Generating Keys

It should be apparent from the discussion so far that the weakest link in the chain is the encryption key. To successfully decrypt the encrypted data, the key is literally that—the key, and to protect the encryption, you must make that key very difficult to guess. In the examples we have presented so far, we have used a 16-byte key for DES3 two-pass encryption and a 24-byte key for DES3 three-pass encryption.

There are two important points to remember about using a proper encryption key:

Encryption Basics in Oracle9i Database

  • Encryption can be DES or DES3 (Triple DES); DES3 is preferred.

  • DES3 encryption can be either two-pass or three-pass; two-pass is the default.

  • The length of the value to be encrypted must be a multiple of eight.

  • The key used in encryption must also be used in decryption.

  • The length of the key must be at least 16 for DES, 16 for two-pass DES3, and 24 for three-pass DES3.

  • An initialization vector (IV) can be specified when encrypting for further protection; if used, it must also be specified during decryption.

  • Because the IV, if specified, is prefixed to the input value, the length of the combined value must be a multiple of eight.

  • The longer the key is, the more difficult it is to guess. The two-pass method accepts a key of 128 bits, and the three-pass method accepts a key of 192 bits. To have an acceptable level of encryption, you should use as large a key as possible.

  • In addition to being long, the key should be one that does not follow a pattern or format ...

Get Oracle PL/SQL for DBAs now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial