The DBMS_CRYPTO package provides basic functions and stored procedures for encryption and decryption.
Applicability
This topic applies only to OceanBase Database Enterprise Edition. OceanBase Database Community Edition does not support this feature.
DBMS_CRYPTO supports various industry-standard encryption and hashing algorithms, including the Advanced Encryption Standard (AES). AES has been recognized by the National Institute of Standards and Technology (NIST) as a replacement for the Data Encryption Standard (DES).
DBMS_CRYPTO supports encryption and decryption of common data types, including RAW and large objects (LOBs) such as images and audio. Additionally, DBMS_CRYPTO provides globalization support, enabling data encryption and decryption across databases with different character sets.
Data types of DBMS_CRYPTO
The following table lists the data types used as parameters for the subprograms of the DBMS_CRYPTO package.
| Data type | Description |
|---|---|
| BLOB | The source or destination binary LOB. |
| CLOB | The source or destination character LOB. |
| PLS_INTEGER | The encryption algorithm type (used with BLOB, CLOB, and RAW data types). |
| RAW | The source or destination RAW buffer. |
Algorithms of DBMS_CRYPTO
The DBMS_CRYPTO package contains predefined encryption algorithms, cipher block chaining algorithms, and cipher block padding algorithms.
The following cryptographic hash algorithms are supported:
| Name | Description |
|---|---|
| HASH_MD4 | Generates a 128-bit hash or message digest for the input message. |
| HASH_MD5 | Also generates a 128-bit hash, but it is more complex than MD4. |
| HASH_SH1 | Secure Hash Algorithm (SHA-1). Generates a 160-bit hash. |
| HASH_SH256 | SHA-2, generates a 256-bit hash. |
| HASH_SH384 | SHA-2, generates a 384-bit hash. |
| HASH_SH512 | SHA-2, generates a 512-bit hash. |
| HASH_SM3 | National Cryptography Algorithm, generates a 256-bit hash. |

The following encryption algorithms are supported:
| Name | Description |
|---|---|
| ENCRYPT_AES128 | Advanced Encryption Standard (AES) in cipher block mode. Uses a 128-bit key. |
| ENCRYPT_AES192 | Advanced Encryption Standard (AES) in cipher block mode. Uses a 192-bit key. |
| ENCRYPT_AES256 | Advanced Encryption Standard (AES) in cipher block mode. Uses a 256-bit key. |
| ENCRYPT_DES | Data Encryption Standard (DES) in cipher block mode. Uses a 56-bit key. |
| ENCRYPT_3DES_2KEY | Triple Data Encryption Standard (3DES) with two keys. Encrypts the same block three times using two keys. The effective key length is 112 bits. |
| ENCRYPT_3DES | Triple Data Encryption Standard (3DES) in cipher block mode. Encrypts the same block three times. |
| ENCRYPT_SM4 | National Cryptography Algorithm, with a block size and key size of 128 bits. |

The following cipher block chaining algorithms are supported:
| Name | Description |
|---|---|
| CHAIN_ECB | Electronic Codebook (ECB) mode. Divides the entire plaintext into several equal segments and encrypts each segment. |
| CHAIN_CBC | Cipher Block Chaining (CBC) mode. Divides the plaintext into several segments, then XORs each segment with the initial block or the ciphertext of the previous segment, and encrypts it with the key. |
| CHAIN_CFB | Cipher Feedback (CFB) mode. Enables encryption of data units smaller than the block size. |
| CHAIN_OFB | Output Feedback (OFB) mode. Allows the block cipher to run as a synchronous stream cipher. Similar to CFB, but the n bits of the previous output block are moved to the right end of the waiting encryption data queue. |

The following cipher block padding algorithms are supported:
| Name | Description |
|---|---|
| PAD_PKCS5 | The padding algorithm conforms to PKCS #5, which is based on password-based cryptography. |
| PAD_NONE | Specifies the option for no padding algorithm. The caller must ensure that the block size is correct; otherwise, the package returns an error. |
Limitations of DBMS_CRYPTO
The DBMS_CRYPTO package does not directly support the VARCHAR2 data type. Before encrypting data of the VARCHAR2 type, you must convert it to the unified database character set AL32UTF8 and then to the RAW data type. After these conversions, you can use the DBMS_CRYPTO package to encrypt the data.
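The conversion described above, shown as an added example that is not part of the original documentation: a VARCHAR2 value is converted to AL32UTF8 RAW, encrypted with AES-256 in CBC mode with PKCS #5 padding, then decrypted and converted back. The plaintext, key, and IV are constructed sample values, and the block assumes the UTL_I18N and DBMS_OUTPUT packages are available in the tenant.

```plsql
DECLARE
  -- Constructed sample plaintext. VARCHAR2 cannot be passed to DBMS_CRYPTO directly.
  v_plain VARCHAR2(200) := 'Constructed sample: account note 0000';

  -- Constructed 32-byte key (AES-256) and 16-byte IV, for illustration only.
  -- In a real deployment the key comes from your key store, and a fresh IV is
  -- generated for every encryption and stored alongside the ciphertext.
  v_key   RAW(32) := HEXTORAW('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F');
  v_iv    RAW(16) := HEXTORAW('A0A1A2A3A4A5A6A7A8A9AAABACADAEAF');

  -- The typ argument is the sum of one cipher, one chaining mode and one padding constant.
  v_typ   PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                       + DBMS_CRYPTO.CHAIN_CBC
                       + DBMS_CRYPTO.PAD_PKCS5;

  v_src   RAW(2000);
  v_enc   RAW(2000);
  v_dec   RAW(2000);
  v_out   VARCHAR2(200);
BEGIN
  -- Step 1: VARCHAR2 -> AL32UTF8-encoded RAW, so the bytes are the same
  -- regardless of the database character set.
  v_src := UTL_I18N.STRING_TO_RAW(v_plain, 'AL32UTF8');

  -- Step 2: encrypt the RAW buffer.
  v_enc := DBMS_CRYPTO.ENCRYPT(src => v_src, typ => v_typ, key => v_key, iv => v_iv);

  -- Step 3: decrypt with the same typ, key and IV, then RAW -> VARCHAR2.
  v_dec := DBMS_CRYPTO.DECRYPT(src => v_enc, typ => v_typ, key => v_key, iv => v_iv);
  v_out := UTL_I18N.RAW_TO_CHAR(v_dec, 'AL32UTF8');

  DBMS_OUTPUT.PUT_LINE('ciphertext (hex): ' || RAWTOHEX(v_enc));
  DBMS_OUTPUT.PUT_LINE('round trip ok:    ' ||
                       CASE WHEN v_out = v_plain THEN 'yes' ELSE 'no' END);
END;
/
```

Store the ciphertext in a RAW or BLOB column rather than VARCHAR2, so that no character set conversion is applied to the encrypted bytes.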
Subprograms of DBMS_CRYPTO
The following table lists the DBMS_CRYPTO subprograms supported in the current OceanBase Database version and their brief descriptions.
| Subprogram | Description |
|---|---|
| ENCRYPT | Encrypts RAW data using a stream or block cipher with a user-provided key and an optional initialization vector (IV). |
| DECRYPT | Decrypts RAW data using a stream or block cipher with a user-provided key and an optional initialization vector (IV). |
| HASH | Applies one of the supported cryptographic hash algorithms (MD4, MD5, SHA-1, or SHA-2) to the data. |
