How to use DBMS_CRYPTO package for Oracle password encryption/hashing

Oracle security expert Brian Fedorko explains how to perform Oracle password encryption and Oracle password hashing with the DBMS_CRYPTO package in this tip.

I am working on a project with VB.NET 2008 as the front end and Oracle 10g Express Edition as the back end.

I am maintaining a table called USER which stores userid and password. Now I want to encrypt the password and store...

it in the database, and the same encrypted password must be accessed and checked with the user entered password in VB.NET 2008. How can this be done?

What you are looking for is all contained in the DBMS_CRYPTO package. Everything you need to encrypt, hash or obfuscate data is in there. With this standard, Oracle-supplied package, the hardest part is determining which method is most appropriate for your application.

As a rule of thumb, hashing application passwords is really the best way to go about it, for internal apps that may not need extreme levels of security. (This is the same method Oracle uses in 11g for protecting and validating database user passwords.) A properly salted SHA-1 hash provides really excellent resistance to cracking, without the need to manage encryption keys! All you would have to do is hash the password through one of DBMS_CRYPTO's hashing procedures and compare that to the original, hashed password value in you user table.

If you MUST use encryption, key management is critical -- it will make or break the security of the entire process. Please do not consider putting the key, or direct references in the PL/SQL procedures you used to call DBMS_CRYPTO – the Oracle wrap utility used to obscure your code is easily defeated by direct attack in 10g and below. 11g is actually much better in this regard, plus there are many free and commercial unwrapping utilities available. Proper key management is very complex and difficult to do properly. Often, a "weaker" but properly implemented obfuscation process will render a more secure system than a poorly implemented "strong" algorithm.

This was first published in August 2009

Dig Deeper on Oracle database security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: