Re: Question re security

From: Nuno Souto <dbvision_at_iinet.net.au>
Date: Sat, 18 Jan 2014 15:28:51 +1100
Message-ID: <52DA0303.4080108_at_iinet.net.au>



On 17/01/2014 8:19 PM, Fergal Taheny wrote:

> This is something I have wondered about. The Oracle passwords are
> encrypted during transmission by default with standard sqlnet setup.
> I checked this with a packet sniffer once to confirm this but I have
> wondered if this encryption is reliable. No pre-sharing of any keys
> has to be done before a client can connect to a db. So as part of the
> authentication does the server send the client a key which the client
> uses to encrypt the password? If this is the case then isn't this open
> to a man in the middle attack?
>
> Would be interested to hear people's opinions on this.
>

Not sure about that. In 9iR2, I could use one of the standard sniffers included in Suse Linux to fish out all Oracle pwds at login time on 1521. Haven't tried since then, so things might have changed. Used to be that the pwd was sent as is, and then encrypted after reaching the target server to be compared with the saved encrypted one in sys.user$. Likely not anymore, but I'd also appreciate confirmation of that.

-- 
Cheers
Nuno Souto
dbvision_at_iinet.net.au
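As an added illustration (not part of the thread, and not a description of Oracle's actual SQL*Net authentication), the script below models the two designs the two posts contrast: a password sent as typed and hashed only on arrival, versus a generic challenge-response in which the server issues a random nonce and the client answers with an HMAC keyed by a password-derived secret. The packet-sniffer check that Fergal describes is run over each exchange, and the server side shows why a captured proof is of no use for a later login. The user name, password, message formats and key derivation are all constructed for the example.

```python
"""Model of the two password-on-the-wire designs discussed in the thread.
Added example; the challenge-response scheme is a generic HMAC design,
not Oracle's real protocol."""
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not a real account).
USER = "scott"
PASSWORD = "tiger-Example-2014"


def password_key(password: str) -> bytes:
    """Derive the secret both sides hold from the password (plain SHA-256
    here; a real system would use a salted, slow KDF)."""
    return hashlib.sha256(password.encode()).digest()


def wire_cleartext_login(user: str, password: str) -> list[bytes]:
    """Design A: the password crosses the wire as typed and is only hashed
    on arrival at the server (the 9iR2 behaviour recalled in the reply)."""
    return [f"LOGIN {user} {password}".encode()]


def wire_challenge_login(user: str, password: str, nonce: bytes) -> list[bytes]:
    """Design B: the server sends a fresh random nonce; the client returns an
    HMAC over it keyed by the password-derived secret. The password itself
    never leaves the client."""
    proof = hmac.new(password_key(password), nonce, hashlib.sha256).hexdigest()
    return [b"NONCE " + nonce.hex().encode(),
            f"PROOF {user} {proof}".encode()]


def sniffer_sees_password(packets: list[bytes], password: str) -> bool:
    """The packet-sniffer check from the thread: does the password appear
    verbatim anywhere in the captured bytes?"""
    return any(password.encode() in pkt for pkt in packets)


def server_verify(stored_key: bytes, nonce: bytes, proof_packet: bytes) -> bool:
    """Server side of design B: recompute the expected proof for the nonce it
    issued and compare in constant time. The server stores only the derived
    key, never the password."""
    proof = proof_packet.split()[-1].decode()
    expected = hmac.new(stored_key, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof)


def demo() -> dict:
    """Run both designs once and report what an observer and the server see."""
    stored_key = password_key(PASSWORD)   # what the server keeps on file

    cleartext = wire_cleartext_login(USER, PASSWORD)

    nonce = os.urandom(16)
    challenge = wire_challenge_login(USER, PASSWORD, nonce)
    accepted = server_verify(stored_key, nonce, challenge[1])

    # A captured proof is useless for a later login: the server issues a new
    # nonce each time, so the old proof no longer verifies.
    replay_accepted = server_verify(stored_key, os.urandom(16), challenge[1])

    return {
        "cleartext_visible_to_sniffer": sniffer_sees_password(cleartext, PASSWORD),
        "challenge_visible_to_sniffer": sniffer_sees_password(challenge, PASSWORD),
        "server_accepts_fresh_proof": accepted,
        "server_accepts_replayed_proof": replay_accepted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The nonce design keeps the password away from a passive observer, but nothing in it tells the client who issued the nonce, which is exactly the man-in-the-middle worry raised in the question. That gap is closed by authenticating the server end of the session (for example TLS with certificate verification), not by the challenge-response alone.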

--
http://www.freelists.org/webpage/oracle-l
Received on Sat Jan 18 2014 - 05:28:51 CET
