Many blog entries describe how to encrypt and decrypt information in an Oracle database using DBMS_Crypto, and many others describe how to encrypt and decrypt information with Java. This blog entry may be the first (or one of the few) that addresses both technologies and explains how to decrypt in Java a String that was encrypted using DBMS_Crypto. I found it interesting to describe this process because, even though we are talking about standard procedures and algorithms, some elements are specific to each technology and need to be considered first for the process to work.

But before we begin, let me talk about the title. I am calling this blog “First steps” because it is only intended to explain the basic decryption procedure, and it should not be taken as a guide on how to implement security in an organisation. The code and algorithms from this blog should only be taken as an example and not as a best practice.

Having said that, let's start by defining some concepts:

Algorithm

There are a lot of standard encryption algorithms to choose from. Before you start with the encryption, you will have to choose which algorithm suits your needs best. You will also have to decide which mode and which padding to use. All this information will be needed again when the decryption takes place. For example: in the Oracle DB, the algorithm dbms_crypto.DES_CBC_PKCS5 will translate to DES/CBC/PKCS5Padding in Java.

Key

The key is the password used to encrypt the information. The decrypting part will need to know the password along with the algorithm in order to succeed.

Vector

The initialisation vector is needed by some of the modes, like CBC. It is not mandatory but it needs to be taken into account.

Having defined all these concepts, let's put them to work.

Encrypting with DBMS_Crypto.

The DB stuff part:

Encrypting with dbms_crypto is quite straightforward. Take a look at the example:

The first parameter is the information we want to encrypt (Secret data in this case). The second parameter, 4353, is the algorithm number, and it can be obtained using the dbms_crypto package. The id for other algorithms, like AES256-CBC-NoPadding, can be obtained by adding the ids of the parts like this:

+ DBMS_CRYPTO.CHAIN_CBC

+ DBMS_CRYPTO.PAD_PKCS5;

The third parameter is the key or password. The last parameter is the vector, and as mentioned above, it is optional.

The Java Stuff part:

The code for decrypting the information is a little bit more complex. It looks like this:

The first thing to do is to define the algorithm used to encrypt the information; in this case it was “DES/CBC/PKCS5Padding”. Java doesn’t make a distinction like the Oracle DB between AES and AES256. But you will have to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 (quite a fancy name, eh?) if you decide to use the latter. To define the key we will have to process the RAW value. If you remember, the key was defined like this: UTL_RAW.CAST_TO_RAW ('MYKEY123'). The RAW value of MYKEY123 is 4D49434C41564544. In Java we will have to parse this value using DatatypeConverter.parseHexBinary. The same can be said about the value field. It was transformed into RAW, resulting in 24FC80D150E224F2E8CE83229F38B607ADAF312BCB1B4A55.

We also have to define and initialize the vector, since we used one for the encryption. Again we will have to parse the RAW value and pass it to IvParameterSpec. In some cases an empty vector will have to be provided if the vector wasn’t defined when the encryption was done but the algorithm requires one.

The next step is to define the secret key specification. For that you will need to create a SecretKeySpec object and pass it the key and the name of the algorithm (DES in this case). With all this in place, and some additional “try-catches”, we can instantiate the remaining objects and finally decrypt the value.
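
The decryption steps described above, collected into one class as an added example (not the original post's code): it splits the DBMS_Crypto algorithm number into a Java transformation string, parses the RAW hex values, and decrypts. The component ids are assumed to match the DBMS_CRYPTO package constants (check them against your database version), the IV is a constructed sample, the Java-side encryption only stands in for the database call so the class runs offline, and java.util.HexFormat (Java 17+) is used in place of DatatypeConverter, which is no longer part of the JDK since Java 11.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.HexFormat;

public class DbmsCryptoDecrypt {
    static final HexFormat HEX = HexFormat.of().withUpperCase();

    // Split a DBMS_CRYPTO "typ" number (cipher id + chaining id + padding id) into a JCE transformation.
    static String toJceTransformation(int typ) {
        String cipher = switch (typ & 0x00FF) {
            case 1 -> "DES";               // ENCRYPT_DES
            case 3 -> "DESede";            // ENCRYPT_3DES
            case 6, 7, 8 -> "AES";         // ENCRYPT_AES128 / 192 / 256: in Java the key length picks the variant
            default -> throw new IllegalArgumentException("unsupported cipher id in " + typ);
        };
        String mode = switch (typ & 0x0F00) {
            case 0x100 -> "CBC";           // CHAIN_CBC (256)
            case 0x300 -> "ECB";           // CHAIN_ECB (768)
            default -> throw new IllegalArgumentException("unsupported chaining id in " + typ);
        };
        String padding = switch (typ & 0xF000) {
            case 0x1000 -> "PKCS5Padding"; // PAD_PKCS5 (4096)
            case 0x2000 -> "NoPadding";    // PAD_NONE (8192)
            default -> throw new IllegalArgumentException("unsupported padding id in " + typ);
        };
        return cipher + "/" + mode + "/" + padding;
    }

    // Key and IV arrive as RAW hex strings, exactly as the database prints them.
    static byte[] crypt(int opMode, int typ, String keyHex, String ivHex, byte[] input) throws Exception {
        String transformation = toJceTransformation(typ);
        SecretKeySpec key = new SecretKeySpec(HEX.parseHex(keyHex), transformation.split("/")[0]);
        Cipher cipher = Cipher.getInstance(transformation);
        if (transformation.contains("/ECB/")) cipher.init(opMode, key);  // ECB takes no IV
        else cipher.init(opMode, key, new IvParameterSpec(HEX.parseHex(ivHex)));
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        int typ = 4353;                      // DES_CBC_PKCS5, as in the text
        String keyHex = "4D49434C41564544";  // RAW key value quoted in the text
        String ivHex = "0102030405060708";   // constructed sample IV (8 bytes = DES block size)
        // Stand-in for the database side: encrypt here so there is a RAW hex value to decrypt offline.
        byte[] secret = "Secret data".getBytes(StandardCharsets.UTF_8);
        String rawHex = HEX.formatHex(crypt(Cipher.ENCRYPT_MODE, typ, keyHex, ivHex, secret));
        byte[] plain = crypt(Cipher.DECRYPT_MODE, typ, keyHex, ivHex, HEX.parseHex(rawHex));
        System.out.println(toJceTransformation(typ) + " " + rawHex + " -> " + new String(plain, StandardCharsets.UTF_8));
    }
}
```

To decrypt a value that really came from the database, pass its RAW hex and the IV used in the DBMS_Crypto call to crypt with Cipher.DECRYPT_MODE; a wrong key, IV or padding id typically surfaces as a BadPaddingException from doFinal.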

Conclusion

Both Java and the Oracle DB use the existing standards to implement the encryption process. Nevertheless, there are some technology specifics that can make this process more complicated if you don’t know about them. The above examples are just the first steps in this area, and you should definitely read more about security if you are going to work with encryption in a production environment, where sensitive information is being exchanged.
