OraFAQ Forum: Security » Hiding a Field.

Home » RDBMS Server » Security » Hiding a Field.

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

Hiding a Field. [message #245593]

Mon, 18 June 2007 03:30

Arju
Messages: 1554
Registered: June 2007
Location: Dhaka,Bangladesh. Mobile:...

Senior Member

I have a table named login and it has a field password. How I can hide this field. Is there any way that I can hide this column. One way is create a view. Any other way will u please tell me?

Report message to a moderator

Re: Hiding a Field. [message #245596 is a reply to message #245593]

Mon, 18 June 2007 03:33

Michel Cadot
Messages: 68773
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

I don't know if "u" is registered here so I will answer for him.

The best way is view.
Otherwise there is FGAC in 10g that allows you to hide the value in the column (not the column itself).
And, of course, encryption.

Regards
Michel

Report message to a moderator

Re: Hiding a Field. [message #245601 is a reply to message #245596]

Mon, 18 June 2007 03:43

Arju
Messages: 1554
Registered: June 2007
Location: Dhaka,Bangladesh. Mobile:...

Senior Member

Michel Cadot wrote on Mon, 18 June 2007 14:33

I don't know if "u" is registered here so I will answer for him.

Sorry, But by u(YOU) I wanted to mention you michel.

Report message to a moderator

Re: Hiding a Field. [message #245700 is a reply to message #245601]

Mon, 18 June 2007 10:09

DreamzZ
Messages: 1666
Registered: May 2007
Location: Dreamzland

Senior Member

Encrypting Sensitive Data

http://www.databasejournal.com/features/oracle/article.php/3649956

Report message to a moderator

Re: Hiding a Field. [message #246534 is a reply to message #245593]

Thu, 21 June 2007 04:15

lars3006
Messages: 9
Registered: November 2006

Junior Member

IMO, the best option would be storing the password's MD5 hashcode instead of the plain text password.

Lars

Report message to a moderator

Re: Hiding a Field. [message #246538 is a reply to message #246534]

Thu, 21 June 2007 04:21

Michel Cadot
Messages: 68773
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

I don't think this is the best option.

Regards
Michel

Report message to a moderator

Re: Hiding a Field. [message #246596 is a reply to message #245593]

Thu, 21 June 2007 07:32

lars3006
Messages: 9
Registered: November 2006

Junior Member

OK. Let's assume the following use case: An application server's login module performes user authentication based on user credentials that reside in a database table.

PRO plain passwords:
+ DBA can read all user passwords (good for DBA)
+ Easy to develop, no algorithms required.

PRO hashcode:
+ DBA can't read passwords (good for users).
+ Plain text passwords never go through the network on password check.
+ Harder to get hold of user passwords for attackers (It's implossible to deduce a password from its hash code).

Am I missing something?

Lars

Report message to a moderator

Re: Hiding a Field. [message #246597 is a reply to message #246596]

Thu, 21 June 2007 07:39

Michel Cadot
Messages: 68773
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

Do you talk about hashing in the application or in Oracle?

You don't talk about:
- Performances
- Transparency, the application is already written

So it depends on the current situation and what is the final goals (hide from who?).

Regards
Michel

Report message to a moderator

Re: Hiding a Field. [message #246608 is a reply to message #245593]

Thu, 21 June 2007 08:01

lars3006
Messages: 9
Registered: November 2006

Junior Member

I agree that it depends on the use case which solution is appropriate.

In my assumption the application (server)'s login module calculated the hash code based on the information provided by the user.
When a user changes its password the application calculated the new hashcode before updating the corresponding database entry.

As to performance: How many users login per second? Let's assume 100. I would estimate that common server hardware could calulate thousands of hash codes in a second.

As to transparency: I admit that there is bit more programming effort required. There are libraries in virtually any programming language though (e.g. JCE).

Lars

Report message to a moderator

Re: Hiding a Field. [message #246612 is a reply to message #246608]

Thu, 21 June 2007 08:11

Michel Cadot
Messages: 68773
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

Quote:

In my assumption the application (server)'s login module calculated the hash code based on the information provided by the user.
When a user changes its password the application calculated the new hashcode before updating the corresponding database entry

It's a good choice if you have an application to wrote.
Now does the OP application already written and does he want a solution on top of it or does he have to write it?
This is the core question.

Regards
Michel

Report message to a moderator

Previous Topic:	Oracle Label Security in J2EE?
Next Topic:	how to view object granted in a Role

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu Dec 18 19:41:57 CST 2025