Hiding a Field. [message #245593] Mon, 18 June 2007 03:30
Arju

I have a table named login and it has a field password. How can I hide this field? Is there any way that I can hide this column? One way is to create a view. Any other way, will u please tell me?
Re: Hiding a Field. [message #245596 is a reply to message #245593] Mon, 18 June 2007 03:33
Michel Cadot
I don't know if "u" is registered here so I will answer for him.

The best way is a view.
Otherwise there is FGAC in 10g that allows you to hide the value in the column (not the column itself).
And, of course, encryption.

Regards
Michel
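
The first two options named in the reply above, shown as an added example that is not part of the original thread: a view that omits the column, and a 10g FGAC (DBMS_RLS) column-masking policy that returns the rows but nulls the value. LOGIN and PASSWORD come from the question; the schema APP, the column USERNAME, the role APP_USER_ROLE, the view LOGIN_V, the function HIDE_PASSWORD and the policy name LOGIN_MASK_PWD are assumptions.

```sql
-- Assumed names (not from the thread): APP, USERNAME, APP_USER_ROLE,
-- LOGIN_V, HIDE_PASSWORD, LOGIN_MASK_PWD.

-- Option 1: a view without the column. Grant SELECT on the view only;
-- grant nothing on APP.LOGIN itself, or the view hides nothing.
CREATE OR REPLACE VIEW app.login_v AS
  SELECT username
  FROM   app.login;

GRANT SELECT ON app.login_v TO app_user_role;

-- Option 2: FGAC column masking. The policy function returns a predicate;
-- with sec_relevant_cols_opt => ALL_ROWS the rows are still returned, but
-- the protected column is shown as NULL wherever the predicate is false.
CREATE OR REPLACE FUNCTION app.hide_password (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- Policies also apply to the table owner, so exempt it explicitly.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP' THEN
    RETURN NULL;          -- NULL predicate = no restriction
  END IF;
  RETURN '1=2';           -- never true: PASSWORD is masked on every row
END hide_password;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'LOGIN',
    policy_name           => 'LOGIN_MASK_PWD',
    function_schema       => 'APP',
    policy_function       => 'HIDE_PASSWORD',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PASSWORD',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS
  );
END;
/

-- Check as a non-owner session with SELECT on APP.LOGIN:
--   SELECT username, password FROM app.login;
-- returns every row, with PASSWORD shown as NULL.
```

SYS and any account holding the EXEMPT ACCESS POLICY privilege bypass the policy, so neither option hides the column from a DBA.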

Re: Hiding a Field. [message #245601 is a reply to message #245596] Mon, 18 June 2007 03:43
Arju

Michel Cadot wrote on Mon, 18 June 2007 14:33
I don't know if "u" is registered here so I will answer for him.

Sorry, but by u (YOU) I wanted to mention you, Michel.
Re: Hiding a Field. [message #245700 is a reply to message #245601] Mon, 18 June 2007 10:09
DreamzZ
Encrypting Sensitive Data

http://www.databasejournal.com/features/oracle/article.php/3649956
Re: Hiding a Field. [message #246534 is a reply to message #245593] Thu, 21 June 2007 04:15
lars3006
IMO, the best option would be storing the password's MD5 hashcode instead of the plain text password.

Lars
Re: Hiding a Field. [message #246538 is a reply to message #246534] Thu, 21 June 2007 04:21
Michel Cadot
I don't think this is the best option.

Regards
Michel
Re: Hiding a Field. [message #246596 is a reply to message #245593] Thu, 21 June 2007 07:32
lars3006
OK. Let's assume the following use case: An application server's login module performs user authentication based on user credentials that reside in a database table.

PRO plain passwords:
+ DBA can read all user passwords (good for DBA)
+ Easy to develop, no algorithms required.

PRO hashcode:
+ DBA can't read passwords (good for users).
+ Plain text passwords never go through the network on password check.
+ Harder to get hold of user passwords for attackers (It's impossible to deduce a password from its hash code).

Am I missing something?

Lars
Re: Hiding a Field. [message #246597 is a reply to message #246596] Thu, 21 June 2007 07:39
Michel Cadot
Are you talking about hashing in the application or in Oracle?

You don't talk about:
- Performance
- Transparency, the application is already written

So it depends on the current situation and what the final goals are (hide from whom?).

Regards
Michel
Re: Hiding a Field. [message #246608 is a reply to message #245593] Thu, 21 June 2007 08:01
lars3006
I agree that it depends on the use case which solution is appropriate.

In my assumption the application (server)'s login module calculates the hash code based on the information provided by the user.
When a user changes its password the application calculates the new hashcode before updating the corresponding database entry.

As to performance: How many users log in per second? Let's assume 100. I would estimate that common server hardware could calculate thousands of hash codes in a second.

As to transparency: I admit that there is a bit more programming effort required. There are libraries in virtually any programming language though (e.g. JCE).

Lars
Re: Hiding a Field. [message #246612 is a reply to message #246608] Thu, 21 June 2007 08:11
Michel Cadot
Quote:
In my assumption the application (server)'s login module calculates the hash code based on the information provided by the user.
When a user changes its password the application calculates the new hashcode before updating the corresponding database entry

It's a good choice if you have an application to write.
Now, is the OP's application already written and does he want a solution on top of it, or does he have to write it?
This is the core question.

Regards
Michel