• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2071
  • Last Modified:

How can I apply RC4 encryption to a string?

Within PL/SQL, I'll be creating some web content and streaming that to the browser. However, I want to implement a single sign on between my PL/SQL application and a 3rd party app. To do so, I'd like to encrypt the userID and key using RC4 encryption, and pass those in the query string. Within the 3rd party app (classic asp), I'll decrypt those variables and automate the login.

How do I use the SYS.dbms_crypto_toolkit to encrypt a string? Or is this even possible?
We are using Oracle 9i.
Code snippets welcome!
0
L00M
Asked:
L00M
  • 7
  • 5
1 Solution
 
sdstuberCommented:
the crypto toolkit is only in 10g and up.  in 9i you still have the obfuscation toolkit which doesn't have rc4
0
 
L00MAuthor Commented:
I'm looking at the package in TOAD, in 9i:

SYS.dbms_crypto_toolkit

It's available. I just can't find any sample code.
If it was incomplete or unusable in 9i. What are my alternatives? I found some dead links to a third parth package.... but that's it.

Thanks
0
 
sdstuberCommented:
hmmm, I couldn't find any reference to it in the 9i pl/sql reference.

go to the 10g docs and you can find information about the package.
Never used it in 9i though.
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
L00MAuthor Commented:
@sdstuber:
I've found evidence that the crypto package has been available since 8.1.6, but I think it was broken after initial release:

New features in Oracle 8i (8.1.6)
PL/SQL Server Pages (PSP's)
Oracle DBA Studio Introduced
New SQL analytic Functions (rank, moving average)
Alter table xxx storage (freelists) command supported
Java XML parser
PL/SQL dbms_crypto_toolkit encryption package

Perhaps it is still broken in 9i.

@schwertner, looking at that link you sent, I see the following in code:

DBMS_OBFUSCATION_TOOLKIT.desencrypt

At first glance, it seems that's using DES encryption. Due to constraints of the project, I have to use RC4.
0
 
sdstuberCommented:
yes, sorry, as I first indicated,  10g is the first "real" version of the package.   Not sure why it would have showed up in a new features of 8i.   It was probably included for use in the add-on option  Advanced Security which is for network traffic.

It wasn't in the supplied pl/sql documentation until 10g.
Prior to that, the best you've got is the obfuscation toolkit which doesn't have rc4.    Sorry to give the bad news again.

Is upgrading to 10g a possibility?  Oracle's support for 9i is running out.  Can you get to 10g soon?

If not, you can implement it yourself.
The JCE has rc4 code in it.  Using that you could have java stored procedure do your rc4 encryption/decryption.
I'm sure you could find other implementations as well.
0
 
L00MAuthor Commented:
We are in the process of upgrading to 10g, but that's out of my hands. Our DBA is in charge of that. I'm just a code jockey. ;)

I'm not terribly familiar with Oracle... just getting started. Can you show me an example of a java stored procedure? Or how to implement that?
0
 
L00MAuthor Commented:
I've opened a new question concerning this matter here:

http://www.experts-exchange.com/Security/Encryption/Q_22985396.html

Thanks for your help here!
0
 
sdstuberCommented:
basically to use java in oracle you take your java class as you would write it anywhere else and stick "CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED   xxxxx AS"  in front of it.

xxxxx equals the class you're exposing

then you declare a pl/sql procedure or function to wrap around the java code.  This is referred to as "publishing" the java


Here's a simple example....


CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SimpleMath" AS
public class SimpleMath {
   public static int add(int a, int b) {
        return a+b;
    }
}
/

CREATE OR REPLACE FUNCTION addition(a NUMBER, b NUMBER)
    RETURN NUMBER
AS
    LANGUAGE JAVA
    NAME 'SimpleMath.add(int, int) return int';
/

select addition(5,7) from dual;
0
 
L00MAuthor Commented:
That's a great start!
Thanks!
0
 
L00MAuthor Commented:
I've been searching, but can't find any examples of using java to create the RC4 SPROC.
Nor do I have the JCE installed. Any chance you could provide the code for that? I'll gladly open another question for you.
0
 
sdstuberCommented:
Without the jce I don't know,  actually, even with the jce, I really don't know.   Sorry,  you've exhausted my expertise.  Maybe there is some other code in java or some other language that implements the rc4 algorithm and you could copy it.  I saw your new question, and if I knew more I'd help there, but I don't know.  sorry
0
 
L00MAuthor Commented:
No worries!
Thanks for getting me on the right track.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 7
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now