DECRYPT v13

The DECRYPT function or procedure decrypts data using a user-specified cipher algorithm, key and optional initialization vector. The signature of the DECRYPT function is:

DECRYPT
  (<src> IN RAW, <typ> IN INTEGER, <key> IN RAW, <iv> IN RAW
   DEFAULT NULL) RETURN RAW

The signature of the DECRYPT procedure is:

DECRYPT
  (<dst> INOUT BLOB, <src> IN BLOB, <typ> IN INTEGER, <key> IN RAW,
   <iv> IN RAW DEFAULT NULL)

or

DECRYPT
  (<dst> INOUT CLOB, <src> IN CLOB, <typ> IN INTEGER, <key> IN RAW,
   <iv> IN RAW DEFAULT NULL)

When invoked as a procedure, DECRYPT writes the decrypted BLOB or CLOB data to a user-specified BLOB or CLOB (dst).

Parameters

dst

dst specifies the name of a BLOB or CLOB to which the output of the DECRYPT procedure will be written. The DECRYPT procedure overwrites any data already in dst.

src

src specifies the source data that will be decrypted. If you are invoking DECRYPT as a function, specify RAW data; if invoking DECRYPT as a procedure, specify BLOB or CLOB data.

typ

typ specifies the block cipher type and any modifiers. This must match the type specified when src was encrypted. Advanced Server supports the following block cipher algorithms, modifiers and cipher suites (a suite is the sum of one algorithm, one chaining modifier and one padding modifier):

Block Cipher Algorithms

  ENCRYPT_DES      CONSTANT INTEGER := 1;
  ENCRYPT_3DES     CONSTANT INTEGER := 3;
  ENCRYPT_AES      CONSTANT INTEGER := 4;
  ENCRYPT_AES128   CONSTANT INTEGER := 6;
  ENCRYPT_AES192   CONSTANT INTEGER := 192;
  ENCRYPT_AES256   CONSTANT INTEGER := 256;

Block Cipher Modifiers

  CHAIN_CBC        CONSTANT INTEGER := 256;
  CHAIN_ECB        CONSTANT INTEGER := 768;

Block Cipher Padding Modifiers

  PAD_PKCS5        CONSTANT INTEGER := 4096;
  PAD_NONE         CONSTANT INTEGER := 8192;

Block Cipher Suites

  DES_CBC_PKCS5    CONSTANT INTEGER := ENCRYPT_DES  + CHAIN_CBC + PAD_PKCS5;
  DES3_CBC_PKCS5   CONSTANT INTEGER := ENCRYPT_3DES + CHAIN_CBC + PAD_PKCS5;
  AES_CBC_PKCS5    CONSTANT INTEGER := ENCRYPT_AES  + CHAIN_CBC + PAD_PKCS5;

key

key specifies the user-defined decryption key. This must be the same key that was used when src was encrypted.

iv

iv (optional) specifies an initialization vector. If an initialization vector was specified when src was encrypted, you must specify the same initialization vector when decrypting src. The default is NULL.

Examples

The following example uses the DBMS_CRYPTO.DECRYPT function to decrypt an encrypted password retrieved from the passwords table:

CREATE TABLE passwords
(
  principal  VARCHAR2(90) PRIMARY KEY, -- username
  ciphertext RAW(2048)                 -- encrypted password (DES CBC output is a multiple of 8 bytes)
);

CREATE FUNCTION get_password(username VARCHAR2) RETURN RAW AS
  -- typ, key and iv must be the same values that were passed to ENCRYPT
  typ       INTEGER  := DBMS_CRYPTO.DES_CBC_PKCS5;
  key       RAW(128) := 'my secret key';
  iv        RAW(100) := 'my initialization vector';
  password  RAW(2048);
BEGIN
  SELECT ciphertext INTO password FROM passwords WHERE principal = username;

  -- Return the decrypted password as RAW
  RETURN DBMS_CRYPTO.DECRYPT(password, typ, key, iv);
END;

Note that when calling DECRYPT, you must pass the same cipher type, key value and initialization vector that were used when encrypting the target.
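The following is an added example (not part of the original page) showing the ENCRYPT side of that requirement together with DECRYPT: the cipher type is built from the constants above (AES-256, CBC, PKCS5), and a fresh random IV from DBMS_CRYPTO.RANDOMBYTES is stored with each row so that DECRYPT can be given the matching IV later. The table name secrets, the functions demo_key, store_secret and fetch_secret, and the key literal are assumptions made for this example.

```sql
-- Added example: AES-256 CBC round trip with a per-row IV stored next to the ciphertext.
CREATE TABLE secrets
(
  principal  VARCHAR2(90) PRIMARY KEY,
  iv         RAW(16),    -- AES block size is 16 bytes; the IV is stored, not secret
  ciphertext RAW(2048)
);

-- Placeholder key for the example only: a deployment fetches the key from a key store.
CREATE FUNCTION demo_key RETURN RAW AS
BEGIN
  RETURN UTL_RAW.CAST_TO_RAW('0123456789abcdef0123456789abcdef'); -- 32 bytes for AES-256
END;

CREATE PROCEDURE store_secret(username VARCHAR2, plaintext VARCHAR2) AS
  -- Cipher type assembled from the page's constants: algorithm + chaining + padding
  typ   INTEGER := DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  v_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16); -- never reuse an IV with the same key
BEGIN
  INSERT INTO secrets (principal, iv, ciphertext)
  VALUES (username, v_iv,
          DBMS_CRYPTO.ENCRYPT(UTL_RAW.CAST_TO_RAW(plaintext), typ, demo_key(), v_iv));
END;

CREATE FUNCTION fetch_secret(username VARCHAR2) RETURN VARCHAR2 AS
  typ   INTEGER := DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  v_iv  RAW(16);
  v_ct  RAW(2048);
BEGIN
  SELECT iv, ciphertext INTO v_iv, v_ct FROM secrets WHERE principal = username;

  -- Same typ, same key, and the IV that was stored with this row; a different IV
  -- would yield garbage for the first block or a padding failure.
  RETURN UTL_RAW.CAST_TO_VARCHAR2(DBMS_CRYPTO.DECRYPT(v_ct, typ, demo_key(), v_iv));
END;

-- Round trip: store, then fetch with the stored IV
EXEC store_secret('alice', 'correct horse battery staple');
SELECT fetch_secret('alice');
```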