Solved

TRIGGER for CRYPTING the PASSWORD field when INSERTING or UPDATING a new record.

Posted on 2008-10-07
5
355 Views
Last Modified: 2013-12-18
Good evening!

Please suppose you have a table called CREDENTIALS, with two fields: USERNAME VARCHAR2(30), and PASSWORD VARCHAR2(30).

Of course I can insert new credentials when I wish to allow a new user to use our system:

INSERT INTO CREDENTIALS VALUES ('SCOTT', 'TIGER');
COMMIT;

But the password, 'TIGER', is not encrypted, so other users - as well as DBAs - can see the password simply SELECTing the CREDENTIALS table...!!  For me it is a security problem.

I would like to write a TRIGGER that, on every insert or update in the PASSWORD field, automatically encrypts the field PASSWORD.

Can you help me?
0
Comment
Question by:CRISTIANO_CORRADI
  • 3
  • 2
5 Comments
 

Author Comment

by:CRISTIANO_CORRADI
ID: 22658150
Please assume I am obliged to use these functions for crypting / encrypting:

   FUNCTION encrypt (p_text IN VARCHAR2)
      RETURN RAW
   IS
      v_text        VARCHAR2 (32767) := p_text;
      v_encrypted   RAW (32767);
   BEGIN
      padstring (v_text);
      DBMS_OBFUSCATION_TOOLKIT.desencrypt
                                       (input               => UTL_RAW.cast_to_raw
                                                                       (v_text),
                                        KEY                 => g_key,
                                        encrypted_data      => v_encrypted
                                       );
      RETURN v_encrypted;
   END;


   FUNCTION decrypt (p_raw IN RAW)
      RETURN VARCHAR2
   IS
      v_decrypted   VARCHAR2 (32767);
   BEGIN
      DBMS_OBFUSCATION_TOOLKIT.desdecrypt (input               => p_raw,
                                           KEY                 => g_key,
                                           decrypted_data      => v_decrypted
                                          );
      RETURN RTRIM (UTL_RAW.cast_to_varchar2 (v_decrypted), g_pad_chr);
   END;
0
 

Author Comment

by:CRISTIANO_CORRADI
ID: 22658153

   FUNCTION encrypt (p_text IN VARCHAR2)
      RETURN RAW
   IS
      v_text        VARCHAR2 (32767) := p_text;
      v_encrypted   RAW (32767);
   BEGIN
      padstring (v_text);
      DBMS_OBFUSCATION_TOOLKIT.desencrypt
                                       (input               => UTL_RAW.cast_to_raw
                                                                       (v_text),
                                        KEY                 => g_key,
                                        encrypted_data      => v_encrypted
                                       );
      RETURN v_encrypted;
   END;
 
 
   FUNCTION decrypt (p_raw IN RAW)
      RETURN VARCHAR2
   IS
      v_decrypted   VARCHAR2 (32767);
   BEGIN
      DBMS_OBFUSCATION_TOOLKIT.desdecrypt (input               => p_raw,
                                           KEY                 => g_key,
                                           decrypted_data      => v_decrypted
                                          );
      RETURN RTRIM (UTL_RAW.cast_to_varchar2 (v_decrypted), g_pad_chr);
   END;

Open in new window

0
 
LVL 14

Expert Comment

by:GGuzdziol
ID: 22658455
Probably you want field "password" in your table to become RAW datatype in this case.
Then you can write
create or replace trigger <put_name_here>
  before insert or update of password
  on credentials
  for each row
begin
  :new.password := encrypt(:new.password);
end;

Open in new window

0
 
LVL 14

Accepted Solution

by:
GGuzdziol earned 500 total points
ID: 22658468
Another story is that it doesn't make too much sense to just ecrypt password. It would be probably better if you hash'ed them - so this is one way transformation. Then when you check credentials table (i.e. check if login is correct) you do not decrypt value in the table, but rather hash input value an compare with hash stored in your table. This gives you more reliable way of authenticating as you are no longer vulnerable of stealing passwords since they are useless.
create or replace trigger <put_name_here>
  before insert or update of password
  on credentials
  for each row
begin
  :new.password := encrypt(:new.password);
end;

Open in new window

0
 

Author Closing Comment

by:CRISTIANO_CORRADI
ID: 31503776
The trigger you've written is perfect for my objective ;-)  THANKS
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
execute immediate plsql block 5 48
su - oracle could not open session 6 79
Component is listed with a Protocol more than once 3 32
Database Design Dilemma 6 39
Note: this article covers simple compression. Oracle introduced in version 11g release 2 a new feature called Advanced Compression which is not covered here. General principle of Oracle compression Oracle compression is a way of reducing the d…
Have you ever had to make fundamental changes to a table in Oracle, but haven't been able to get any downtime?  I'm talking things like: * Dropping columns * Shrinking allocated space * Removing chained blocks and restoring the PCTFREE * Re-or…
Via a live example, show how to take different types of Oracle backups using RMAN.
This video shows how to Export data from an Oracle database using the Original Export Utility.  The corresponding Import utility, which works the same way is referenced, but not demonstrated.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question