Solved

how to check the mode and padding used by des3

Posted on 2004-09-07
5
699 Views
Last Modified: 2008-01-09
how do you check the mode and padding used by des3 encryption in oracle 9i, this is so we can use the same values in java
0
Comment
Question by:inzaghi
  • 2
  • 2
5 Comments
 

Author Comment

by:inzaghi
ID: 11995467
In java I am encrypting with
the following

Algorithm: DESede
mode : ECB
padding: PKCS5Padding

How do I set this in oracle?
0
 
LVL 47

Accepted Solution

by:
schwertner earned 500 total points
ID: 11995539
Use DBMS_OBFUSCATION toolkit:
 
Explain the DES3Encrypt and DES3Decrypt procedures.  
 
 First, create two functions my_des3encrypt and my_des3decrypt that mimic the
DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and DES3Decrypt procedures to show how the
CBC mode is implemented using an IV (or seed). Next, use the functions by
encrypting a long string and decrypting it with the supplied DES3Decrypt
procedure: the input string is encrypted 8 bytes at a time where the encrypted
output from each step is fed back into my_des3encrypt as the IV. The second
example works the other way round with one block of 8 bytes (up to the reader
to extend this example to a longer string).


This explains
-> the implementation of the DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and
   DES3Decrypt procedures
-> the relationship between the DESEncrypt and DESDecrypt procedures with the
   way outer cipher-block-chaining (CBC) mode is achieved.

The following example uses the 3 key variant of triple DES required by a 192 bit
key.
Oracle uses the scheme C = Ek3(Dk2(Ek1(P))) for encryption where :
-> E is a DES encryption round
-> D is a DES decryption round
-> P is the plaintext
-> C is the ciphertext

In the CBC mode of a block cipher, the plaintext block i is XORed with the
previous ciphertext block i-1 before it is encrypted. Usually, a random seed
is used for the first block that is sent along with the ciphertext.

The Oracle implementation uses a fixed seed (0123456789ABCDEF). CBC mode
enhances security because every block depends on its predecessors and thus
makes breaking of the code or tampering with it more difficult.

To enhance security even further, application developers can prefix the
plaintext with a random string of 8 characters that can be discarded on
decryption, this in effect results in using a random seed instead of the
fixed seed, it has the advantage that even plaintexts that are the same
or start the same result in ciphertexts that are completely different.

Oracle 9i Supplied PL/SQL Packages
and Types Reference, Volume 2 release 1 (9.0.1)

create or replace function my_des3encrypt(plaintext in raw, IV in RAW,
                           key1 in raw, key2 in raw ,key3 in raw)
return raw as
-- 3 key 3des encryption implementation: Ek3(Dk2(Ek1(P)))
tempstore1 raw(128);
tempstore2 raw(128);
tempstore3 raw(128);
xored      raw(128);
begin
     xored := utl_raw.bit_xor(IV,plaintext);
     dbms_obfuscation_toolkit.desencrypt(
              input => xored,
              key   => key1,
              encrypted_data => tempstore1);
     dbms_obfuscation_toolkit.desdecrypt(
              input => tempstore1,
              key   => key2,
              decrypted_data => tempstore2);
     dbms_obfuscation_toolkit.desencrypt(
              input => tempstore2,
              key   => key3,
              encrypted_data => tempstore3);
     return tempstore3;
end my_des3encrypt;
/

show err

create or replace function my_des3decrypt(ciphertext in raw, IV in raw,
                           key1 in raw, key2 in raw ,key3 in raw)
return raw as
-- 3 key 3des decryption implementation: Dk1(Ek2(Dk3(C)))
tempstore1 raw(128);
tempstore2 raw(128);
tempstore3 raw(128);
xored      raw(128);
begin
     dbms_obfuscation_toolkit.desdecrypt(
              input => ciphertext,
              key   => key3,
              decrypted_data => tempstore1);
     dbms_obfuscation_toolkit.desencrypt(
              input => tempstore1,
              key   => key2,
              encrypted_data => tempstore2);
     dbms_obfuscation_toolkit.desdecrypt(
              input => tempstore2,
              key   => key1,
              decrypted_data => tempstore3);
     xored := utl_raw.bit_xor(IV,tempstore3);
     return xored;
end my_des3decrypt;
/

show err

set serveroutput on

-- test encryption with my_des3encrypt, decryption with supplied des3decrypt
declare
  teststringin  varchar2(256);
  teststringout varchar2(256);
  testplain1 varchar2(8);
  testraw1   raw(1024);
  testmy3des1 raw(128);
  longtestraw raw(1024);
  key1      raw(128);
  key2      raw(128);
  key3      raw(128);
  des3key   raw(256);
IV        raw(128);
  l number;
begin
  teststringin := 'This is the input string for my test routine !!!';
--                 123456781234567812345678123456781234567812345678
  key1 := hextoraw('A1B890F12D543680');
  key2 := hextoraw('132FD66F5009895C');
  key3 := hextoraw('06F58436588321FF');
  IV   := hextoraw('0123456789ABCDEF');
  testplain1 := substr(teststringin,1,8);
  testraw1 := utl_raw.cast_to_raw(testplain1);
  testmy3des1 := my_des3encrypt(testraw1,IV,key1,key2,key3);
  l := length(teststringin)/8;
  longtestraw := testmy3des1;
  for i in 2..l loop
       testplain1 := substr(teststringin,i*8-7,8);
       testraw1 := utl_raw.cast_to_raw(testplain1);
--     feedback the previous encrypted block as IV for the CBC
       testmy3des1 := my_des3encrypt(testraw1,testmy3des1,key1,key2,key3);
       longtestraw := longtestraw||testmy3des1;
  end  loop;
-- concatenate the keys for the DES3Decrypt routine.
  des3key := key1||key2||key3;
  dbms_obfuscation_toolkit.DES3Decrypt(
                          input => longtestraw,
                          key => des3key,
                          decrypted_data => testraw1,
                          which => 1);
  teststringout := utl_raw.cast_to_varchar2(testraw1);
  dbms_output.put_line(teststringout);
end;
/

-- test encryption with des3encrypt, decryption with my_des3decrypt
declare
  testplain1 varchar2(8);
  testraw1   raw(128);
  testmy3des1 raw(128);
  key1      raw(128);
  key2      raw(128);
  key3      raw(128);
  des3key   raw(256);
  IV        raw(128);
begin
  testplain1 := 'OtherWay';
  testraw1 := utl_raw.cast_to_raw(testplain1);
  key1 := hextoraw('0123456789ABCDEF');
  key2 := hextoraw('FEDCBA9876543210');
  key3 := hextoraw('01020304050607CF');
  IV   := hextoraw('0123456789ABCDEF');
  des3key := key1||key2||key3;
  dbms_obfuscation_toolkit.DES3Encrypt(
                          input => testraw1,
                          key => des3key,
                          encrypted_data => testmy3des1,
                          which => 1);
  testraw1 := my_des3decrypt(testmy3des1,IV,key1,key2,key3);
  testplain1 := utl_raw.cast_to_varchar2(testraw1);
  dbms_output.put_line(testplain1);
end;
/

This is the input string for my test routine !!!

PL/SQL procedure successfully completed.

SQL>
OtherWay

PL/SQL procedure successfully completed.


0
 

Author Comment

by:inzaghi
ID: 11995623
So oracle uses CBC mode, what about the padding?
0
 
LVL 47

Assisted Solution

by:schwertner
schwertner earned 500 total points
ID: 11995773
1) Oracle supports ECB mode DES.

2) No, and neither does the random number generator provided in 9i. Weak keys are a problem that has to be handled when generating keys.

3) There are no known published vulnerabilities with the Obfuscation Engine's implementation of DES. It's straight FIPS DES.

4) Because Oracle supports ECB mode DES, padding isn't an issue.
0
 
LVL 22

Expert Comment

by:earth man2
ID: 11996657
You can use a java stored procedure in Oracle to do decryption.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Subquery in Oracle: Sub queries are one of advance queries in oracle. Types of advance queries: •      Sub Queries •      Hierarchical Queries •      Set Operators Sub queries are know as the query called from another query or another subquery. It can …
Cursors in Oracle: A cursor is used to process individual rows returned by database system for a query. In oracle every SQL statement executed by the oracle server has a private area. This area contains information about the SQL statement and the…
This video shows how to Export data from an Oracle database using the Original Export Utility.  The corresponding Import utility, which works the same way is referenced, but not demonstrated.
This video shows how to copy an entire tablespace from one database to another database using Transportable Tablespace functionality.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now