Database Reference
In-Depth Information
C H A P T E R 6
Secret Password Encryption
What I am calling secret password encryption (password encryption) is also known as shared secret
passphrase encryption and password-based encryption (PBE). Basically, the idea is that a single
passphrase (or password—I will be using those words interchangeably) is known by two parties, and
they each encrypt messages or data to pass to each other using that password. The same password is
used by the recipient to decrypt the messages and data. No one else can decrypt the data because the
password is a secret, shared only by the two parties.
Password encryption is beneficial to us for several reasons, chief of which is that it can be used for
encryption of larger blocks of data. We will be using the U.S. data encryption standard (DES) with cipher
block chaining (CBC) to automatically break any size data into appropriate blocks for encryption; then
upon decryption, assemble the results back into the original data.
Another benefit of password encryption is that there is no public key—that is, no one else knows the
key we are using to encrypt the data, assuming we have adequately protected the password. An
alternative approach is to have public key encryption from both client and the server, each encrypting
the data with the other's public key, only to be read by the recipient. And for added assurance, have each
encrypt their messages first with their own private key, then with the other's public key. Think that
through and you'll see that not only can only the recipient decrypt the message, but also only the
expected sender could send it. (Add a trusted Certificate Authority (CA) like VeriSign and you have
identity assurance as well—everyone is who they say they are.) However, we are going to get most of
those benefits with only our secret password encryption.
We are going to create a passphrase on the Oracle server and pass it back to the client in secret. We
will make it secret by encrypting the passphrase with the client's RSA public key. To do this, the client
will have already passed the public key artifacts (modulus and exponent) to the Oracle server. Only the
client can decrypt the secret passphrase using the private key.
One last benefit of using password encryption in addition to RSA public key encryption is that any
assailant will have to attack both protocols to intercept our data.
Approach
As you read through this chapter, you will want to open the referenced files to follow along in the full
code listing. First we are going to discuss the Java code that we implement for secret password
encryption, because it is in Java that we will be building the encryption key and doing the encryption.
However, we will not compile and run the Java code until the end of the chapter. Then we will run it in
two phases: the first will be doing both encryption and decryption in Java on the client computer; the
second phase will accomplish secret password encryption key exchange between the client computer
and Oracle database and will demonstrate client/server encryption/decryption.
Before we get to the testing phases at the end of the chapter, we will also discuss the Oracle SQL
code required for this process. Feel free to execute the SQL code to create the structures we need on
