decryption of encrypted DB2 UDB LUW column without using DB2 decrypt function

The information center writes:

"Encryption Algorithm: The internal encryption algorithm used is RC2
block cipher with padding, the 128-bit secret key is derived from the
password using a MD2 message digest.
"

and also explains how the length of the encrypted column can be
derived.

How to understand this explanation so that encrypted column data could
be decrypted without using the decrypt routine?

First the MD2 explanation: the 128-bit secret key is derived from the
password using a MD2 message digest:

How is the MD2 derived from the password?

And also:

For encrypted data with no hint:

"
maximum length of the non-encrypted data + 8 bytes + the number of
bytes to the next 8 byte boundary = encrypted data column length.
"
RC2 is an 8-byte block size algorithm. What is the padding of the data
and what are the extra 8 bytes?

And how is the hint implemented?
Bernard Dhooghe

Dec 20 '06 #1
Bernard Dhooghe wrote:
> The information center writes:
>
> "Encryption Algorithm: The internal encryption algorithm used is RC2
> block cipher with padding, the 128-bit secret key is derived from the
> password using a MD2 message digest.
> "
>
> and also explains how the length of the encrypted column can be
> derived.
>
> How to understand this explanation so that encrypted column data could
> be decrypted without using the decrypt routine?
The objective of encryption is to not allow viewing the data without
using the decryption routine. If you really want to do this, you need to
contact the codebreaking staff at the United States NSA (National
Security Agency). Be prepared for visits from a number of different
government agencies if you do this.
> First the MD2 explanation: the 128-bit secret key is derived from the
> password using a MD2 message digest:
>
> How is the MD2 derived from the password?
The password is fed into the MD2 hashing algorithm which should append a
checksum to the password then hashes the result into a 32 bit field. The
objective of the hash is to make a unique "signature" that the
password/checksum generates that no other password will generate the
same "signature". The combination of password and the checksum makes it
very difficult to find another password that will yield the same 32 bit
result.

As an aside, the use of MD2 is interesting. It is an algorithm optimized
for 8-bit processors. Other digesting mechanisms for 32-bit
architectures should have better performance. The choice of MD2 may have
been influenced by U.S. export restrictions on cryptographic mechanisms.
> And also:
>
> For encrypted data with no hint:
>
> "
> maximum length of the non-encrypted data + 8 bytes + the number of
> bytes to the next 8 byte boundary = encrypted data column length.
> "
> RC2 is an 8-byte block size algorithm. What is the padding of the data
> and what are the extra 8 bytes?
RC2 works on 8 bytes of data at a time. If the data to be encrypted is
not a multiple of 8 then the data must be padded out to the next
multiple of 8.

The RC2 combines the password digest with a "salt" to further expand the
encryption key. The salt is always sent, unencrypted, with the encrypted
message. Salts range from 40 to 88 bits so I'd suspect the eight extra
bytes are a 64 bit (or less) salt value.
http://www.rsasecurity.com/rsalabs/node.asp?id=2249
> And how is the hint implemented?
The hint is stored (unencrypted) with the encrypted data. Pass the
encrypted data to the GETHINT scalar function to retrieve the hint.
Present it to the user and then ask the user for the password.
> Bernard Dhooghe
It's more likely that your user will forget the password and you won't
be able to retrieve the data. If this is a concern, then you must
implement some password mechanism that will force your users to store
passwords in a secure "vault" that can be opened with appropriate
authorization. The only way I know of to do this, where multiple users
access a database, involves the use of asymmetric encryption which uses
different keys to encrypt and decrypt. This type of encryption is many
many times slower than the symmetrical encryption technique implemented
in DB2 and is not suitable for high performance applications.

Phil Sherman
Dec 21 '06 #2
I also think the chosen implementation is just not to see the data
without some extra coding/control, together with a performant
implementation.

The question is how to decrypt columns, having access to the password,
but not using the DB2 routines.

The algorithms used are well known, this is not a real problem, just
the correct data feed.

The Information Center writes:

"Administration of encrypted data: Encrypted data can only be decrypted
on servers that support the decryption functions corresponding to the
ENCRYPT function."

Correct:

followed by:

"
Therefore, replication of columns with encrypted data should only be
done to servers that support the DECRYPT_BIN or the DECRYPT_CHAR
function.
"

to be completed with: 'or servers implementing decrypt functions
corresponding to the ENCRYPT function'.
Bernard Dhooghe

Dec 21 '06 #3
