Solved

How can I apply RC4 encryption to a string?

Posted on 2007-11-21
Last Modified: 2013-12-19
Within PL/SQL, I'll be creating some web content and streaming that to the browser. However, I want to implement a single sign on between my PL/SQL application and a 3rd party app. To do so, I'd like to encrypt the userID and key using RC4 encryption, and pass those in the query string. Within the 3rd party app (classic asp), I'll decrypt those variables and automate the login.

How do I use the SYS.dbms_crypto_toolkit to encrypt a string? Or is this even possible?
We are using Oracle 9i.
Code snippets welcome!
Question by:L00M

Expert Comment

by:sdstuber
ID: 20329120
The crypto toolkit is only in 10g and up. In 9i you still have the obfuscation toolkit, which doesn't have RC4.

Author Comment

by:L00M
ID: 20329171
I'm looking at the package in TOAD, in 9i:

SYS.dbms_crypto_toolkit

It's available. I just can't find any sample code.
If it was incomplete or unusable in 9i, what are my alternatives? I found some dead links to a third-party package... but that's it.

Thanks

Expert Comment

by:sdstuber
ID: 20329372
hmmm, I couldn't find any reference to it in the 9i pl/sql reference.

go to the 10g docs and you can find information about the package.
Never used it in 9i though.

Expert Comment

by:schwertner
ID: 20334681

Author Comment

by:L00M
ID: 20349671
@sdstuber:
I've found evidence that the crypto package has been available since 8.1.6, but I think it was broken after initial release:

New features in Oracle 8i (8.1.6)
PL/SQL Server Pages (PSP's)
Oracle DBA Studio Introduced
New SQL analytic Functions (rank, moving average)
Alter table xxx storage (freelists) command supported
Java XML parser
PL/SQL dbms_crypto_toolkit encryption package

Perhaps it is still broken in 9i.

@schwertner, looking at that link you sent, I see the following in code:

DBMS_OBFUSCATION_TOOLKIT.desencrypt

At first glance, it seems that's using DES encryption. Due to constraints of the project, I have to use RC4.

Accepted Solution

by:
sdstuber earned 500 total points
ID: 20349926
Yes, sorry, as I first indicated, 10g is the first "real" version of the package. Not sure why it would have shown up in a new features list for 8i. It was probably included for use in the add-on option Advanced Security, which is for network traffic.

It wasn't in the supplied PL/SQL documentation until 10g.
Prior to that, the best you've got is the obfuscation toolkit, which doesn't have RC4. Sorry to give the bad news again.

Is upgrading to 10g a possibility? Oracle's support for 9i is running out. Can you get to 10g soon?

If not, you can implement it yourself.
The JCE has RC4 code in it. Using that, you could have a Java stored procedure do your RC4 encryption/decryption.
I'm sure you could find other implementations as well.

Author Comment

by:L00M
ID: 20359007
We are in the process of upgrading to 10g, but that's out of my hands. Our DBA is in charge of that. I'm just a code jockey. ;)

I'm not terribly familiar with Oracle... just getting started. Can you show me an example of a java stored procedure? Or how to implement that?

Author Comment

by:L00M
ID: 20359697
I've opened a new question concerning this matter here:

http://www.experts-exchange.com/Security/Encryption/Q_22985396.html

Thanks for your help here!

Expert Comment

by:sdstuber
ID: 20359718
Basically, to use Java in Oracle you take your Java class as you would write it anywhere else and stick "CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED xxxxx AS" in front of it.

xxxxx equals the class you're exposing.

Then you declare a PL/SQL procedure or function to wrap around the Java code. This is referred to as "publishing" the Java.


Here's a simple example....


CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SimpleMath" AS
public class SimpleMath {
   public static int add(int a, int b) {
        return a+b;
    }
}
/

CREATE OR REPLACE FUNCTION addition(a NUMBER, b NUMBER)
    RETURN NUMBER
AS
    LANGUAGE JAVA
    NAME 'SimpleMath.add(int, int) return int';
/

select addition(5,7) from dual;

Author Comment

by:L00M
ID: 20359890
That's a great start!
Thanks!

Author Comment

by:L00M
ID: 20367769
I've been searching, but can't find any examples of using java to create the RC4 SPROC.
Nor do I have the JCE installed. Any chance you could provide the code for that? I'll gladly open another question for you.

Expert Comment

by:sdstuber
ID: 20367890
Without the JCE I don't know. Actually, even with the JCE, I really don't know. Sorry, you've exhausted my expertise. Maybe there is some other code in Java or some other language that implements the RC4 algorithm and you could copy it. I saw your new question, and if I knew more I'd help there, but I don't know. Sorry.

Author Comment

by:L00M
ID: 20368156
No worries!
Thanks for getting me on the right track.
0
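
One way to follow the accepted answer's "implement it yourself" suggestion with the publishing pattern shown earlier in the thread. This is an added example, not code from any participant; the names RC4Util and rc4_encrypt_hex are made up for illustration, and the Java avoids newer language features on the assumption that the 9i database JVM is JDK 1.3-level.

```sql
-- SQL*Plus: keep the Java bitwise-AND operator from being read as a substitution variable.
SET DEFINE OFF
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "RC4Util" AS
public class RC4Util {
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();
    // RC4 is symmetric: the same call encrypts and decrypts.
    public static byte[] crypt(byte[] key, byte[] data) {
        if (key == null || key.length == 0 || key.length > 256)
            throw new IllegalArgumentException("RC4 key must be 1..256 bytes");
        int[] s = new int[256];
        for (int i = 0; i < 256; i++) s[i] = i;
        // Key-scheduling algorithm (KSA): permute s under control of the key.
        for (int i = 0, j = 0; i < 256; i++) {
            j = (j + s[i] + (key[i % key.length] & 0xFF)) & 0xFF;
            int t = s[i]; s[i] = s[j]; s[j] = t;
        }
        // Pseudo-random generation (PRGA): one keystream byte XORed per data byte.
        byte[] out = new byte[data.length];
        for (int n = 0, i = 0, j = 0; n < data.length; n++) {
            i = (i + 1) & 0xFF;
            j = (j + s[i]) & 0xFF;
            int t = s[i]; s[i] = s[j]; s[j] = t;
            out[n] = (byte) (data[n] ^ s[(s[i] + s[j]) & 0xFF]);
        }
        return out;
    }
    // Hex output needs no URL-encoding when placed in a query string.
    public static String encryptHex(String key, String plain)
            throws java.io.UnsupportedEncodingException {
        byte[] ct = crypt(key.getBytes("UTF-8"), plain.getBytes("UTF-8"));
        StringBuffer sb = new StringBuffer(ct.length * 2);
        for (int i = 0; i < ct.length; i++)
            sb.append(HEX[(ct[i] >> 4) & 0xF]).append(HEX[ct[i] & 0xF]);
        return sb.toString();
    }
}
/
CREATE OR REPLACE FUNCTION rc4_encrypt_hex(p_key VARCHAR2, p_plain VARCHAR2)
    RETURN VARCHAR2
AS
    LANGUAGE JAVA
    NAME 'RC4Util.encryptHex(java.lang.String, java.lang.String) return java.lang.String';
/
-- Self-check against a widely published RC4 test vector.
SELECT CASE rc4_encrypt_hex('Key', 'Plaintext')
         WHEN 'BBF316E8D940AF0AD3' THEN 'ok' ELSE 'MISMATCH' END AS rc4_check
FROM dual;
```

With one fixed key, RC4 produces the same keystream for every token and gives no integrity check, so the receiving ASP page cannot tell a modified or replayed value from a fresh one. Putting a timestamp in the plaintext, mixing a random per-token nonce into the key, and adding an HMAC over the ciphertext covers those gaps.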
