3

I am using Oracle Database 11g Enterprise Edition Release 11.2.00.40 - 64bit Production. We have an initial admin user which will be created in a database by inserting into a table during the installation. This action requires encrypting the password using the SH1 protocol. According to the Oracle documentation I should be able to use the DBMS_CRYPTO package, which comes with the Enterprise Edition of the database. However, I am not able to see it. Instead of DBMS_CRYPTO I can see the DBMS_CRYPTO_TOOLKIT package. This package is not so well documented, but I was able to find that it comes with Oracle 12c, and that confused me even more.

Should I install the DBMS_CRYPTO package additionally or use the DBMS_CRYPTO_TOOLKIT package? Is there anybody who can explain how to encrypt a password with the DBMS_CRYPTO_TOOLKIT package? I don't have SYS access to the database, so I am wondering if there is a way to generate SH1 passwords without using DBMS_CRYPTO that is simple enough? In other words, is it worth installing it?

Sanja
  • Do you mean DBMS_OBFUSCATION_TOOLKIT (which [is deprecated](https://docs.oracle.com/cd/E11882_01/appdev.112/e40758/d_obtool.htm#ARPLS028)) rather than DBMS_CRYPTO_TOOLKIT? Or really that [undocumented package](http://morganslibrary.org/reference/pkgs/dbms_crypto_toolkit.html)? It sounds like your DBA just needs to grant you execute privileges on DBMS_CRYPTO. – Alex Poole Jan 15 '16 at 09:44
  • No, I mean DBMS_CRYPTO_TOOLKIT. But I also have DBMS_OBFUSCATION_TOOLKIT. Not sure what the difference is between DBMS_CRYPTO_TOOLKIT and DBMS_CRYPTO. The problem is that I don't see the DBMS_CRYPTO package. When I try to grant execute privileges I am getting the SQL error "table or view does not exist". The command I am running to grant privileges is `grant execute on sys.dbms_crypto to user;` – Sanja Jan 15 '16 at 09:50
  • 4
    `DBMS_CRYPTO_TOOLKIT` is undocumented so you shouldn't use it. `DBMS_OBFUSCATION_TOOLKIT` is deprecated. Your DBA (or someone with access to SYS, or another very privileged account) has to do that grant of `DBMS_CRYPTO` privileges - as a normal user you can't grant privileges on objects in another schema to yourself, as that would render the privilege system pointless. – Alex Poole Jan 15 '16 at 09:54

1 Answer

11

The Oracle documentation says:

> Security Model
>
> Oracle Database installs this package in the SYS schema. You can then grant package access to existing users and roles as needed.

Ask your system administration to grant access to it:

```sql
GRANT EXECUTE ON SYS.DBMS_CRYPTO TO USERXY;
```

Or even:

```sql
GRANT EXECUTE ON SYS.DBMS_CRYPTO TO PUBLIC;
```

I don't understand what Oracle tries to achieve by not making this package public. I don't see any harm that you can do by using it.

Codo
  • It does seem particularly odd given that DBMS_CRYPTO_TOOLKIT is *still* granted to public, even in 19c. I think the reason why access is withheld by default is because some organisations worry about developers hand-rolling shonky encryption routines instead of using enterprise solutions. There are places where the use of DBMS_CRYPTO is explicitly deprecated in the database security policy. – APC Jun 26 '19 at 15:43
  • 1
    Business, Security Architects, Developers and the US Government have always had a challenging time dealing with cryptographic technology. At the time the DBMS_CRYPTO package was built, there were two competing factors: (1) everyone's backend systems were being hacked through the web w/ legal and marketing consequences and (2) weapons grade restrictions on cryptographic algorithms. Oracle needed an application level cryptographic API (vs. the internal Transparent Data Encryption) with a clean, easy to understand and use API. We still had to meet all of the players' needs, however. – Andrew Philips May 08 '20 at 16:33
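
The sequence discussed in this thread, written out as an added example that is not part of the question, the answer or any comment above: check whether `DBMS_CRYPTO` is visible, have a privileged account grant `EXECUTE` to one named account, then create the initial admin row with a SHA-1 digest. The account `APP_INSTALLER`, the table `APP_USERS`, the sample password, the UTF-8 encoding and the lowercase hex format are all assumptions made for illustration.

```sql
-- Added example. APP_INSTALLER, APP_USERS and the password are hypothetical.

-- 1. As the application user: ALL_OBJECTS lists only objects the session can
--    access, so no row here means EXECUTE on the package has not been granted.
SELECT owner, object_name, object_type
  FROM all_objects
 WHERE owner = 'SYS'
   AND object_name = 'DBMS_CRYPTO'
   AND object_type = 'PACKAGE';

-- 2. As SYS (or another suitably privileged account): grant to the single
--    account that runs the installation.
GRANT EXECUTE ON SYS.DBMS_CRYPTO TO app_installer;

-- 3. As APP_INSTALLER: create the hypothetical user table, then insert the
--    initial admin row with the SHA-1 digest of the password stored as hex.
CREATE TABLE app_users (
  username      VARCHAR2(30) PRIMARY KEY,
  password_sha1 VARCHAR2(40) NOT NULL   -- 20-byte digest as 40 hex characters
);

DECLARE
  l_password VARCHAR2(64) := 'constructed-sample-password';
  l_digest   RAW(20);                   -- SHA-1 output is 20 bytes
BEGIN
  -- DBMS_CRYPTO.HASH takes RAW input, so convert the string with an explicit
  -- character set (assumed here to be UTF-8) before hashing.
  l_digest := DBMS_CRYPTO.HASH(
                src => UTL_I18N.STRING_TO_RAW(l_password, 'AL32UTF8'),
                typ => DBMS_CRYPTO.HASH_SH1);

  INSERT INTO app_users (username, password_sha1)
  VALUES ('admin', LOWER(RAWTOHEX(l_digest)));
  COMMIT;
END;
/
```

The character set and hex case must match whatever the application computes at login, otherwise the stored value will never compare equal. If the privilege arrives through a role, it works in an anonymous block like this one but not inside a definer's-rights stored procedure, which needs a direct grant.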