Database Reference
In-Depth Information
/
ALTER TRIGGER appsec.t_application_key_budr ENABLE;
Let's go ahead and insert several records into
v_application_key
, one of which we will use. See
Listing 11-17. We will use the
RANDOMBYTES
function in the
DBMS_CRYPTO
package to generate a string of 128
random bytes to use as our key genesis. I'm saying
key genesis
because, as you'll see, the real
encryption/decryption key is assembled from these key bytes later on.
Listing 11-17.
Insert Several Random Encryption at Rest Keys
INSERT INTO appsec.v_application_key
( key_version, key_bytes )
VALUES
( 1, SYS.DBMS_CRYPTO.RANDOMBYTES(1024/8) );
Also insert values for
key_version
numbers 2 through 5 using the same
INSERT
command.
Functions to Encrypt/Decrypt Data at Rest
We are going to build two Oracle stored functions to do server-side encryption of data to be stored in the
database, and to decrypt it for use, as required. They are keyed to a specific version of the key genesis
bytes in
t_application_key
, and they use
DBMS_CRYPT
package to do encryption. We will make this
difficult to duplicate by not taking our data and our key bytes and going straight to encryption; rather,
we will perform several operations on the key bytes first. Anyone reading these functions will be able to
tell what we are doing, and will be able to duplicate it, so we are going to hide the function code by
passing these functions through the Oracle Wrap utility to obfuscate the code.
I encourage you to take these functions as a starting place, and modify them sufficiently to change
the encryption process, then save a copy somewhere safe but hidden. You will convert them to wrapped
functions, which will not be legible.
Our original
f_mask
function, shown in Listings 11-18 through 11-21, takes the clear text connection
strings list in the form of a
RAW
. It also takes the class name and version of the application inner class. It
returns an encrypted
RAW
holding the list of connection strings.
Listing 11-18.
Signature of Function to Encrypt Data for Storage
CREATE OR REPLACE FUNCTION appsec.f_mask(
clear_raw RAW,
m_class_name v_app_conn_registry.class_name%TYPE,
m_class_version v_app_conn_registry.class_version%TYPE )
RETURN RAW
We hard-code a specific
key_version
number of the genesis key bytes—version 4 in this instance
(see Listing 11-19). This is a rather random decision on our part. We select the
key_bytes
for that version
from
v_application_key
. We get the
key_bytes
into a variable named
app_key
.