Solved

TRIGGER for CRYPTING the PASSWORD field when INSERTING or UPDATING a new record.

Posted on 2008-10-07
5
351 Views
Last Modified: 2013-12-18
Good evening!

Please suppose you have a table called CREDENTIALS, with two fields: USERNAME VARCHAR2(30), and PASSWORD VARCHAR2(30).

Of course I can insert new credentials when I wish to allow a new user to use our system:

INSERT INTO CREDENTIALS VALUES ('SCOTT', 'TIGER');
COMMIT;

But the password, 'TIGER', is not encrypted, so other users - as well as DBAs - can see the password simply SELECTing the CREDENTIALS table...!!  For me it is a security problem.

I would like to write a TRIGGER that, on every insert or update in the PASSWORD field, automatically encrypts the field PASSWORD.

Can you help me?
0
Comment
Question by:CRISTIANO_CORRADI
  • 3
  • 2
5 Comments
 

Author Comment

by:CRISTIANO_CORRADI
Comment Utility
Please assume I am obliged to use these functions for crypting / encrypting:

   FUNCTION encrypt (p_text IN VARCHAR2)
      RETURN RAW
   IS
      v_text        VARCHAR2 (32767) := p_text;
      v_encrypted   RAW (32767);
   BEGIN
      padstring (v_text);
      DBMS_OBFUSCATION_TOOLKIT.desencrypt
                                       (input               => UTL_RAW.cast_to_raw
                                                                       (v_text),
                                        KEY                 => g_key,
                                        encrypted_data      => v_encrypted
                                       );
      RETURN v_encrypted;
   END;


   FUNCTION decrypt (p_raw IN RAW)
      RETURN VARCHAR2
   IS
      v_decrypted   VARCHAR2 (32767);
   BEGIN
      DBMS_OBFUSCATION_TOOLKIT.desdecrypt (input               => p_raw,
                                           KEY                 => g_key,
                                           decrypted_data      => v_decrypted
                                          );
      RETURN RTRIM (UTL_RAW.cast_to_varchar2 (v_decrypted), g_pad_chr);
   END;
0
 

Author Comment

by:CRISTIANO_CORRADI
Comment Utility

   FUNCTION encrypt (p_text IN VARCHAR2)

      RETURN RAW

   IS

      v_text        VARCHAR2 (32767) := p_text;

      v_encrypted   RAW (32767);

   BEGIN

      padstring (v_text);

      DBMS_OBFUSCATION_TOOLKIT.desencrypt

                                       (input               => UTL_RAW.cast_to_raw

                                                                       (v_text),

                                        KEY                 => g_key,

                                        encrypted_data      => v_encrypted

                                       );

      RETURN v_encrypted;

   END;
 
 

   FUNCTION decrypt (p_raw IN RAW)

      RETURN VARCHAR2

   IS

      v_decrypted   VARCHAR2 (32767);

   BEGIN

      DBMS_OBFUSCATION_TOOLKIT.desdecrypt (input               => p_raw,

                                           KEY                 => g_key,

                                           decrypted_data      => v_decrypted

                                          );

      RETURN RTRIM (UTL_RAW.cast_to_varchar2 (v_decrypted), g_pad_chr);

   END;

Open in new window

0
 
LVL 14

Expert Comment

by:GGuzdziol
Comment Utility
Probably you want field "password" in your table to become RAW datatype in this case.
Then you can write
create or replace trigger <put_name_here>

  before insert or update of password

  on credentials

  for each row

begin

  :new.password := encrypt(:new.password);

end;

Open in new window

0
 
LVL 14

Accepted Solution

by:
GGuzdziol earned 500 total points
Comment Utility
Another story is that it doesn't make too much sense to just ecrypt password. It would be probably better if you hash'ed them - so this is one way transformation. Then when you check credentials table (i.e. check if login is correct) you do not decrypt value in the table, but rather hash input value an compare with hash stored in your table. This gives you more reliable way of authenticating as you are no longer vulnerable of stealing passwords since they are useless.
create or replace trigger <put_name_here>

  before insert or update of password

  on credentials

  for each row

begin

  :new.password := encrypt(:new.password);

end;

Open in new window

0
 

Author Closing Comment

by:CRISTIANO_CORRADI
Comment Utility
The trigger you've written is perfect for my objective ;-)  THANKS
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Suggested Solutions

This post first appeared at Oracleinaction  (http://oracleinaction.com/undo-and-redo-in-oracle/)by Anju Garg (Myself). I  will demonstrate that undo for DML’s is stored both in undo tablespace and online redo logs. Then, we will analyze the reaso…
From implementing a password expiration date, to datatype conversions and file export options, these are some useful settings I've found in Jasper Server.
This video shows how to Export data from an Oracle database using the Original Export Utility.  The corresponding Import utility, which works the same way is referenced, but not demonstrated.
Via a live example, show how to restore a database from backup after a simulated disk failure using RMAN.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now