Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Becoming another user"] [Next entry: "Daily, weekly, monthly checklists"]

A nice simple DBMS_OBFUSCATION_TOOLKIT example by Nimzo Benoni



I saw a simple example of the use of the DBMS_OBFUSCATION_TOOLKIT on Haris Ali's blog today. The entry is titled http://www.cheblogs.com/roller/page/nimzobenoni/20050110#dbms_obfuscation_toolkit - (broken link) DBMS_OBFUSCATION_TOOLKIT and gives a very simple encrypt and decrypt PL/SQL procedure examples. He even shows how to ensure that the data being encrypted is aligned to an 8 byte boundary. The two procedures do not allude to the perennial problem of encryption and decryption - which is how to hide the key so that it is not available to users or hackers. In these examples the key is simply hard coded in the examples.

Haris's example shows use of the procedures without output. I think he could have made the example a little more useful by showing it actually working.

10g improves the encryption and decryption possibilities in the database by providing the DBMS_CRYPTO package that supports more algorithms including AES and also manages the padding better. This new package will replace DBMS_OBFUSCATION_TOOLKIT. There are commercial alternatives as well as free ones to the Oracle provided packages. Details of which can be found on my tools page. Haris's example is worth looking at if you are contemplating use of this package as it shows a simple example.