Encrypt (& decrypt) a number column in Oracle - oracle

How to do for encrypting a number
column in Oracle 11 (and also be able to decrypt them back) so that the same column stores crypted numbers along with (unencrypted ones (based on a boolean saved elsewhere)?
I actually did a function like this that takes a number to produce a crypted number and it worked fine in Oracle 10 but now it doesn't work anymore in ORACLE 11:
function crypt (key varchar2, n number) return number
raw_input RAW(128);
encrypted_raw RAW(2048);
raw_key_ RAW(128) := UTL_RAW.CAST_TO_RAW(CONVERT(key,'AL32UTF8','US7ASCII'));
begin
raw_input_ := UTL_RAW.cast_from_number (n);
encrypted_raw := dbms_crypto.Encrypt(src => raw_input_, typ =>DBMS_CRYPTO.DES3_CBC_PKCS5, KEY=>raw_key_);
return UTL_RAW.cast_to_number(encrypted_raw);
end;
it throws this error with no explanations:
ORA-06502: PL/SQL: numeric or value error
ORA-06512: at "SYS.UTL_RAW", line 388
...
Thank you

Looks like you're trying to cast the encrypted raw to a number. If I understand what you want this function to do, it seems you want to test that the input number = returned number (that you can encrypt and decrypt successfully). If you wanted to just encrypt, you would return a raw, not a number.
Anyway, you should be casting the decrypted raw value to a number to test that the input number = returned number. Something like:
create or replace function test_crypt(k varchar2, n number)
return number as
raw_input_ RAW(128);
encrypted_raw RAW(2000);
decrypted_raw RAW (2000);
raw_key_ RAW(128) := UTL_RAW.CAST_TO_RAW(k);
begin
raw_input_ := UTL_RAW.cast_from_number (n);
encrypted_raw := dbms_crypto.Encrypt(src => raw_input_, typ =>DBMS_CRYPTO.DES3_CBC_PKCS5, KEY=>raw_key_);
--return UTL_RAW.cast_to_number(encrypted_raw);
-- use dbms_crypto to decrypt and return (hopefully same) number
decrypted_raw := DBMS_CRYPTO.DECRYPT
(
src => encrypted_raw,
typ => DBMS_CRYPTO.DES3_CBC_PKCS5,
key => raw_key_
);
return UTL_RAW.cast_to_number(decrypted_raw);
end;
On my system anyway, the input number = returned number (key is from dbms_crypto.randombytes(32) ). For example:
select test_crypt('50610FB89D98C7D906CB0A9917413221E4FE6FA62A9604302EE2C8F63E6BAD91', 234.21) from dual;
Output:
234.21

Related

Oracle , Encryption or obfuscation function with output size limit

Is there any encryption or obfuscation Oracle Function (standard or third party) that can limit the output size?
I need to obfuscate a column smaller than 20 char by limiting the output to 20 char .
I'm using the following function that generates an output of 32 Characters , the constraint comes from a System external to mine , I couldn't negotiate a larger size of the output (their input).
create or replace function md5 (valor varchar) return varchar2 is
v_input varchar2(2000) := valor;
hexkey varchar2(32) := null;
begin
hexkey := rawtohex(dbms_obfuscation_toolkit.md5(input => utl_raw.cast_to_raw(v_input)));
return nvl(hexkey,'');
end;
I need something like obfuscate a USA Social Service in a 20 char length output.
I need also some security because us applied to private medical information.

Cannot Decrypt Varchar2 password using DBMS_CRYPTO.DECRYPT

what i need
i need to decrypt password store in database.
I tried sql
https://docs.oracle.com/cd/B28359_01/appdev.111/b28419/d_crypto.htm#i1001225
sql
DECLARE
input_string VARCHAR2 (200) := 'Secret Message';
encrypted_answer_raw RAW(2000);
output_string VARCHAR2 (200);
encrypted_raw RAW (2000); -- stores encrypted binary text
decrypted_raw RAW (2000); -- stores decrypted binary text
num_key_bytes NUMBER := 256/8; -- key length 256 bits (32 bytes)
key_bytes_raw RAW (32); -- stores 256-bit encryption key
encryption_type PLS_INTEGER := -- total encryption type
DBMS_CRYPTO.ENCRYPT_AES256
+ DBMS_CRYPTO.CHAIN_CBC
+ DBMS_CRYPTO.PAD_PKCS5;
BEGIN
DBMS_OUTPUT.PUT_LINE ( 'Original string: ' || input_string);
key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES (num_key_bytes);
encrypted_raw := DBMS_CRYPTO.ENCRYPT
(
src => UTL_I18N.STRING_TO_RAW (input_string, 'AL32UTF8'),
typ => encryption_type,
key => key_bytes_raw
);
-- The encrypted value "encrypted_raw" can be used here
debug_msg('encrypted_raw'||encrypted_raw);
Decryption code
Code Works
decrypted_raw := DBMS_CRYPTO.DECRYPT
(
src => encrypted_raw,
typ => encryption_type,
key => key_bytes_raw
);
output_string := UTL_I18N.RAW_TO_CHAR (decrypted_raw, 'AL32UTF8');
Code Doesn't works
encrypted_answer_raw:=utl_raw.cast_to_raw('989628CCF16292A73FEB63D4694C8129');
decrypted_raw := DBMS_CRYPTO.DECRYPT
(
src => encrypted_answer_raw,
typ => encryption_type,
key => key_bytes_raw
);
output_string := UTL_I18N.RAW_TO_CHAR (decrypted_raw, 'AL32UTF8');
DBMS_OUTPUT.PUT_LINE ('Decrypted string: ' || output_string);
END;
Error
Error report -
ORA-28817: PL/SQL function returned an error.
ORA-06512: at "SYS.DBMS_CRYPTO_FFI", line 67
ORA-06512: at "SYS.DBMS_CRYPTO", line 44
ORA-06512: at line 25
28817. 00000 - "PL/SQL function returned an error."
*Cause: A PL/SQL function returned an error unexpectedly.
*Action: This is an internal error. Enable tracing to find more
information. Contact Oracle customer support if needed.
*Document: NO
989628CCF16292A73FEB63D4694C8129 is database enrypted password stored in db.
any help is most welcome.
I suspect that instead of doing
encrypted_answer_raw := utl_raw.cast_to_raw('989628CCF16292A73FEB63D4694C8129');
you may want to do
encrypted_answer_raw := hextoraw('989628CCF16292A73FEB63D4694C8129');
I believe the problem is that the password is not really 989628CCF16292A73FEB63D4694C8129, but rather –(Ěńb’§?ëcÔiL) (displayed in win1250 codepage), despite your Oracle client software showing raw columns as hexa strings.
As a sidenote...
All those comments under your question, stating that you should store+compare password hashes instead of encrypting+decrypting them, are valid.

numeric or value error: raw variable length too long ORA-06512: at "SYS.UTL_RAW"

I am facing raw variable length too long issue when select the BLOB(Stored JSON string) filed value from the table.
Query:
select utl_raw.cast_to_varchar2(dbms_lob.substr(TRANSACTION_DATA)) from PS_ISA_INB_PAYLOAD_LOG;
This is my SP i have used to insert the JSON object into BLOB Field:
create or replace PROCEDURE SDIX_TICK_LOG
(
ORGANIZATIONNAME IN VARCHAR2
, TRANSACTION_TYPE IN VARCHAR2
, TRANSACTION_DATA IN BLOB
, TRANSACTION_STATUS IN VARCHAR2
) AS
l_r RAW(32767);
l_blob blob;
l_clob clob :='"ItemMasterTransfer":[{"ORACLE_UNIQUE_REC_ID":"123assd4434","CUSTOMER_ID":"PMC","ORGANIZATION_CODE":"BMftrdsM","ITEM":"696738","INVENTORY_ITEM_ID":"0000000000000000000000000000546","ORGANIZATION_ID":" ","SUBINVENTORY_CODE":"000000000000000000","LOCATOR_ID":" ","ISA_MATERIAL_GROUP":" ","TAX_GROUP":" ","CATEGORY_ID":"1956","NOUN":" ","MODIFIER":" ","MANUFACTURER_ID":" ","MFG_ITEM_ID":" ","UNIT_OF_MEASURE":"BOX","ITEM_TYPE":"P","STOCK_ENABLED_FLAG":"Y","INVENTORY_ITEM_STATUS_CODE":"A","LIST_PRICE_PER_UNIT":"0","FULL_LEAD_TIME":"0","MAX_MINMAX_QUANTITY":"10","MIN_MINMAX_QUANTITY":"10","SAFETY_LEVEL":"0","REPLENISH_TO_ORDER_FLAG":"N","UTILIZ_CD":"","CURRENCY_CD":"USD","DESCRIPTION":"","ATTRIBUTE1":" ","ATTRIBUTE2":" ","ATTRIBUTE3":" ","ATTRIBUTE4":" ","ATTRIBUTE5":" ","ATTRIBUTE6":" ","ATTRIBUTE7":" ","ATTRIBUTE8":" ","ATTRIBUTE9":" ","ATTRIBUTE10":" ","TRANSACTION_STATUS":" ","TRANS_STATUS_DESCRIPTION":" "},{"ORACLE_UNIQUE_REC_ID":"123assd4434","CUSTOMER_ID":"PMC","ORGANIZATION_CODE":"BMftrdsM","ITEM":"696738","INVENTORY_ITEM_ID":"0000000000000000000000000000546","ORGANIZATION_ID":" ","SUBINVENTORY_CODE":"000000000000000000","LOCATOR_ID":" ","ISA_MATERIAL_GROUP":" ","TAX_GROUP":" ","CATEGORY_ID":"1956","NOUN":" ","MODIFIER":" ","MANUFACTURER_ID":" ","MFG_ITEM_ID":" ","UNIT_OF_MEASURE":"BOX","ITEM_TYPE":"P","STOCK_ENABLED_FLAG":"Y","INVENTORY_ITEM_STATUS_CODE":"A","LIST_PRICE_PER_UNIT":"0","FULL_LEAD_TIME":"0","MAX_MINMAX_QUANTITY":"10","MIN_MINMAX_QUANTITY":"10","SAFETY_LEVEL":"0","REPLENISH_TO_ORDER_FLAG":"N","UTILIZ_CD":"","CURRENCY_CD":"USD","DESCRIPTION":"","ATTRIBUTE1":" ","ATTRIBUTE2":" ","ATTRIBUTE3":" ","ATTRIBUTE4":" ","ATTRIBUTE5":" ","ATTRIBUTE6":" ","ATTRIBUTE7":" ","ATTRIBUTE8":" ","ATTRIBUTE9":" ","ATTRIBUTE10":" ","TRANSACTION_STATUS":" ","TRANS_STATUS_DESCRIPTION":" "},{"ORACLE_UNIQUE_REC_ID":"123assd4434","CUSTOMER_ID":"PMC","ORGANIZATION_CODE":"BMftrdsM","ITEM":"696738","INVENTORY_ITEM_ID":"0000000000000000000000000000546","ORGANIZATION_ID":" ","SUBINVENTORY_CODE":"000000000000000000","LOCATOR_ID":" ","ISA_MATERIAL_GROUP":" ","TAX_GROUP":" ","CATEGORY_ID":"1956","NOUN":" ","MODIFIER":" ","MANUFACTURER_ID":" ","MFG_ITEM_ID":" ","UNIT_OF_MEASURE":"BOX","ITEM_TYPE":"P","STOCK_ENABLED_FLAG":"Y","INVENTORY_ITEM_STATUS_CODE":"A","LIST_PRICE_PER_UNIT":"0","FULL_LEAD_TIME":"0","MAX_MINMAX_QUANTITY":"10","MIN_MINMAX_QUANTITY":"10","SAFETY_LEVEL":"0","REPLENISH_TO_ORDER_FLAG":"N","UTILIZ_CD":"","CURRENCY_CD":"USD","DESCRIPTION":"","ATTRIBUTE1":" ","ATTRIBUTE2":" ","ATTRIBUTE3":" ","ATTRIBUTE4":" ","ATTRIBUTE5":" ","ATTRIBUTE6":" ","ATTRIBUTE7":" ","ATTRIBUTE8":" ","ATTRIBUTE9":" ","ATTRIBUTE10":" ","TRANSACTION_STATUS":" ","TRANS_STATUS_DESCRIPTION":" "}],"Organization":"PMC Biogenix","SharedSecret":"sTc1QowIu5Iy1Qt8iilnmQ==","TimeStamp":"09/28/2018 00:19:21","RowsSent":"1"}';
l_amt integer := dbms_lob.lobmaxsize;
l_dest_offset integer := 1;
l_src_offset integer := 1;
l_csid integer := dbms_lob.default_csid;
l_ctx integer := dbms_lob.default_lang_ctx;
l_warn integer;
BEGIN
dbms_lob.createTemporary( l_blob, false );
dbms_lob.convertToBlob( l_blob,
l_clob,
l_amt,
l_dest_offset,
l_src_offset,
l_csid,
l_ctx,
l_warn );
INSERT INTO PS_ISA_INB_PAYLOAD_LOG Values(ORGANIZATIONNAME,TRANSACTION_TYPE,l_blob,SYSDATE,TRANSACTION_STATUS);
END SDIX_TICK_LOG;
Your problem lies here: DBMS_LOB.SUBSTR()
DBMS_LOB is using VARCHAR2 internally, and VARCHAR2 has limit of 2000 chars. Your blob has the size of 2829 chars, therefore it is too long to be processed by DBMS_LOB.SUBSTR() at once.
You can test this by these commands:
Take only first 2000 chars from BLOB:
select utl_raw.cast_to_varchar2(dbms_lob.substr(TRANSACTION_DATA), 2000, 1) from PS_ISA_INB_PAYLOAD_LOG;
OK.
Take 2001 chars from BLOB:
select utl_raw.cast_to_varchar2(dbms_lob.substr(TRANSACTION_DATA, 2001, 1)) from PS_ISA_INB_PAYLOAD_LOG;
Error report -
SQL Error:
ORA-06502: PL/SQL: numeric or value error: raw variable length too long
ORA-06512: at line 1
06502.00000 - "PL/SQL: numeric or value error%s"
Is that possible to select entire BLOB Field value?
Basically, no. You'll need a PL/SQL function similar to the one you've already described, except this time, it will go BLOB-to-CLOB. You can call that from SQL, if it returns a CLOB or a VARCHAR2(4000).
As a side note, I question why you're taking JSON, which is character data, and storing it as a BLOB, then wanting to get character data back. Why not just store it as a CLOB in the first place?

Oracle update BLOB column with encrypted value set NULL value when blob is more than 3000-4000 char

In a Oracle 11g database I have a table with a blob column in which I want to put encrypted datas.
I have this function in my database :
create or replace FUNCTION encryptmyBLOB(content IN BLOB, key in VARCHAR2)
RETURN BLOB AS
CRYPTED BLOB;
encryption_type PLS_INTEGER :=
SYS.DBMS_CRYPTO.ENCRYPT_AES128
+ SYS.DBMS_CRYPTO.CHAIN_CBC
+ SYS.DBMS_CRYPTO.PAD_PKCS5;
BEGIN
dbms_lob.createtemporary(CRYPTED,true);
SYS.DBMS_CRYPTO.ENCRYPT(
dst => CRYPTED,
src => content,
typ => encryption_type,
key => SYS.DBMS_CRYPTO.Hash (UTL_I18N.STRING_TO_RAW (key, 'WE8ISO8859P15'), SYS.DBMS_CRYPTO.HASH_MD5),
iv => utl_raw.cast_to_raw('/myIV'));
return CRYPTED;
end if;
END;
and my application send query with params like this :
UPDATE mytable SET myColumn=encryptmyBLOB(:SERIAL,:ENCRYPT_KEY) WHERE ...
This works well when the SERIAL param contain less than approximately 4000 bytes but when SERIAL contain more data I get a database error.
ORA-01461: can bind a LONG value only for insert into a LONG column
I don't understand what I am doing wrong. I suspect that my application Oracle driver send a LONG value in my SERIAL param instead of a BLOB value but I can't confirm it and the UPDATE is correctly done if I bypass my function.
Can anyone point me in the right direction?
Many thanks.
The error is pretty clear: You column is not a BLOB-column.
You should change the datatype to BLOB, because LONG/LONG RAW is deprecated:
https://docs.oracle.com/cd/B28359_01/server.111/b28318/datatype.htm#CNCPT613
If you can't change the type of the column, you could check the size of your BLOB 'content' within you function:
DECLARE
myBlob BLOB;
mySize NUMBER;
BEGIN
myBlob := utl_raw.cast_to_raw('1234567890');
mySize := dbms_lob.getlength(myBlob);
dbms_output.put_line('Size: ' || mySize);
myBlob := utl_raw.cast_to_raw('12345678901234567890');
mySize := dbms_lob.getlength(myBlob);
dbms_output.put_line('Size: ' || mySize);
END;

Oracle RawToHex function - what happens if return value exceeds varchar2 limit?

The RawToHex function in Oracle 11g returns a hexadecimal representation of any raw value.
This function returns the Hex Value as a varchar2.
What happens if I pass a BLOB into the RawToHex() function that will result in a hex representation that exceeds the varchar2 limit of 4000?
Is there any way to convert very big BLOBs into a Hex representation?
UPDATE:
I did some investigation and found an answer for the first part of my question.
I can pass a BLOB into the RawToHex function and this one will execute successfully as long as you won't hit the boundaries of the Raw DataType. Oracle seems to convert from BLOB to Raw implicitly.
DECLARE
a varchar2(32767);
b blob;
BEGIN
select blob_column into b from a_table where a_table_id = 1;
dbms_output.put_line(dbms_lob.getlength(b)); --> output: 216
dbms_output.put_line(rawtohex(empty_blob())); --> converted blob
select blob_column into b from a_table where a_table_id = 2;
dbms_output.put_line(dbms_lob.getlength(b)); --> output: 140000
dbms_output.put_line(rawtohex(empty_blob())); --> ORA-06502: PL/SQL: numeric or value error
END;
Description of this error according to ora-code.com
ORA-06502: PL/SQL: numeric or value error string
Cause: An arithmetic, numeric, string, conversion, or constraint error occurred. For example, this error occurs if an attempt is made to assign the value NULL to a variable declared NOT NULL, or if an attempt is made to assign an integer larger than 99 to a variable declared NUMBER(2).
Action: Change the data, how it is manipulated, or how it is declared so that values do not violate constraints.
UPDATE 2:
I've got a solution for this issue. Splitting the blob into smaller blocks and converting them step by step. It delivers the correct result. Is this a correct approach or could this solution fall over at some point?
function BlobToHex(data in blob) return clob
is
v_clob clob;
v_start pls_integer := 1;
v_buffer pls_integer := 4000;
begin
if data is null
then
return '""';
end if;
dbms_lob.createtemporary(v_clob, true);
dbms_lob.append(v_clob, '0x');
for i in 1..ceil(dbms_lob.getlength(data) / v_buffer)
loop
dbms_lob.append(v_clob, rawtohex(DBMS_LOB.SUBSTR(data, v_buffer, v_start)));
v_start := v_start + v_buffer;
end loop;
return v_clob;
end;
You'll get ORA-00932
SQL> select rawtohex(empty_blob()) from dual;
select rawtohex(empty_blob()) from dual
*
ERROR at line 1:
ORA-00932: inconsistent datatypes: expected - got BLOB
SQL>
because
As a SQL built-in function, RAWTOHEX accepts an argument of any scalar data type other than LONG, LONG RAW, CLOB, BLOB, or BFILE.
As stated by the documentation.

Resources