Re: compare user/passwords (comp.databases.oracle.server)
Hi
You can only use DBMS_OBFUSCATION_TOOLKIT if the version of Oracle you are on is high enough: Oracle 8.1.6, or better 8.1.7 for triple DES. As I understand it, this package is limited to single DES (56) and triple DES (168). Single DES is considered weak, so the only real option with this package is triple DES.
Both of these options are still not good for encrypting passwords as they are symmetrical algorithms, that is, you can encrypt and decrypt using the same key. The key is the issue here. If you use this package then you need to hide the key. If an attacker can find the key then he can use the same package in your database to get all of your passwords. Hiding the key is a major problem in itself. You can store it outside of the database in an O/S file, hide it somewhere innocuous in the database, say in the middle of customer records, break it up into pieces or store it in another database; the choices are endless, but you can usually find fault in them.
You may be better off using a public key algorithm and writing it in C. The key can be better hidden broken up in a binary executable than hidden in a database.
I would also consider not using a symmetrical algorithm like DES or 3DES, so the passwords cannot be decrypted if the key is found.
Beware of DBMS_RANDOM as well, as I seem to remember reading somewhere that using it to generate a key is not a good idea, as there was some weakness issue with it.
There are also endian issues with DBMS_OBFUSCATION_TOOLKIT: if the data is encrypted on an Intel box then it cannot be decrypted on SPARC. Intel is little endian and SPARC big endian.
just some thoughts
regards
Pete Finnigan
www.pentest-limited.com
In article <u3d4tdwex.fsf_at_us.oracle.com>, Rick Wessman <Rick.Wessman_at_oracle.com> writes
>Hi:
>
>You can use the DBMS_OBFUSCATION_TOOLKIT package to encrypt them. It's not the
>same encryption method as that which is used to encrypt Oracle passwords (that
>method is proprietary), but it works just fine.
>
> Rick
>
>Dorian Szekely <enwass_at_web.de> writes:
>
>> Hi,
>>
>>
>> I program a web application connected with Oracle and I will store some
>> passwords in a user_table. Is there any function to encrypt such passwords?
>....
>> like in the sys.user$ table?
>>
>>
>> greetings
>>
>>
>> Dorian
>> --
>> __________________________________________________________
>> News suchen, lesen, schreiben mit http://newsgroups.web.de
>
--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office 01565 830 990
Fax 01565 830 889
Mobile 07974 087 885
pete.finnigan_at_pentest-limited.com
www.pentest-limited.com

Received on Tue Oct 09 2001 - 05:21:08 CDT
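The scheme Pete argues for above, a one-way transformation so that stored passwords cannot be decrypted even if an attacker reads the table and finds every key, looks like the following in application code. This is an added illustration, not code from the thread or from Oracle; it assumes the web application (not PL/SQL) does the hashing with Python's standard hashlib PBKDF2, and the `user_table` dictionary stands in for the user_table column Dorian asked about. There is no key to hide: the stored value is a salted, iterated hash, and login is verified by recomputing it.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Hypothetical storage format for the password column:
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 derived key>
# Self-describing, so iterations can be raised later without breaking old rows.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return the value to store in the password column.

    A fresh random salt per user means two users with the same password
    get different stored values, and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare.

    Nothing is decrypted; the only way to check a candidate is to run
    the same one-way function again.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record; never accept it
    iterations = int(parts[1])
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    # Constant-time comparison so a mismatch does not leak where it occurred.
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the user_table; in the real application this
# would be a column populated with hash_password() output.
user_table: Dict[str, str] = {}


def register(username: str, password: str) -> None:
    user_table[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    stored = user_table.get(username)
    if stored is None:
        # Still burn the same work so absent users are not distinguishable by timing.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("dorian", "correct horse battery staple")
    register("rick", "correct horse battery staple")
    print("same password, different rows:",
          user_table["dorian"] != user_table["rick"])
    print("login ok:", login("dorian", "correct horse battery staple"))
    print("login bad:", login("dorian", "wrong"))
```

A compromise of the table now yields only salted hashes, which is exactly the property Pete wants and which DES/3DES with a hidden key cannot give. The iteration count is the tunable cost; raise it over time and rehash on successful login, which the self-describing format makes possible.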