Re: Question re security

From: <david_at_databasesecurity.com>
Date: Mon, 20 Jan 2014 01:11:57 -0000
Message-ID: <A0BB4C615FC14EFB9CFBB3195C57B3A1_at_NAUTILUS>



The hash has never been passed over the wire - I describe in detail how authentication works in the Oracle Hacker's Handbook in Chapter 4. Here's an online copy:
http://books.google.com.au/books?id=cDy2_QoQplEC&lpg=PA43&ots=5tygnUMzKQ&dq=oracle%20authentication%20process%20litchfield&pg=PA43#v=onepage&q=oracle%20authentication%20process%20litchfield&f=false

HTH,
David

-----Original Message-----
From: Nuno Souto
Sent: Saturday, January 18, 2014 4:28 AM
Cc: oracle-l-freelists
Subject: Re: Question re security

On 17/01/2014 8:19 PM, Fergal Taheny wrote:

> This is something I have wondered about. The Oracle passwords are
> encrypted during transmission by default with standard sqlnet setup. I
> checked this with a packet sniffer once to confirm this but I have
> wondered if this encryption is reliable. No pre-sharing of any keys has to
> be done before a client can connect to a db. So as part of the
> authentication does the server send the client a key which the client uses
> to encrypt the password? If this is the case then isn't this open to a man
> in the middle attack?
>
> Would be interested to hear people's opinions on this.
>

Not sure about that. In 9ir2, I could use one of the standard sniffers included in Suse Linux to fish out all Oracle pwds at login time on 1521. Haven't tried since then, so things might have changed. Used to be that the pwd was sent as is, and then encrypted after reaching the target server to be compared with the saved encrypted one in sys.user$. Likely not anymore, but I'd also appreciate confirmation of that.

-- 
Cheers
Nuno Souto
dbvision_at_iinet.net.au

--
http://www.freelists.org/webpage/oracle-l



Received on Mon Jan 20 2014 - 02:11:57 CET
