw_trg
2 before insert or update of password on users
3 for each row
4 begin
5 :new.password := p_encrypt.encrypt_pwd(:new.password);
6 end;
7 /
Trigger created.
SQL>
SQL> insert into users
2 values('plinko','plinko');
1 row created.
SQL>
SQL> select * from users;
USERNAME
--------------------------------------------------------------------------------
PASSWORD
--------------------------------------------------------------------------------
norbert
1A77BE272647A5CDEA3A26E05C07108C
plinko
2EA3BBB6B2277E7B9DC2ED98F2C01E45
SQL>
SQL> select username, p_encrypt.decrypt_pwd(password) from users;
USERNAME
--------------------------------------------------------------------------------
P_ENCRYPT.DECRYPT_PWD(PASSWORD)
--------------------------------------------------------------------------------
norbert
norbert
plinko
plinko
SQL>
David Fitzjarrell
Bhaskar Sarma
Jul 9, 2012, 1:24:46 PM7/9/12
to oracle_db...@googlegroups.com
My bad I have mistaken USERS to USER$ table and David Example looks
perfect to encrypt the password.
Bhaskar
perfect to encrypt the password.
Bhaskar
ddf
Jul 9, 2012, 4:25:36 PM7/9/12
to ORACLE_DBA_EXPERTS
> > PASSWORD
> > --------------------------------------------------------------------------------
> > norbert
> > 1A77BE272647A5CDEA3A26E05C07108C
>
> > SQL>
> > SQL> select username, p_encrypt.decrypt_pwd(password) from users;
>
> > USERNAME
> > --------------------------------------------------------------------------------
> > 1A77BE272647A5CDEA3A26E05C07108C
>
> > SQL>
> > SQL> select username, p_encrypt.decrypt_pwd(password) from users;
>
> > USERNAME
> > P_ENCRYPT.DECRYPT_PWD(PASSWORD)
> > --------------------------------------------------------------------------------
> > norbert
> > norbert
>
> > SQL>
>
> > Notice the password is encrypted; this could be put into a trigger on
> > the USERS table so the encryption would be transparent to the user:
>
> > SQL> create or replace trigger encrypt_pw_trg
> > 2 before insert or update of password on users
> > 3 for each row
> > 4 begin
> > 5 :new.password := p_encrypt.encrypt_pwd(:new.password);
> > 6 end;
> > 7 /
>
> > Trigger created.
>
> > SQL>
> > SQL> insert into users
> > 2 values('plinko','plinko');
>
> > 1 row created.
>
> > SQL>
> > SQL> select * from users;
>
> > USERNAME
> > --------------------------------------------------------------------------------
> > norbert
>
> > SQL>
>
> > Notice the password is encrypted; this could be put into a trigger on
> > the USERS table so the encryption would be transparent to the user:
>
> > SQL> create or replace trigger encrypt_pw_trg
> > 2 before insert or update of password on users
> > 3 for each row
> > 4 begin
> > 5 :new.password := p_encrypt.encrypt_pwd(:new.password);
> > 6 end;
> > 7 /
>
> > Trigger created.
>
> > SQL>
> > SQL> insert into users
> > 2 values('plinko','plinko');
>
> > 1 row created.
>
> > SQL>
> > SQL> select * from users;
>
> > USERNAME
> > PASSWORD
> > --------------------------------------------------------------------------------
> > norbert
> > 1A77BE272647A5CDEA3A26E05C07108C
>
> > plinko
> > 2EA3BBB6B2277E7B9DC2ED98F2C01E45
>
> > SQL>
> > SQL> select username, p_encrypt.decrypt_pwd(password) from users;
>
> > USERNAME
> > --------------------------------------------------------------------------------
> > 1A77BE272647A5CDEA3A26E05C07108C
>
> > plinko
> > 2EA3BBB6B2277E7B9DC2ED98F2C01E45
>
> > SQL>
> > SQL> select username, p_encrypt.decrypt_pwd(password) from users;
>
> > USERNAME
> > P_ENCRYPT.DECRYPT_PWD(PASSWORD)
> > --------------------------------------------------------------------------------
> > norbert
> > norbert
>
> > plinko
> > plinko
>
> > SQL>
>
> > David Fitzjarrell
>
> > --
> > You received this message because you are subscribed to the Google Groups "ORACLE_DBA_EXPERTS" group.
> > To post to this group, send email to oracle_db...@googlegroups.com.
> > To unsubscribe from this group, send email to oracle_dba_expe...@googlegroups.com.
> > For more options, visit this group athttp://groups.google.com/group/oracle_dba_experts?hl=en.
> > norbert
>
> > plinko
> > plinko
>
> > SQL>
>
> > David Fitzjarrell
>
> > --
> > You received this message because you are subscribed to the Google Groups "ORACLE_DBA_EXPERTS" group.
> > To post to this group, send email to oracle_db...@googlegroups.com.
> > To unsubscribe from this group, send email to oracle_dba_expe...@googlegroups.com.
>
> --
> Thank You
> Bhaskar Sarma- Hide quoted text -
>
> - Show quoted text -
To ensure the key is not visible the package body code needs to be run
> --
> Thank You
> Bhaskar Sarma- Hide quoted text -
>
> - Show quoted text -
through the wrap utility so it could look like this:
CREATE OR REPLACE PACKAGE BODY p_encrypt wrapped
a000000
b2
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
b
47e 24c
pdNlOAEZIyeQSBkE0lxXpA6V5/Qwg5Dx19xqfC9GvoOuLcToUeWDiafmwxTGf6gnuGIFY/
z6
W9uUXOOZIK7fqjLvmS+8FJviFzyaVH
+8Ab6p9Zyk7l0ZGQ8kvNxP3XSV6cDGT3XJaJ7NX0ul
FSFI27PP30D4sl9UvuP+M1IA8ksxVEyF5GgN4xPiQjRTk+JIsb8DpQ/
HI9VKDjGoGJzwzhmn
4nVkQ6D3Mp/
B5WVs85FHZbR6Z8FXazbKgmFBb8HY9pyM0PYoqL4ixbqKGgOAbGeN1JQlGHER
oEclF4b8SlWgeTJZdTC+URqjsR+yjT
+opK5CDuhUi3enEwHmKYaHwPVG3MykwueOPw7IAGIE
1m
+fZGzmphZ0bAFV1lmj8TgUO7QUMMHCmAN9jdPsGDTIjrgNGySlM6l4Io7nOpCfsD9hKB3i
sl+LFl7fkkbD7iHC1t1LQLsa4u4ohy2Vi5NsZwJHz48/y1jnQ6l3+OeSaYN2g
+8ihKp40psH
iXLTHct5r8EO+a/7q0nn10OwukymjJWtlsKBSmsjKvpP4bnuKC63e
+HQMpT7uU250fo9eF2i
ysw=
/
The extension is changed from .sql (for example) to .plb but you can
still execute it with @ syntax from the SQL> prompt;
SQL> @encrypt_pw_ex_2.plb
Package body created.
SQL>
and now no one can see the internal key for encryption/decryption. A
short tutorial on wrap can be found here:
http://oratips-ddf.blogspot.com/2008/06/thats-wrap.html
David Fitzjarrell
Mohammed Mostafa
Jul 11, 2012, 4:41:19 AM7/11/12
to oracle_db...@googlegroups.com
Dear
David,
Thank you so much, your plan is excellent.
Appreciated!
Mohammed
Reply all
Reply to author
Forward
0 new messages