Solved

TRIGGER for CRYPTING the PASSWORD field when INSERTING or UPDATING a new record.

Posted on 2008-10-07
5
353 Views
Last Modified: 2013-12-18
Good evening!

Please suppose you have a table called CREDENTIALS, with two fields: USERNAME VARCHAR2(30), and PASSWORD VARCHAR2(30).

Of course I can insert new credentials when I wish to allow a new user to use our system:

INSERT INTO CREDENTIALS VALUES ('SCOTT', 'TIGER');
COMMIT;

But the password, 'TIGER', is not encrypted, so other users - as well as DBAs - can see the password simply SELECTing the CREDENTIALS table...!!  For me it is a security problem.

I would like to write a TRIGGER that, on every insert or update in the PASSWORD field, automatically encrypts the field PASSWORD.

Can you help me?
0
Comment
Question by:CRISTIANO_CORRADI
  • 3
  • 2
5 Comments
 

Author Comment

by:CRISTIANO_CORRADI
ID: 22658150
Please assume I am obliged to use these functions for crypting / encrypting:

   FUNCTION encrypt (p_text IN VARCHAR2)
      RETURN RAW
   IS
      v_text        VARCHAR2 (32767) := p_text;
      v_encrypted   RAW (32767);
   BEGIN
      padstring (v_text);
      DBMS_OBFUSCATION_TOOLKIT.desencrypt
                                       (input               => UTL_RAW.cast_to_raw
                                                                       (v_text),
                                        KEY                 => g_key,
                                        encrypted_data      => v_encrypted
                                       );
      RETURN v_encrypted;
   END;


   FUNCTION decrypt (p_raw IN RAW)
      RETURN VARCHAR2
   IS
      v_decrypted   VARCHAR2 (32767);
   BEGIN
      DBMS_OBFUSCATION_TOOLKIT.desdecrypt (input               => p_raw,
                                           KEY                 => g_key,
                                           decrypted_data      => v_decrypted
                                          );
      RETURN RTRIM (UTL_RAW.cast_to_varchar2 (v_decrypted), g_pad_chr);
   END;
0
 

Author Comment

by:CRISTIANO_CORRADI
ID: 22658153

   FUNCTION encrypt (p_text IN VARCHAR2)

      RETURN RAW

   IS

      v_text        VARCHAR2 (32767) := p_text;

      v_encrypted   RAW (32767);

   BEGIN

      padstring (v_text);

      DBMS_OBFUSCATION_TOOLKIT.desencrypt

                                       (input               => UTL_RAW.cast_to_raw

                                                                       (v_text),

                                        KEY                 => g_key,

                                        encrypted_data      => v_encrypted

                                       );

      RETURN v_encrypted;

   END;
 
 

   FUNCTION decrypt (p_raw IN RAW)

      RETURN VARCHAR2

   IS

      v_decrypted   VARCHAR2 (32767);

   BEGIN

      DBMS_OBFUSCATION_TOOLKIT.desdecrypt (input               => p_raw,

                                           KEY                 => g_key,

                                           decrypted_data      => v_decrypted

                                          );

      RETURN RTRIM (UTL_RAW.cast_to_varchar2 (v_decrypted), g_pad_chr);

   END;

Open in new window

0
 
LVL 14

Expert Comment

by:GGuzdziol
ID: 22658455
Probably you want field "password" in your table to become RAW datatype in this case.
Then you can write
create or replace trigger <put_name_here>

  before insert or update of password

  on credentials

  for each row

begin

  :new.password := encrypt(:new.password);

end;

Open in new window

0
 
LVL 14

Accepted Solution

by:
GGuzdziol earned 500 total points
ID: 22658468
Another story is that it doesn't make too much sense to just ecrypt password. It would be probably better if you hash'ed them - so this is one way transformation. Then when you check credentials table (i.e. check if login is correct) you do not decrypt value in the table, but rather hash input value an compare with hash stored in your table. This gives you more reliable way of authenticating as you are no longer vulnerable of stealing passwords since they are useless.
create or replace trigger <put_name_here>

  before insert or update of password

  on credentials

  for each row

begin

  :new.password := encrypt(:new.password);

end;

Open in new window

0
 

Author Closing Comment

by:CRISTIANO_CORRADI
ID: 31503776
The trigger you've written is perfect for my objective ;-)  THANKS
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Truncate is a DDL Command where as Delete is a DML Command. Both will delete data from table, but what is the difference between these below statements truncate table <table_name> ?? delete from <table_name> ?? The first command cannot be …
Configuring and using Oracle Database Gateway for ODBC Introduction First, a brief summary of what a Database Gateway is.  A Gateway is a set of driver agents and configurations that allow an Oracle database to communicate with other platforms…
This video shows syntax for various backup options while discussing how the different basic backup types work.  It explains how to take full backups, incremental level 0 backups, incremental level 1 backups in both differential and cumulative mode a…
This video explains what a user managed backup is and shows how to take one, providing a couple of simple example scripts.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now