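Our database team wants to revoke EXECUTE on DBMS_RANDOM from PUBLIC to address a security concern. If you google it, some security experts consider the package dangerous, but they don't say why. Ingram and Shaul's book "Practical Oracle Security" states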
…granting PUBLIC access to DBMS_RANDOM in environments where the
function is used in cryptographic key generation could lead to
compromise of the encrypted data…
The Oracle documentation says
DBMS_RANDOM is not intended for cryptography.
…and…
DBMS_CRYPTO.RANDOMBYTES … returns a RAW value containing a
cryptographically secure pseudo-random sequence of bytes, which can be
used to generate random material for encryption keys.
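So it seems DBMS_RANDOM is fine for generating pseudo-random numbers (as long as you don't use it for cryptography). Why is that too dangerous for PUBLIC?
Edit:
I just found a new source that claims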
DBMS_RANDOM: allows encrypting of data without requiring safe management of encryption keys.
That's nonsense too, isn't it?
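
As an added example, not part of the original question: one way a DBA could scope the revoke discussed above, by listing who holds the grant, which stored code would be affected and needs review for key generation, and then moving key material to DBMS_CRYPTO.RANDOMBYTES as the quoted Oracle documentation describes. The schema name APP_OWNER is a hypothetical placeholder, and the script assumes a DBA session with access to the DBA_* dictionary views.

```sql
-- Added example (Oracle SQL / PL/SQL). APP_OWNER is a hypothetical schema name.

-- 1. Who currently holds EXECUTE on DBMS_RANDOM (PUBLIC or direct grants)?
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  table_name = 'DBMS_RANDOM'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Which non-SYS stored objects reference DBMS_RANDOM? These go invalid
--    after the revoke unless their owner receives a direct grant.
SELECT DISTINCT d.owner, d.name, d.type
FROM   dba_dependencies d
WHERE  d.referenced_name = 'DBMS_RANDOM'
AND    d.owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY d.owner, d.name;

-- 3. List the call sites so each can be reviewed: any use that feeds
--    keys, passwords or tokens should move to DBMS_CRYPTO.RANDOMBYTES.
SELECT owner, name, type, line, text
FROM   dba_source
WHERE  UPPER(text) LIKE '%DBMS_RANDOM%'
AND    owner <> 'SYS'
ORDER  BY owner, name, line;

-- 4. Revoke from PUBLIC, then grant only to the schemas found in step 2
--    whose use is non-cryptographic (sampling, test data, shuffling).
REVOKE EXECUTE ON sys.dbms_random FROM PUBLIC;
GRANT  EXECUTE ON sys.dbms_random TO app_owner;

-- 5. Key material comes from the CSPRNG instead. The owner needs
--    EXECUTE on DBMS_CRYPTO, which is not granted to PUBLIC by default.
SET SERVEROUTPUT ON
DECLARE
  l_key RAW(32);
BEGIN
  l_key := DBMS_CRYPTO.RANDOMBYTES(32);  -- 256 bits of key material
  -- Report only the length; never write the key itself to output or logs.
  DBMS_OUTPUT.PUT_LINE('key bytes: ' || UTL_RAW.LENGTH(l_key));
END;
/
```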