Oracle FAQ Your Portal to the Oracle Knowledge Grid


Re: Passwords and authentication

From: Arup Nanda <>
Date: Thu, 19 Jun 2003 11:44:49 -0700

Thanks for bringing it up. In my book I will cover the VPD (virtual private database) in detail and will explain how to use the application user model in building a secure authentication and authorization model. Label security is nothing but a specialized tool based on the more general VPD. Most security-conscious organizations will probably like VPD more as it provides more flexibility in defining who sees what. OLS is narrower in focus, a carry-over from the old CIA project where each record in a table was treated like a file with a security level and persons were assigned clearance levels. The check was whether the user's clearance is greater than or equal to the record's (or the document's) clearance. The authorization requirements were simple.
Most real-life systems will most likely have different and more complex requirements, though. Instead of plain simple levels, your records will have to be verified against a lot of parameters. For instance, in your database (Oxford Health), you may have a senior business analyst (John Napoli) with authorization to see claims that are (i) from a list of providers he is approved to see, (ii) below $10000, (iii) for procedure codes that are not protected by HIPAA's protected health information, and perhaps a lot more. This is not as simple as assigning a level to a row, but rather a complicated set of WHERE conditions applied at run time. VPD addresses that issue. Along with application context, you will have the toolbox to build a complete iron-clad authentication and authorization system.
Hope this helps.
Arup Nanda
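As an added illustration (not part of Arup's message or the Oracle-L thread), here is how the three analyst conditions above can be expressed as a VPD policy driven by an application context. The APP schema, the CLAIMS, ANALYST_PROVIDERS and PHI_PROC_CODES tables, the CLAIMS_CTX context and the package names are assumptions for the example, and every session querying CLAIMS is assumed to be an analyst listed in ANALYST_PROVIDERS.

```sql
-- Added example (not from the thread). Assumed objects, all in schema APP:
-- CLAIMS(PROVIDER_ID, AMOUNT, PROC_CODE), ANALYST_PROVIDERS(APP_USER, PROVIDER_ID),
-- PHI_PROC_CODES(PROC_CODE).

-- 1. Application context writable only through its trusted package.
CREATE OR REPLACE CONTEXT claims_ctx USING app.claims_ctx_pkg;

CREATE OR REPLACE PACKAGE app.claims_ctx_pkg AS
  PROCEDURE set_app_user(p_app_user IN VARCHAR2);
END claims_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app.claims_ctx_pkg AS
  PROCEDURE set_app_user(p_app_user IN VARCHAR2) IS
  BEGIN
    -- Only this package may set CLAIMS_CTX, so the policy can trust the value.
    DBMS_SESSION.SET_CONTEXT('CLAIMS_CTX', 'APP_USER', UPPER(p_app_user));
  END set_app_user;
END claims_ctx_pkg;
/

-- 2. Policy function: returns the predicate Oracle appends to every query.
CREATE OR REPLACE FUNCTION app.claims_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  -- No application user identified: deny all rows rather than fail open.
  IF SYS_CONTEXT('CLAIMS_CTX', 'APP_USER') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  RETURN 'provider_id IN (SELECT provider_id FROM app.analyst_providers '
      || 'WHERE app_user = SYS_CONTEXT(''CLAIMS_CTX'', ''APP_USER'')) '
      || 'AND amount < 10000 '
      || 'AND proc_code NOT IN (SELECT proc_code FROM app.phi_proc_codes)';
END claims_policy;
/

-- 3. Attach the policy to the table (statement_types can be widened).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CLAIMS',
    policy_name     => 'CLAIMS_ANALYST_POLICY',
    function_schema => 'APP',
    policy_function => 'CLAIMS_POLICY',
    statement_types => 'SELECT');
END;
/

-- 4. The application identifies its user at session start; later SELECTs on
--    APP.CLAIMS are transparently rewritten with the predicate above.
EXEC app.claims_ctx_pkg.set_app_user('JOHN.NAPOLI');
```

Because the predicate reads the user from SYS_CONTEXT rather than embedding it as a literal, the policy function returns the same string for every session and the rewritten query stays shareable in the cursor cache.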


  To: Multiple recipients of list ORACLE-L
  Sent: Thursday, June 19, 2003 12:45
  Subject: RE: Passwords and

  There is also the label security option which is present on the Enterprise Edition CD. That would alleviate the need for manual encryption because the table cannot be seen unless there is sufficient security clearance. Also, logging in from SQL*Plus can be disabled from the USER_PRODUCT_PROFILE. Connected to that, is anybody on this list using label security? Does anybody have experience with it? Arup, you are writing a book about security in Oracle 9.2 and I hope that you will cover label security.
  Mladen Gogala
  Oracle DBA
  Phone: (203) 459-6855
  Email: [EMAIL PROTECTED]

    -----Original Message-----
    From: Arup Nanda [mailto:[EMAIL PROTECTED]]
    Sent: Thursday, June 19, 2003 12:15 PM
    To: Multiple recipients of list ORACLE-L
    Subject: Re: Passwords and authentication

    My first question will be how you would want to pass the encrypted password. sqlplus <username>/<encryptedpass>? But won't the encrypted password be known before making the connection? If so, then the user who will encrypt the password will also know how to decrypt them. What's the advantage in doing that?

    Are you concerned that someone sniffing the network uncovers a clear password? If so, have you considered network security with password encryption by Oracle Net?

    If that is not the concern but rather you don't want the users to know the real password, here is a solution you might be interested in. It's part of an elaborate application security design. Please read on if you are interested.

    You would have a user called SECUSER with only the table APP_USERS. The table has two columns - APP_USER and APP_PASS, stored in encrypted form with Triple DES encryption. The user also has one function

      Is it possible to connect to the database using encrypted passwords? Using sqlplus?
      Thanks
      Raj
      Rajendra dot Jamadagni at nospamespn dot com
      All views expressed in this email are strictly personal.
      QOTD: Any clod can have facts, having an opinion is an art!
Received on Thu Jun 19 2003 - 13:44:49 CDT
