9 Replies Latest reply: Feb 6, 2009 2:06 PM by 636750 RSS

    How to encrypt credit card numbers in db?

    669771
      Hi,

      what is the best and recommended method for credit card encryption?
      We using TDE but when samebody connect into dba have full access. Of course we using dbms_crypto for card number column.
      But we want to use asymmetrical cypher with private and public key like RSA or...

      Regards,
      Tom
      http://oracledba.cz
        • 1. Re: How to encrypt credit card numbers in db?
          Mohammed Mehraj Hussain
          hi.

          plz go thro the below link

          http://www.oracle-base.com/articles/10g/TransparentDataEncryption_10gR2.php

          regards,
          Mohd Mehraj Hussain
          http://mehrajdba.wordpress.com
          • 2. Re: How to encrypt credit card numbers in db?
            669771
            I found that dbms_crypto provides RSA algorithm.
            so we can use it.

            reg.
            Tom
            • 3. Re: How to encrypt credit card numbers in db?
              19426
              The DBA access problem is addressed by Database Vault:

              http://download.oracle.com/docs/cd/B28359_01/server.111/b31222/toc.htm

              Werner
              • 4. Re: How to encrypt credit card numbers in db?
                Mohammed Mehraj Hussain
                yes u can use that also...


                GRANT execute ON dbms_crypto TO hr;


                CREATE OR REPLACE FUNCTION Hash_encrypt(info IN VARCHAR2) RETURN RAW IS
                BEGIN
                RETURN DBMS_CRYPTO.HASH(UTL_I18N.STRING_TO_RAW (info, ‘AL32UTF8′),
                DBMS_CRYPTO.HASH_MD5);
                END;
                /





                create table employee(
                user_id number(10),
                pass varchar2(100));

                Insert into employee_auth (user_id,pass) values (2321344, hash_encrypt('praveen'));

                Insert into employee_auth (user_id,pass) values (2321345, hash_encrypt('swarna'));


                SQL> SELECT * FROM employee_auth;
                USER_ID pass
                ---------- ---------------------
                2321344 45BECD6C5DD83E2179CD81DF8640CD5A
                2321345 5B582710926DC297202DB3926EDA5C9F


                regards,
                Mohd Mehraj Hussain
                http://mehrajdba.wordpress.com

                Edited by: Mohd Mehraj Hussain on Feb 2, 2009 4:12 PM
                • 6. Re: How to encrypt credit card numbers in db?
                  JustinCave
                  Note that while it is perfectly appropriate to hash something like a user's password in the database because you don't need to recover the password, it would not be appropriate to hash something like a user's credit card number that you do, presumably, want to recover at some point. A hash is a one-way process, encryption is a reversible process (assuming you have the key, of course).

                  If you are going to hash a password, you generally also want to hash more than just the password. Otherwise, it is possible to just copy a password hash from one user to another (i.e. copying the password hash from a known low-privilege user account to a higher-privilege account). You would generally want to hash the combination of the user name, password, and some salt (i.e. a string constant of some sort).

                  Justin
                  • 7. Re: How to encrypt credit card numbers in db?
                    669771
                    Hi,

                    I found oracle crypto and we will use it http://download-uk.oracle.com/docs/cd/B25221_04/security.1013/b25372/crypto.htm#BJFIHJFH
                    but it generates an errors:

                    SQL> CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "NetsafeCrypt" AS
                    2 import java.lang.*;
                    3 import java.io.*;
                    4 import oracle.security.crypto.core.*;
                    5 import oracle.security.crypto.util.*;
                    6
                    7 public class NetsafeCrypt {
                    8 public static String RSAEncrypt(String data, String pubKeyData) {
                    9 RSAPublicKey pubKey = RSAPublicKey(pubKeyData.getBytes());
                    10 return "abc";
                    11 }
                    12 };
                    13 /

                    Warning: Java created with compilation errors.

                    SQL> show error
                    Errors for JAVA SOURCE "NetsafeCrypt":

                    LINE/COL ERROR
                    -------- -----------------------------------------------------------------
                    0/0 NetsafeCrypt:8: cannot find symbol
                    0/0 symbol : class RSAPublicKey
                    0/0 location: class NetsafeCrypt
                    0/0 RSAPublicKey pubKey = RSAPublicKey(pubKeyData.getBytes());
                    0/0 ^
                    0/0 2 errors
                    0/0 symbol : method RSAPublicKey(byte[])
                    0/0 location: class NetsafeCrypt
                    0/0 RSAPublicKey pubKey = RSAPublicKey(pubKeyData.getBytes());
                    0/0 ^
                    0/0 NetsafeCrypt:8: cannot find symbol

                    My CLASSPATH is ok.
                    echo $CLASSPATH
                    /opt/app/oracle/product/11/db_1/JRE:/opt/app/oracle/product/11/db_1/jlib:/opt/app/oracle/product/11/db_1/rdbms/jlib:/opt/app/oracle/product/11/db_1/network/jlib:/opt/app/oracle/product/11/db_1/jlib/osdt_core.jar


                    Regards,
                    Tom
                    • 8. Re: How to encrypt credit card numbers in db?
                      669771
                      Hi,

                      I dont know why sqlplus (oracle) doesn't accept CLASSPATH because when I load java into oracle directly it works.

                      1)loadjava -u tsolar/**** -v /opt/app/oracle/product/11/db_1/jlib/osdt_core.jar

                      2)
                      CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "NetsafeCrypt" AS
                      import java.lang.*;
                      import java.io.*;
                      import oracle.security.crypto.core.*;
                      import oracle.security.crypto.util.*;

                      public class NetsafeCrypt {
                      public static String RSAEncrypt(String data, String pubKeyData) {
                      try {
                      RSAPublicKey pubKey = new RSAPublicKey(pubKeyData.getBytes());
                      } catch (Exception exception) {
                      }
                      return "abc";
                      }
                      };
                      /

                      Java created.


                      QUESTION:
                      are there any other variables? I dont know if I missed any.

                      Regards,
                      Tom
                      http://oracledba.cz
                      • 9. Re: How to encrypt credit card numbers in db?
                        636750
                        Where can I find the below mentioned packages:

                        oracle.security.crypto.core.*;
                        oracle.security.crypto.util.*;


                        Sorry to bother I found out that I needed to export osdt_core.jar file.

                        Edited by: Monk on Feb 6, 2009 3:04 PM