Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Passwords and authentication

RE: Passwords and authentication

From: Gogala, Mladen <>
Date: Thu, 19 Jun 2003 09:56:34 -0700
Message-ID: <>

is also label security option which is present on Enterprise Edition CD. That would
class=375194415-19062003>alleviate the need for manual encryption because the table cannot be seen unless there is
class=375194415-19062003>sufficient security clearance. Also, logging in from SQL*Plus can be disabled from the USER_PRODUCT_PROFILE. Connected to that, is anybody on this list using label
class=375194415-19062003>security? Does anybody have experience with it? Arup, you are writing a book about security
Oracle 9.2  and I hope that you will cover label security.
Mladen Gogala <FONT face=Arial
size=2>Oracle DBA Phone:(203) 459-6855

  <FONT face=Tahoma
  size=2>-----Original Message-----From: Arup Nanda   [mailto:[EMAIL PROTECTED]Sent: Thursday, June 19, 2003 12:15   PMTo: Multiple recipients of list ORACLE-LSubject: Re:   Passwords and authentication

  My first question will be how you
  would want to pass the encrypted password. sqlplus   <username>/<encyptedpass>? But won't the encrypted password be   known before making the connection? If so, then the user who will encrypt the   password will also know how to decrypt them. What's the advantage in doing   that?

  Are you concerned someone sniffing the network   uncovers a clear password? If so, have you considered network security with   password encryption by Oracle Net?

  If that is not the concern but rather you don't   want the users to know the real password, here is a solution you might be   interested. It's part of a elaborate application security design. Please read   on if you are interested.

  You would have user called SECUSER with only   table APP_USERS. The table has two columns - APP_USER and APP_PASS, in   encrypted manner, with Triple DES Encryption. The user also has one function -   check_app_password, which accepts two parameters - the userid and the password   and returns a string. The return value is YES is the password supplied is   correct and NO, if it isn't. It does not shw the correct password, ever; just   shows if the supplied password is correct or not. This function is defined as   DEFINER rights. All users get an execute privilege on this function, nothing   else on the rest of the objects of the SECUSER user.

  Inside the function, the password is retrieved   from the table, decrypted with the key inside the procedure and matched with   the supplied one. Another function is provided to encrypt the password using   teh same key. For more ecurity, the userid and password combination can   encrypted, not just the password. If you want I can give you the code for the   functions.

  When the app user connects, the connection is   done through a generic id, that, after the conenction, validates the password   using the function and authenticates the user. If the password is not correct,   the user is booted out.

  Now comes other issues - fine grained access   control and fine grained auditing. These features need to have a sepcific   named database user. However, that can be easily fixed by setting up an   application context and passing the app_user value to a context attribute.   This attribute can now be tracked, rather than the userid.

  Hope this helps.

  Arup Nanda
  href="">   <BLOCKQUOTE dir=ltr
  style="BORDER-LEFT: #000000 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px; PADDING-RIGHT: 0px">

    Is it possible to connect to database     using encrypted passwords? Using sqlplus?     Thanks <FONT
    face="Courier New" size=2>Raj <FONT face="Courier New"

    Rajendra dot Jamadagni at nospamespn dot     com All Views expressed in this
    email are strictly personal. <FONT face="Courier New"     size=2>QOTD: Any clod can have facts, having an opinion is an art !      Received on Thu Jun 19 2003 - 11:56:34 CDT

Original text of this message