| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> Re: Passwords and authentication
Raj,
My first question will be how you
would want to pass the encrypted password. sqlplus
<username>/<encyptedpass>? But won't the encrypted password be known
before making the connection? If so, then the user who will encrypt the password
will also know how to decrypt them. What's the advantage in doing
that?
Are you concerned someone sniffing the network
uncovers a clear password? If so, have you considered network security with
password encryption by Oracle Net?
If that is not the concern but rather you don't
want the users to know the real password, here is a solution you might be
interested. It's part of a elaborate application security design. Please read on
if you are interested.
You would have user called SECUSER with only table
APP_USERS. The table has two columns - APP_USER and APP_PASS, in encrypted
manner, with Triple DES Encryption. The user also has one function -
check_app_password, which accepts two parameters - the userid and the password
and returns a string. The return value is YES is the password supplied is
correct and NO, if it isn't. It does not shw the correct password, ever; just
shows if the supplied password is correct or not. This function is defined as
DEFINER rights. All users get an execute privilege on this function, nothing
else on the rest of the objects of the SECUSER user.
Inside the function, the password is retrieved from
the table, decrypted with the key inside the procedure and matched with the
supplied one. Another function is provided to encrypt the password using teh
same key. For more ecurity, the userid and password combination can encrypted,
not just the password. If you want I can give you the code for the
functions.
When the app user connects, the connection is done
through a generic id, that, after the conenction, validates the password using
the function and authenticates the user. If the password is not correct, the
user is booted out.
Now comes other issues - fine grained access
control and fine grained auditing. These features need to have a sepcific named
database user. However, that can be easily fixed by setting up an application
context and passing the app_user value to a context attribute. This attribute
can now be tracked, rather than the userid.
Hope this helps.
Arup Nanda
<A
href="http://www.proligence.com">www.proligence.com
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
Sent: Thursday, June 19, 2003 9:19
AM
Subject: Passwords and
authentication
Is it possible to connect to database using
encrypted passwords? Using sqlplus?
Thanks <FONT face="Courier New"
size=2>Raj <FONT face="Courier New"
size=2>--------------------------------------------------------------------------------Rajendra dot Jamadagni at nospamespn dot com All Views expressed in this
 |
 |