RE: Passwords and authentication

From: Jamadagni, Rajendra <Rajendra.Jamadagni_at_espn.com>
Date: Thu, 19 Jun 2003 11:33:49 -0700
Message-ID: <F001.005B5596.20030619111815@fatcity.com>

<FONT face="Courier New" color=#0000ff

size=2>Label Security = $$$$$$$$$$$$$$$$

<FONT face="Courier New" color=#0000ff

size=2> 
<FONT face="Courier New" color=#0000ff

size=2>Sometimes we need to compile forms against production instance (please don't ask) to resolve some really stupid issues. When compiling, the form has to be compiled with schema owner (again don't ask). As the production schema are locked down, we need a way to connect to compile. I do not want to set-up an elaborate scheme as mentioned by Arup, because this will _NOT_ be a regular feature.
<FONT face="Courier New" color=#0000ff

size=2> 
<FONT face="Courier New" color=#0000ff

size=2>This all came into picture because the new release mechanism that we are testing ... you check in a form into PVCS, as it gets promoted to R_F_P, the DBAs would check it out, compile it and release it. And all three processes will be managed by event triggers in PVCS. The main use of using encrypted connection to connect to db is to compile forms and reports (from windows platform).
<FONT face="Courier New" color=#0000ff

size=2> 
<FONT face="Courier New" color=#0000ff

size=2>Ok well, seems like a bit of impossible task to me ... to connect using the encrypted value from dba_users view.
<FONT face="Courier New" color=#0000ff

size=2>Thanks for the ideas though ...
<FONT face="Courier New" color=#0000ff

size=2>Raj
<FONT face="Courier New"

size=2>-------------------------------------------------------------------------------- 

Rajendra dot Jamadagni at nospamespn dot com All Views expressed in this email
are strictly personal. QOTD: Any clod
can have facts, having an opinion is an art !

  <FONT face=Tahoma
  size=2>-----Original Message-----From: Gogala, Mladen   [mailto:[EMAIL PROTECTED]Sent: Thursday, June 19, 2003 12:45   PMTo: Multiple recipients of list ORACLE-LSubject: RE:   Passwords and authentication
  <SPAN
  class=375194415-19062003>There is also label security option which is present   on Enterprise Edition CD. That would
  <SPAN
  class=375194415-19062003>alleviate the need for manual encryption because the   table cannot be seen unless there is
  <SPAN
  class=375194415-19062003>sufficient security clearance. Also, logging in from   SQL*Plus can be disabled from the USER_PRODUCT_PROFILE. Connected to that, is   anybody on this list using label
  <SPAN
  class=375194415-19062003>security? Does anybody have experience with it? Arup,   you are writing a book about security   in
  Oracle 9.2  and I hope that you will cover label   security.
   
  Mladen Gogala <FONT face=Arial
  size=2>Oracle DBA Phone:(203)
  459-6855 Email:[EMAIL PROTECTED]   

    <FONT face=Tahoma
    size=2>-----Original Message-----From: Arup Nanda     [mailto:[EMAIL PROTECTED]Sent: Thursday, June 19, 2003 12:15     PMTo: Multiple recipients of list ORACLE-LSubject: Re:     Passwords and authentication
    Raj,
     
    My first question will be how you
    would want to pass the encrypted password. sqlplus     <username>/<encyptedpass>? But won't the encrypted password be     known before making the connection? If so, then the user who will encrypt     the password will also know how to decrypt them. What's the advantage in     doing that?
     
    Are you concerned someone sniffing the network     uncovers a clear password? If so, have you considered network security with     password encryption by Oracle Net?
     
    If that is not the concern but rather you don't     want the users to know the real password, here is a solution you might be     interested. It's part of a elaborate application security design. Please     read on if you are interested.
     
    You would have user called SECUSER with only     table APP_USERS. The table has two columns - APP_USER and APP_PASS, in     encrypted manner, with Triple DES Encryption. The user also has one function

• check_app_password, which accepts two parameters - the userid and the password and returns a string. The return value is YES is the password supplied is correct and NO, if it isn't. It does not shw the correct password, ever; just shows if the supplied password is correct or not. This function is defined as DEFINER rights. All users get an execute privilege on this function, nothing else on the rest of the objects of the SECUSER user.   Inside the function, the password is retrieved from the table, decrypted with the key inside the procedure and matched with the supplied one. Another function is provided to encrypt the password using teh same key. For more ecurity, the userid and password combination can encrypted, not just the password. If you want I can give you the code for the functions.   When the app user connects, the connection is done through a generic id, that, after the conenction, validates the password using the function and authenticates the user. If the password is not correct, the user is booted out.   Now comes other issues - fine grained access control and fine grained auditing. These features need to have a sepcific named database user. However, that can be easily fixed by setting up an application context and passing the app_user value to a context attribute. This attribute can now be tracked, rather than the userid.   Hope this helps.   Arup Nanda <A href="http://www.proligence.com">www.proligence.com <BLOCKQUOTE dir=ltr style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
  • Original Message ----- <DIV style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black">From: <A [EMAIL PROTECTED] href="mailto:[EMAIL PROTECTED]">Jamadagni, Rajendra To: <A [EMAIL PROTECTED] href="mailto:[EMAIL PROTECTED]">Multiple recipients of list ORACLE-L Sent: Thursday, June 19, 2003 9:19 AM Subject: Passwords and authentication

      Is it possible to connect to database 
      using encrypted passwords? Using sqlplus? 
      Thanks <FONT 
      face="Courier New" size=2>Raj <FONT face="Courier New" 
      size=2>-------------------------------------------------------------------------------- 
      Rajendra dot Jamadagni at nospamespn 
      dot com All Views expressed in 
      this email are strictly personal. <FONT face="Courier New" 
      size=2>QOTD: Any clod can have facts, having an opinion is an art ! 
      
********************************************************************This e-mail 

message is confidential, intended only for the named recipient(s) above and may contain information that is privileged, attorney work product or exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please immediately notify corporate MIS at (860) 766-2000 and delete this e-mail message from your computer, Thank

you.*********************************************************************2

Received on Thu Jun 19 2003 - 13:33:49 CDT