oracle從8i開始提供一個數據加密包:dbms_obfuscation_toolkit.利用這個包,我們可以對數據進行DES,Triple DES或者MD5加密. 本文就此講解如何使用以及使用過程需要注意的問題.1. dbms_obfuscation_toolkit簡介dbms_obfuscation_toolkit主要有一下幾個存儲過程:-DESGETKEY?? -- 產生密鑰,用于DES算法DES3GETKEY??-- 產生密鑰,用于Triple DES算法DESENCRYPT??-- 用DES算法加密數據DESDECRYPT??-- 用DES算法解密數據DES3ENCRYPT -- 用Triple DES算法加密數據DES3DECRYPT -- 用DES算法解密數據MD5???????? -- 用MD5算法加密數據2. 準備數據表在開始前，我們先創建表users:drop table users;

create table users(

userid varchar2(50) primary key,

password varchar2(64),??--密碼原文

encrypted varchar2(64)??--加密后的密碼

);insert into users values ('user1','user1234',null);

insert into users values ('user2','abcd1234',null);

insert into users values ('user3','oracle12',null);

commit;3. 創建包PG_ENCRYPT_DECRYPTcreate??or replace package PG_ENCRYPT_DECRYPT is

iKey varchar2(8):='oracle9i';

function GEN_RAW_KEY??( iKey in varchar2) return raw;

function DECRYPT_3KEY_MODE(iValue in raw,iMode in pls_integer)return varchar2;

function ENCRYPT_3KEY_MODE(iValue in varchar2,iMode in pls_integer)return raw;

end;

/

create or replace package body PG_ENCRYPT_DECRYPT is

function GEN_RAW_KEY??( iKey in varchar2)

return raw

as

rawkey raw(240) := '';

begin

for i in 1..length(iKey) loop

rawkey := rawkey||hextoraw(to_char(ascii(substr(iKey, i, 1))));

end loop;

return rawkey;

end;

/*

Creating function DECRYPT_3KEY_MODE

*/

FUNCTION DECRYPT_3KEY_MODE??(

iValue in raw, iMode in pls_integer

)

return varchar2

as

vDecrypted varchar2(4000);

rawkey raw(240) := '';

begin

rawkey := GEN_RAW_KEY(iKey);

-- decrypt input string

vDecrypted := dbms_obfuscation_toolkit.des3decrypt (

UTL_RAW.CAST_TO_VARCHAR2(iValue)

, key_string => rawkey

, which => iMode

);

return vDecrypted;

end;

/*

Creating function ENCRYPT_3KEY_MODE

*/

FUNCTION ENCRYPT_3KEY_MODE??(

iValue in varchar2,??iMode in pls_integer

)

return raw

as

vEncrypted varchar2(4000);

vEncryptedRaw Raw(2048);

rawkey raw(240) := '';

begin

rawkey := GEN_RAW_KEY(iKey);

-- encrypt input string

vEncrypted := dbms_obfuscation_toolkit.des3encrypt (

iValue

, key_string => rawkey

, which => iMode

);

-- convert to raw as out

vEncryptedRaw := UTL_RAW.CAST_TO_RAW(vEncrypted);

return vEncryptedRaw;

end;

end;4. 測試在SQL Plus下輸入:SQL > update users set encrypted = PG_ENCRYPT_DECRYPT.ENCRYPT_3KEY_MODE(password,1);

SQL > commit;執行完以上SQL語句后,encrypted 存儲的就是加密后的password字段.我們看一下結果:-SQL > select * from users;

USERID PASSWORD??ENCRYPTED

------ --------- ----------------

user1??user1234??69EF3A211A0F2C32

user2??abcd1234??CF7562203F6CEDE5

user3??oracle12??65D71D7148FA001D這個加密結果是否正確? 我們對加密結果解密就知道了,在SQL Plus下輸入:SQL > select userid,password,PG_ENCRYPT_DECRYPT.DECRYPT_3KEY_MODE(encrypted,1) DECRYPTED from users;

USERID PASSWORD??DECRYPTED

------ --------- ----------

user1??user1234??user1234

user2??abcd1234??abcd1234

user3??oracle12??oracle12大家可以看到,解密結果和密碼原文完全一模一樣.這說明我們的加密解密過程是正確的.5. 進一步思考我們再看一下表users:-create table users(

userid varchar2(50) primary key,

password varchar2(64),??--密碼原文

encrypted varchar2(64)??--加密后的密碼

);還有我們插入的數據:-insert into users values ('user1','user1234',null);

insert into users values ('user2','abcd1234',null);

insert into users values ('user3','oracle12',null);以及加密輸出結果:-[/code]USERID PASSWORD??ENCRYPTED------ --------- ----------------user1??user1234??69EF3A211A0F2C32user2??abcd1234??CF7562203F6CEDE5user3??oracle12??65D71D7148FA001D[/code]不知細心的朋友注意到沒有? 在表中,password 和 encrypted 的長度都是64,都是8的倍數, 再看一下我們的密碼原文和加密后的密碼也是8的倍數,這不是巧合,而是DES算法和Triple DES算法的特征之一. 輸入長度必須是8的倍數,而輸出也是8的倍數,所以我們的字段長度也是8的倍數. 如果輸入不是8的倍數會怎樣? 大家可以把密碼原文修改一下試試.6. 密鑰的保存不管我們用什么樣的加密算法,有一點非常重要的是:??密鑰的保存.密鑰就是一把鑰匙,因為加密算法是公開的,所以你無論如何加密,只要我知道你的密鑰,我就可以解密,那么你的加密就沒有效果.在本文中, 我們的密鑰是這樣定義的:-iKey varchar2(8):='oracle9i';oracle9i就是我們的密鑰.所以,如果只是簡單地把以上程序在oracle上運行一下就使用,那么任何有權限登陸的人看到這個程序,就可以知道密鑰. 所以簡單的做法是利用Oracle提供的WRAP把整個程序加密,用加密后的文本創建程序. 這樣別人就看不到你的源代碼了.把程序保存為source.sql,在Dos命令下輸入:-Wrap iname=source.sql oname=target.sql

就可以了,然后SQL Plus運行target.sql.

當然了, 這里講的密鑰保存還是很簡單的. 并不是百分百保險. 大家可以自己

想想如何更安全地保持你的密鑰.

oracle 10g 加密包改為：DBMS_CRYPTOGeneral Information

Source{ORACLE_HOME}/rdbms/admin/dbmsobtk.sql

Algorithm ConstantsNameData TypeValue

Hash Functions

HASH_MD4 (128 bit hash)PLS_INTEGER1

HASH_MD5 (128 bit hash)PLS_INTEGER2

HASH_SH1 (160 bit hash)PLS_INTEGER3

MAC Functions

HMAC_MD5 (128 bit hash)PLS_INTEGER1

HMAC_SH1 (160 bit hash)PLS_INTEGER2

Block Cipher Algorithms

ENCRYPT_DES (56 bit)PLS_INTEGER1; -- 0x0001

ENCRYPT_3DES_2KEY (128 bit)PLS_INTEGER2; -- 0x0002

ENCRYPT_3DESPLS_INTEGER3; -- 0x0003

ENCRYPT_AES128 (128 bit)PLS_INTEGER6; -- 0x0006

ENCRYPT_AES192 (192 bit)PLS_INTEGER7; -- 0x0007

ENCRYPT_AES256 (256 bit)PLS_INTEGER8; -- 0x0008

ENCRYPT_RC4 (Stream Cipher)PLS_INTEGER129; -- 0x0081

Block Cipher Chaining Modifiers

CHAIN_CBC (Cipher Block Chaining)PLS_INTEGER256; -- 0x0100

CHAIN_CFB (Cipher Feedback)PLS_INTEGER512; -- 0x0200

CHAIN_ECB (Electronic cookbook)PLS_INTEGER768; -- 0x0300

CHAIN_OFB (Output Feedback)PLS_INTEGER1024; -- 0x0400

Block Cipher Padding Modifiers

PAD_PKCS5 (Complies with PKCS #5)PLS_INTEGER4096; -- 0x1000

PAD_NONE (No Dadding)PLS_INTEGER8192; -- 0x2000

PAD_ZERO (Pad with Zeros)PLS_INTEGER12288; -- 0x3000

Block Ciphers Suites

DES_CBC_PKCS5PLS_INTEGERENCRYPT_DES

+ CHAIN_CBC

+ PAD_PKCS5;

DES3_CBC_PKCS5PLS_INTEGERENCRYPT_3DES

+ CHAIN_CBC

+ PAD_PKCS5;

DependenciesDBMS_CRYPTO_FFIDECRYPTBYTESENCRYPTBYTES

DECRYPTENCRYPTUTL_RAW

ExceptionsError CodeReason

28827The specified cipher suite is not defined

28829No value has been specified for the cipher suite to be used

28233Source data was previously encrypted

28234DES: Specified key size too short. DES keys must be at least 8 bytes (64 bits).

AES: Specified key size is not supported. AES keys must be 128, 192, or 256 bits

28239The encryption key has not been specified or contains a NULL value

DECRYPT

Decrypt crypt text data using stream or block cipher with user supplied key and optional iv

Overload 1dbms_crypto.decrypt(src IN RAW, typ IN PLS_INTEGER, key IN RAW,

iv? IN RAW DEFAULT NULL) RETURN RAW;

See Encrypt Overload 1 demo

Overload 2dbms_crypto.decrypt(dst IN OUT NOCOPY BLOB, src IN BLOB,

typ IN PLS_INTEGER, key IN RAW, iv? IN RAW DEFAULT NULL);

Overload 3dbms_crypto.decrypt (dst IN OUT NOCOPY CLOB CHARACTER SET ANY_CS,

src IN BLOB, typ IN PLS_INTEGER, key IN RAW,

iv? IN RAW DEFAULT NULL);

ENCRYPT

Encrypt plain text data using stream or block cipher with user supplied key and optional iv

Overload 1dbms_crypto.encrypt(src IN RAW, typ IN PLS_INTEGER, key IN RAW,

iv IN RAW DEFAULT NULL) RETURN RAW;

set serveroutput on

DECLARE

l_credit_card_no VARCHAR2(19) := '1234-5678-9012-3456';

l_ccn_raw RAW(128) := utl_raw.cast_to_raw(l_credit_card_no);

l_key???? RAW(128) := utl_raw.cast_to_raw('abcdefgh');

l_encrypted_raw RAW(2048);

l_decrypted_raw RAW(2048);

BEGIN

dbms_output.put_line('Original : ' || l_credit_card_no);

l_encrypted_raw :=?dbms_crypto.encrypt(l_ccn_raw,

dbms_crypto.des_cbc_pkcs5, l_key);

dbms_output.put_line('Encrypted : ' ||

RAWTOHEX(utl_raw.cast_to_raw(l_encrypted_raw)));

l_decrypted_raw :=?dbms_crypto.decrypt(src => l_encrypted_raw,

typ => dbms_crypto.des_cbc_pkcs5, key => l_key);

dbms_output.put_line('Decrypted : ' ||

utl_raw.cast_to_varchar2(l_decrypted_raw));

END;

/

set serveroutput on

DECLARE

enc_val?? RAW(2000);

l_key???? RAW(2000);

l_key_len NUMBER := 128/8;?-- convert bits to bytes

l_mod???? NUMBER :=?dbms_crypto.ENCRYPT_AES128

+?dbms_crypto.CHAIN_CBC+?dbms_crypto.PAD_PKCS5;

BEGIN

l_key :=?dbms_crypto.randombytes(l_key_len);

enc_val :=?dbms_crypto.encrypt(

utl_i18n.string_to_raw('1234-5678-9012-3456', 'AL32UTF8'),

l_mod, l_key);

dbms_output.put_line(enc_val);

END;

/

Overload 2dbms_crypto.encrypt(dst IN OUT NOCOPY BLOB, src IN BLOB,

typ IN PLS_INTEGER, key IN RAW, iv? IN RAW DEFAULT NULL);

Overload 3dbms_crypto.encrypt(dst IN OUT NOCOPY BLOB,

src IN CLOB CHARACTER SET ANY_CS, typ IN PLS_INTEGER, key IN RAW, iv? IN RAW DEFAULT NULL);

dbms_crypto.encrypt(UTL_RAW.CAST_TO_RAW(CONVERT('XXX','AL32UTF8')),typ,key);

HASH

Hash source data by cryptographic hash type

Overload 1dbms_crypto.hash(src IN RAW, typ IN PLS_INTEGER) RETURN RAW;

Overload 2dbms_crypto.hash(src IN BLOB, typ IN PLS_INTEGER) RETURN RAW;

Overload 3dbms_crypto.hash(src IN CLOB CHARACTER SET ANY_CS,

typ IN PLS_INTEGER) RETURN RAW;

MAC

Message Authentication Code algorithms provide keyed message protection

Overload 1dbms_crypto.mac(src IN RAW, typ IN PLS_INTEGER, key IN RAW)

RETURN RAW;

Overload 2dbms_crypto.mac(src IN BLOB, typ IN PLS_INTEGER, key IN RAW)

RETURN RAW;

Overload 3dbms_crypto.mac(src IN CLOB CHARACTER SET ANY_CS,

typ IN PLS_INTEGER, key IN RAW) RETURN RAW;

RANDOMBYTES

Returns a raw value containing a pseudo-random sequence of bytesdbms_crypto.randomnytes(number_bytes PLS_INTEGER) RETURN RAW;

SELECT?dbms_crypto.randombytes(1) FROM dual;

SELECT LENGTH(dbms_crypto.randombytes(1)) FROM dual;

SELECT dbms_crypto.randombytes(28) FROM dual;

SELECT LENGTH(dbms_crypto.randombytes(28)) FROM dual;

SELECT dbms_crypto.randombytes(64) FROM dual;

SELECT LENGTH(dbms_crypto.randombytes(64)) FROM dual;

RANDOMINTEGER

Returns a random BINARY_INTEGERdbms_crypto.randominteger RETURN NUMBER;

SELECT?dbms_crypto.randominteger?FROM dual;

RANDOMNUMBER

Returns a random Oracle Numberdbms_crypto.randomnumber RETURN NUMBER;

SELECT?dbms_crypto.randomnumber?FROM dual;

總結

以上是生活随笔為你收集整理的oracle dbms_crypto,Oracle的dbms_obfuscation_toolkit加密解密数据的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。