Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle network authentication encryption?

From: Jeroen <jeroen_at_isvet.nl>
Date: Mon, 14 Nov 2005 00:43:34 +0100
Message-ID: <dl8io6$qo7$1@azure.qinip.net>


Sybrand Bakker wrote:

>>I'm interested in the algorithm used by Oracle 9i/10g to encrypt client
>>logons over the network (O3LOGON).

> 1 Please do not crosspost, especially not to a group
> (comp.databases.oracle) that has been split up and abandoned many
> years ago and isn't carried by many providers. Also do not crosspost
> as most regulars monitor all groups, so you are only wasting bandwidth

Check.

>>What is it?

> 2 It is some sort of DES encryption.

How do you know/can you give some more details? Unlike Oracle 8/8i, versions 9i and 10g show 16-byte hex strings in traffic dumps of an ODBC logon. So I think that isn't DES-like (DES should typically show 8 bytes) until there's a good explanation. And that's what I'm looking for...

>>Is it safe?

> 3 According to some people it is not safe,

Can you give me a pointer on which grounds it should be unsafe and because of what? Perhaps it can help me!

> but then again I notice
> many firms don't have any security at all (ie password=username),
> being forced into that by their application vendors

Yeps, that's what I see in the field :(

>>Can I change it to possibly better algorithms/longer keylengths?

> 4 Obviously you can not change it.

Again; how do you know? I cannot find info regarding this at the Oracle site.

Thanks for your reply,

Jeroen

Received on Sun Nov 13 2005 - 17:43:34 CST
