Solved

how to check the mode and padding used by des3

Posted on 2004-09-07
5
721 Views
Last Modified: 2008-01-09
how do you check the mode and padding used by des3 encryption in oracle 9i, this is so we can use the same values in java
0
Comment
Question by:inzaghi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 

Author Comment

by:inzaghi
ID: 11995467
In java I am encrypting with
the following

Algorithm: DESede
mode : ECB
padding: PKCS5Padding

How do I set this in oracle?
0
 
LVL 48

Accepted Solution

by:
schwertner earned 500 total points
ID: 11995539
Use DBMS_OBFUSCATION toolkit:
 
Explain the DES3Encrypt and DES3Decrypt procedures.  
 
 First, create two functions my_des3encrypt and my_des3decrypt that mimic the
DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and DES3Decrypt procedures to show how the
CBC mode is implemented using an IV (or seed). Next, use the functions by
encrypting a long string and decrypting it with the supplied DES3Decrypt
procedure: the input string is encrypted 8 bytes at a time where the encrypted
output from each step is fed back into my_des3encrypt as the IV. The second
example works the other way round with one block of 8 bytes (up to the reader
to extend this example to a longer string).


This explains
-> the implementation of the DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and
   DES3Decrypt procedures
-> the relationship between the DESEncrypt and DESDecrypt procedures with the
   way outer cipher-block-chaining (CBC) mode is achieved.

The following example uses the 3 key variant of triple DES required by a 192 bit
key.
Oracle uses the scheme C = Ek3(Dk2(Ek1(P))) for encryption where :
-> E is a DES encryption round
-> D is a DES decryption round
-> P is the plaintext
-> C is the ciphertext

In the CBC mode of a block cipher, the plaintext block i is XORed with the
previous ciphertext block i-1 before it is encrypted. Usually, a random seed
is used for the first block that is sent along with the ciphertext.

The Oracle implementation uses a fixed seed (0123456789ABCDEF). CBC mode
enhances security because every block depends on its predecessors and thus
makes breaking of the code or tampering with it more difficult.

To enhance security even further, application developers can prefix the
plaintext with a random string of 8 characters that can be discarded on
decryption, this in effect results in using a random seed instead of the
fixed seed, it has the advantage that even plaintexts that are the same
or start the same result in ciphertexts that are completely different.

Oracle 9i Supplied PL/SQL Packages
and Types Reference, Volume 2 release 1 (9.0.1)

create or replace function my_des3encrypt(plaintext in raw, IV in RAW,
                           key1 in raw, key2 in raw ,key3 in raw)
return raw as
-- 3 key 3des encryption implementation: Ek3(Dk2(Ek1(P)))
tempstore1 raw(128);
tempstore2 raw(128);
tempstore3 raw(128);
xored      raw(128);
begin
     xored := utl_raw.bit_xor(IV,plaintext);
     dbms_obfuscation_toolkit.desencrypt(
              input => xored,
              key   => key1,
              encrypted_data => tempstore1);
     dbms_obfuscation_toolkit.desdecrypt(
              input => tempstore1,
              key   => key2,
              decrypted_data => tempstore2);
     dbms_obfuscation_toolkit.desencrypt(
              input => tempstore2,
              key   => key3,
              encrypted_data => tempstore3);
     return tempstore3;
end my_des3encrypt;
/

show err

create or replace function my_des3decrypt(ciphertext in raw, IV in raw,
                           key1 in raw, key2 in raw ,key3 in raw)
return raw as
-- 3 key 3des decryption implementation: Dk1(Ek2(Dk3(C)))
tempstore1 raw(128);
tempstore2 raw(128);
tempstore3 raw(128);
xored      raw(128);
begin
     dbms_obfuscation_toolkit.desdecrypt(
              input => ciphertext,
              key   => key3,
              decrypted_data => tempstore1);
     dbms_obfuscation_toolkit.desencrypt(
              input => tempstore1,
              key   => key2,
              encrypted_data => tempstore2);
     dbms_obfuscation_toolkit.desdecrypt(
              input => tempstore2,
              key   => key1,
              decrypted_data => tempstore3);
     xored := utl_raw.bit_xor(IV,tempstore3);
     return xored;
end my_des3decrypt;
/

show err

set serveroutput on

-- test encryption with my_des3encrypt, decryption with supplied des3decrypt
declare
  teststringin  varchar2(256);
  teststringout varchar2(256);
  testplain1 varchar2(8);
  testraw1   raw(1024);
  testmy3des1 raw(128);
  longtestraw raw(1024);
  key1      raw(128);
  key2      raw(128);
  key3      raw(128);
  des3key   raw(256);
IV        raw(128);
  l number;
begin
  teststringin := 'This is the input string for my test routine !!!';
--                 123456781234567812345678123456781234567812345678
  key1 := hextoraw('A1B890F12D543680');
  key2 := hextoraw('132FD66F5009895C');
  key3 := hextoraw('06F58436588321FF');
  IV   := hextoraw('0123456789ABCDEF');
  testplain1 := substr(teststringin,1,8);
  testraw1 := utl_raw.cast_to_raw(testplain1);
  testmy3des1 := my_des3encrypt(testraw1,IV,key1,key2,key3);
  l := length(teststringin)/8;
  longtestraw := testmy3des1;
  for i in 2..l loop
       testplain1 := substr(teststringin,i*8-7,8);
       testraw1 := utl_raw.cast_to_raw(testplain1);
--     feedback the previous encrypted block as IV for the CBC
       testmy3des1 := my_des3encrypt(testraw1,testmy3des1,key1,key2,key3);
       longtestraw := longtestraw||testmy3des1;
  end  loop;
-- concatenate the keys for the DES3Decrypt routine.
  des3key := key1||key2||key3;
  dbms_obfuscation_toolkit.DES3Decrypt(
                          input => longtestraw,
                          key => des3key,
                          decrypted_data => testraw1,
                          which => 1);
  teststringout := utl_raw.cast_to_varchar2(testraw1);
  dbms_output.put_line(teststringout);
end;
/

-- test encryption with des3encrypt, decryption with my_des3decrypt
declare
  testplain1 varchar2(8);
  testraw1   raw(128);
  testmy3des1 raw(128);
  key1      raw(128);
  key2      raw(128);
  key3      raw(128);
  des3key   raw(256);
  IV        raw(128);
begin
  testplain1 := 'OtherWay';
  testraw1 := utl_raw.cast_to_raw(testplain1);
  key1 := hextoraw('0123456789ABCDEF');
  key2 := hextoraw('FEDCBA9876543210');
  key3 := hextoraw('01020304050607CF');
  IV   := hextoraw('0123456789ABCDEF');
  des3key := key1||key2||key3;
  dbms_obfuscation_toolkit.DES3Encrypt(
                          input => testraw1,
                          key => des3key,
                          encrypted_data => testmy3des1,
                          which => 1);
  testraw1 := my_des3decrypt(testmy3des1,IV,key1,key2,key3);
  testplain1 := utl_raw.cast_to_varchar2(testraw1);
  dbms_output.put_line(testplain1);
end;
/

This is the input string for my test routine !!!

PL/SQL procedure successfully completed.

SQL>
OtherWay

PL/SQL procedure successfully completed.


0
 

Author Comment

by:inzaghi
ID: 11995623
So oracle uses CBC mode, what about the padding?
0
 
LVL 48

Assisted Solution

by:schwertner
schwertner earned 500 total points
ID: 11995773
1) Oracle supports ECB mode DES.

2) No, and neither does the random number generator provided in 9i. Weak keys are a problem that has to be handled when generating keys.

3) There are no known published vulnerabilities with the Obfuscation Engine's implementation of DES. It's straight FIPS DES.

4) Because Oracle supports ECB mode DES, padding isn't an issue.
0
 
LVL 22

Expert Comment

by:earth man2
ID: 11996657
You can use a java stored procedure in Oracle to do decryption.
0

Featured Post

[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever had to make fundamental changes to a table in Oracle, but haven't been able to get any downtime?  I'm talking things like: * Dropping columns * Shrinking allocated space * Removing chained blocks and restoring the PCTFREE * Re-or…
From implementing a password expiration date, to datatype conversions and file export options, these are some useful settings I've found in Jasper Server.
This video shows how to recover a database from a user managed backup
This video shows how to copy an entire tablespace from one database to another database using Transportable Tablespace functionality.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question