DECRYPT

The DECRYPT function or procedure decrypts data using a user-specified cipher algorithm, key and optional initialization vector. The signature of the DECRYPT function is:

DECRYPT
  (<src> IN RAW, <typ> IN INTEGER, <key> IN RAW, <iv> IN RAW
   DEFAULT NULL) RETURN RAW

The signature of the DECRYPT procedure is:

DECRYPT
  (<dst> INOUT BLOB, <src> IN BLOB, <typ> IN INTEGER, <key> IN RAW,
   <iv> IN RAW DEFAULT NULL)

or

DECRYPT
  (<dst> INOUT CLOB, <src> IN CLOB, <typ> IN INTEGER, <key> IN RAW,
   <iv> IN RAW DEFAULT NULL)

When invoked as a procedure, DECRYPT returns BLOB or CLOB data to a user-specified BLOB.

Parameters

dst

dst specifies the name of a BLOB to which the output of the DECRYPT procedure will be written. The DECRYPT procedure will overwrite any existing data currently in dst.

src

src specifies the source data that will be decrypted. If you are invoking DECRYPT as a function, specify RAW data; if invoking DECRYPT as a procedure, specify BLOB or CLOB data.

typ

typ specifies the block cipher type and any modifiers. This should match the type specified when the src was encrypted. Advanced Server supports the following block cipher algorithms, modifiers and cipher suites:

Block Cipher Algorithms

ENCRYPT_DES

CONSTANT INTEGER := 1;

ENCRYPT_3DES

CONSTANT INTEGER := 3;

ENCRYPT_AES

CONSTANT INTEGER := 4;

ENCRYPT_AES128

CONSTANT INTEGER := 6;

ENCRYPT_AES192

CONSTANT INTEGER := 192;

ENCRYPT_AES256

CONSTANT INTEGER := 256;

Block Cipher Modifiers

CHAIN_CBC

CONSTANT INTEGER := 256;

CHAIN_ECB

CONSTANT INTEGER := 768;

Block Cipher Padding Modifiers

PAD_PKCS5

CONSTANT INTEGER := 4096;

PAD_NONE

CONSTANT INTEGER := 8192;

Block Cipher Suites

DES_CBC_PKCS5

CONSTANT INTEGER := ENCRYPT_DES + CHAIN_CBC + PAD_PKCS5;

DES3_CBC_PKCS5

CONSTANT INTEGER := ENCRYPT_3DES + CHAIN_CBC + PAD_PKCS5;

AES_CBC_PKCS5

CONSTANT INTEGER := ENCRYPT_AES + CHAIN_CBC + PAD_PKCS5;

key

key specifies the user-defined decryption key. This should match the key specified when the src was encrypted.

iv

iv (optional) specifies an initialization vector. If an initialization vector was specified when the src was encrypted, you must specify an initialization vector when decrypting the src. The default is NULL.

Examples

The following example uses the DBMS_CRYPTO.DECRYPT function to decrypt an encrypted password retrieved from the passwords table:

CREATE TABLE passwords
(
  principal VARCHAR2(90) PRIMARY KEY, -- username
  ciphertext RAW(9) -- encrypted password
);

CREATE FUNCTION get_password(username VARCHAR2) RETURN RAW AS
 typ       INTEGER := DBMS_CRYPTO.DES_CBC_PKCS5;
 key       RAW(128) := 'my secret key';
 iv        RAW(100) := 'my initialization vector';
 password  RAW(2048);
BEGIN

  SELECT ciphertext INTO password FROM passwords WHERE principal = username;

  RETURN dbms_crypto.decrypt(password, typ, key, iv);
END;

Note that when calling DECRYPT, you must pass the same cipher type, key value and initialization vector that was used when ENCRYPTING the target.