Solved

how to check the mode and padding used by des3

Posted on 2004-09-07
Last Modified: 2008-01-09
How do you check the mode and padding used by DES3 encryption in Oracle 9i? This is so we can use the same values in Java.
0
Question by:inzaghi

Author Comment

by:inzaghi
ID: 11995467
In Java I am encrypting with the following:

Algorithm: DESede
mode : ECB
padding: PKCS5Padding

How do I set this in Oracle?
0
 

Accepted Solution

by:schwertner
schwertner earned 500 total points
ID: 11995539
Use DBMS_OBFUSCATION toolkit:
 
Explain the DES3Encrypt and DES3Decrypt procedures.  
 
 First, create two functions my_des3encrypt and my_des3decrypt that mimic the
DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and DES3Decrypt procedures to show how the
CBC mode is implemented using an IV (or seed). Next, use the functions by
encrypting a long string and decrypting it with the supplied DES3Decrypt
procedure: the input string is encrypted 8 bytes at a time where the encrypted
output from each step is fed back into my_des3encrypt as the IV. The second
example works the other way round with one block of 8 bytes (up to the reader
to extend this example to a longer string).


This explains
-> the implementation of the DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and
   DES3Decrypt procedures
-> the relationship between the DESEncrypt and DESDecrypt procedures with the
   way outer cipher-block-chaining (CBC) mode is achieved.

The following example uses the 3 key variant of triple DES required by a 192 bit
key.
Oracle uses the scheme C = Ek3(Dk2(Ek1(P))) for encryption where :
-> E is a DES encryption round
-> D is a DES decryption round
-> P is the plaintext
-> C is the ciphertext

In the CBC mode of a block cipher, the plaintext block i is XORed with the
previous ciphertext block i-1 before it is encrypted. Usually, a random seed
is used for the first block that is sent along with the ciphertext.

The Oracle implementation uses a fixed seed (0123456789ABCDEF). CBC mode
enhances security because every block depends on its predecessors and thus
makes breaking of the code or tampering with it more difficult.

To enhance security even further, application developers can prefix the
plaintext with a random string of 8 characters that can be discarded on
decryption. This in effect results in using a random seed instead of the
fixed seed. It has the advantage that even plaintexts that are the same
or start the same result in ciphertexts that are completely different.

Oracle 9i Supplied PL/SQL Packages
and Types Reference, Volume 2 release 1 (9.0.1)

create or replace function my_des3encrypt(plaintext in raw, IV in RAW,
                           key1 in raw, key2 in raw ,key3 in raw)
return raw as
-- 3 key 3des encryption implementation: Ek3(Dk2(Ek1(P)))
tempstore1 raw(128);
tempstore2 raw(128);
tempstore3 raw(128);
xored      raw(128);
begin
     xored := utl_raw.bit_xor(IV,plaintext);
     dbms_obfuscation_toolkit.desencrypt(
              input => xored,
              key   => key1,
              encrypted_data => tempstore1);
     dbms_obfuscation_toolkit.desdecrypt(
              input => tempstore1,
              key   => key2,
              decrypted_data => tempstore2);
     dbms_obfuscation_toolkit.desencrypt(
              input => tempstore2,
              key   => key3,
              encrypted_data => tempstore3);
     return tempstore3;
end my_des3encrypt;
/

show err

create or replace function my_des3decrypt(ciphertext in raw, IV in raw,
                           key1 in raw, key2 in raw ,key3 in raw)
return raw as
-- 3 key 3des decryption implementation: Dk1(Ek2(Dk3(C)))
tempstore1 raw(128);
tempstore2 raw(128);
tempstore3 raw(128);
xored      raw(128);
begin
     dbms_obfuscation_toolkit.desdecrypt(
              input => ciphertext,
              key   => key3,
              decrypted_data => tempstore1);
     dbms_obfuscation_toolkit.desencrypt(
              input => tempstore1,
              key   => key2,
              encrypted_data => tempstore2);
     dbms_obfuscation_toolkit.desdecrypt(
              input => tempstore2,
              key   => key1,
              decrypted_data => tempstore3);
     xored := utl_raw.bit_xor(IV,tempstore3);
     return xored;
end my_des3decrypt;
/

show err

set serveroutput on

-- test encryption with my_des3encrypt, decryption with supplied des3decrypt
declare
  teststringin  varchar2(256);
  teststringout varchar2(256);
  testplain1 varchar2(8);
  testraw1   raw(1024);
  testmy3des1 raw(128);
  longtestraw raw(1024);
  key1      raw(128);
  key2      raw(128);
  key3      raw(128);
  des3key   raw(256);
  IV        raw(128);
  l number;
begin
  teststringin := 'This is the input string for my test routine !!!';
--                 123456781234567812345678123456781234567812345678
  key1 := hextoraw('A1B890F12D543680');
  key2 := hextoraw('132FD66F5009895C');
  key3 := hextoraw('06F58436588321FF');
  IV   := hextoraw('0123456789ABCDEF');
  testplain1 := substr(teststringin,1,8);
  testraw1 := utl_raw.cast_to_raw(testplain1);
  testmy3des1 := my_des3encrypt(testraw1,IV,key1,key2,key3);
  l := length(teststringin)/8;
  longtestraw := testmy3des1;
  for i in 2..l loop
       testplain1 := substr(teststringin,i*8-7,8);
       testraw1 := utl_raw.cast_to_raw(testplain1);
--     feedback the previous encrypted block as IV for the CBC
       testmy3des1 := my_des3encrypt(testraw1,testmy3des1,key1,key2,key3);
       longtestraw := longtestraw||testmy3des1;
  end  loop;
-- concatenate the keys for the DES3Decrypt routine.
  des3key := key1||key2||key3;
  dbms_obfuscation_toolkit.DES3Decrypt(
                          input => longtestraw,
                          key => des3key,
                          decrypted_data => testraw1,
                          which => 1);
  teststringout := utl_raw.cast_to_varchar2(testraw1);
  dbms_output.put_line(teststringout);
end;
/

-- test encryption with des3encrypt, decryption with my_des3decrypt
declare
  testplain1 varchar2(8);
  testraw1   raw(128);
  testmy3des1 raw(128);
  key1      raw(128);
  key2      raw(128);
  key3      raw(128);
  des3key   raw(256);
  IV        raw(128);
begin
  testplain1 := 'OtherWay';
  testraw1 := utl_raw.cast_to_raw(testplain1);
  key1 := hextoraw('0123456789ABCDEF');
  key2 := hextoraw('FEDCBA9876543210');
  key3 := hextoraw('01020304050607CF');
  IV   := hextoraw('0123456789ABCDEF');
  des3key := key1||key2||key3;
  dbms_obfuscation_toolkit.DES3Encrypt(
                          input => testraw1,
                          key => des3key,
                          encrypted_data => testmy3des1,
                          which => 1);
  testraw1 := my_des3decrypt(testmy3des1,IV,key1,key2,key3);
  testplain1 := utl_raw.cast_to_varchar2(testraw1);
  dbms_output.put_line(testplain1);
end;
/

This is the input string for my test routine !!!

PL/SQL procedure successfully completed.

SQL>
OtherWay

PL/SQL procedure successfully completed.


0
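
The Java side of the scheme described in the answer above, as an added example (not code from the thread or from Oracle): it rebuilds the Ek3(Dk2(Ek1(P))) chaining from single-DES calls the way my_des3encrypt does, then checks the result against the single JCE transformation `DESede/CBC/NoPadding` with the fixed seed as IV. The class and method names are hypothetical, and `NoPadding` is an assumption based on the 48-byte test string round-tripping unchanged.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class OracleDes3Interop {
    // Fixed seed quoted in the answer; keys and test string below are the page's first test.
    static final byte[] FIXED_IV = hex("0123456789ABCDEF");
    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
    // One single-DES block operation: the Java counterpart of DESEncrypt/DESDecrypt.
    static byte[] des(int mode, byte[] key, byte[] block) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/NoPadding");
        c.init(mode, new SecretKeySpec(key, "DES"));
        return c.doFinal(block);
    }

    // my_des3encrypt plus its chaining loop: C_i = Ek3(Dk2(Ek1(P_i xor C_(i-1)))), C_0 = IV.
    static byte[] manualEdeCbc(byte[] plain, byte[] k1, byte[] k2, byte[] k3) throws Exception {
        if (plain.length % 8 != 0) throw new IllegalArgumentException("length must be a multiple of 8");
        byte[] out = new byte[plain.length], prev = FIXED_IV;
        for (int off = 0; off < plain.length; off += 8) {
            byte[] x = new byte[8];
            for (int j = 0; j < 8; j++) x[j] = (byte) (plain[off + j] ^ prev[j]);
            prev = des(Cipher.ENCRYPT_MODE, k3,
                   des(Cipher.DECRYPT_MODE, k2, des(Cipher.ENCRYPT_MODE, k1, x)));
            System.arraycopy(prev, 0, out, off, 8);
        }
        return out;
    }

    // The same construction as a single JCE transformation; key24 = key1||key2||key3.
    static byte[] jce(int mode, byte[] data, byte[] key24) throws Exception {
        Cipher c = Cipher.getInstance("DESede/CBC/NoPadding");
        c.init(mode, new SecretKeySpec(key24, "DESede"), new IvParameterSpec(FIXED_IV));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        byte[] k1 = hex("A1B890F12D543680"), k2 = hex("132FD66F5009895C"), k3 = hex("06F58436588321FF");
        byte[] key24 = hex("A1B890F12D543680132FD66F5009895C06F58436588321FF");
        byte[] plain = "This is the input string for my test routine !!!".getBytes("US-ASCII");
        byte[] ct = manualEdeCbc(plain, k1, k2, k3);
        boolean same = java.util.Arrays.equals(ct, jce(Cipher.ENCRYPT_MODE, plain, key24));
        System.out.println("manual chaining matches DESede/CBC/NoPadding: " + same);
        System.out.println(new String(jce(Cipher.DECRYPT_MODE, ct, key24), "US-ASCII"));
    }
}
```

Under the scheme the answer describes, a Java client configured for `DESede/ECB/PKCS5Padding` would not produce matching ciphertext: the chaining mode and the fixed IV have to agree on both sides, and any padding has to be applied and stripped by the caller.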
 

Author Comment

by:inzaghi
ID: 11995623
So Oracle uses CBC mode. What about the padding?
0
 

Assisted Solution

by:schwertner
schwertner earned 500 total points
ID: 11995773
1) Oracle supports ECB mode DES.

2) No, and neither does the random number generator provided in 9i. Weak keys are a problem that has to be handled when generating keys.

3) There are no known published vulnerabilities with the Obfuscation Engine's implementation of DES. It's straight FIPS DES.

4) Because Oracle supports ECB mode DES, padding isn't an issue.
0
 

Expert Comment

by:earth man2
ID: 11996657
You can use a Java stored procedure in Oracle to do decryption.
0
