Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: Passwords and authentication

From: Gogala, Mladen <MGogala_at_oxhp.com>
Date: Thu, 19 Jun 2003 12:16:02 -0700
Message-ID: <F001.005B56B9.20030619115919@fatcity.com>

Bummer! I was hoping for a commission from Oracle!

Mladen Gogala
Oracle DBA
Phone: (203) 459-6855
Email: [EMAIL PROTECTED]

  -----Original Message-----
  From: Jamadagni, Rajendra [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, June 19, 2003 3:18 PM
  To: Multiple recipients of list ORACLE-L
  Subject: RE: Passwords and authentication
  Label Security = $$$$$$$$$$$$$$$$

  Sometimes we need to compile forms against the production instance (please don't ask) to resolve some really stupid issues. When compiling, the form has to be compiled with the schema owner (again, don't ask). As the production schemas are locked down, we need a way to connect to compile. I do not want to set up an elaborate scheme as mentioned by Arup, because this will _NOT_ be a regular feature.

  This all came into the picture because of the new release mechanism that we are testing ... you check a form into PVCS; as it gets promoted to R_F_P, the DBAs would check it out, compile it and release it. And all three processes will be managed by event triggers in PVCS. The main use of an encrypted connection to the db is to compile forms and reports (from the Windows platform).

  Ok well, seems like a bit of an impossible task to me ... to connect using the encrypted value from the dba_users view.
  Thanks for the ideas though ...
  Raj
  --------------------------------------------------------------------------------
  Rajendra dot Jamadagni at nospamespn dot com
  All Views expressed in this email are strictly personal.
  QOTD: Any clod can have facts, having an opinion is an art!

    -----Original Message-----
    From: Gogala, Mladen [mailto:[EMAIL PROTECTED]]
    Sent: Thursday, June 19, 2003 12:45 PM
    To: Multiple recipients of list ORACLE-L
    Subject: RE: Passwords and authentication

    There is also the Label Security option, which is present on the Enterprise Edition CD. That would alleviate the need for manual encryption because the table cannot be seen unless there is sufficient security clearance. Also, logging in from SQL*Plus can be disabled from the USER_PRODUCT_PROFILE. Connected to that, is anybody on this list using Label Security? Does anybody have experience with it? Arup, you are writing a book about security in Oracle 9.2 and I hope that you will cover Label Security.

    Mladen Gogala
    Oracle DBA
    Phone: (203) 459-6855
    Email: [EMAIL PROTECTED]

      -----Original Message-----
      From: Arup Nanda [mailto:[EMAIL PROTECTED]]
      Sent: Thursday, June 19, 2003 12:15 PM
      To: Multiple recipients of list ORACLE-L
      Subject: Re: Passwords and authentication

      Raj,

      My first question will be how you would want to pass the encrypted password. sqlplus <username>/<encryptedpass>? But won't the encrypted password be known before making the connection? If so, then the user who will encrypt the password will also know how to decrypt them. What's the advantage in doing that?

      Are you concerned someone sniffing the network uncovers a clear password? If so, have you considered network security with password encryption by Oracle Net?

      If that is not the concern but rather you don't want the users to know the real password, here is a solution you might be interested in. It's part of an elaborate application security design. Please read on if you are interested.

      You would have a user called SECUSER with only one table, APP_USERS. The table has two columns - APP_USER and APP_PASS, stored in encrypted form with Triple DES encryption. The user also has one function - check_app_password, which accepts two parameters - the userid and the password - and returns a string. The return value is YES if the password supplied is correct and NO if it isn't. It does not show the correct password, ever; it just shows whether the supplied password is correct or not. This function is defined with DEFINER rights. All users get an execute privilege on this function, and nothing else on the rest of the objects of the SECUSER user.

      Inside the function, the password is retrieved from the table, decrypted with the key inside the procedure and matched with the supplied one. Another function is provided to encrypt the password using the same key. For more security, the userid and password combination can be encrypted, not just the password. If you want I can give you the code for the functions.

      When the app user connects, the connection is done through a generic id that, after the connection, validates the password using the function and authenticates the user. If the password is not correct, the user is booted out.

      Now come other issues - fine grained access control and fine grained auditing. These features need to have a specific named database user. However, that can be easily fixed by setting up an application context and passing the app_user value to a context attribute. This attribute can now be tracked, rather than the userid.

      Hope this helps.

      Arup Nanda
      www.proligence.com
        ----- Original Message -----
        From: Jamadagni, Rajendra <[EMAIL PROTECTED]>
        To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
        Sent: Thursday, June 19, 2003 9:19 AM
        Subject: Passwords and authentication

        Is it possible to connect to the database using encrypted passwords? Using sqlplus?
        Thanks
        Raj
        --------------------------------------------------------------------------------
        Rajendra dot Jamadagni at nospamespn dot com
        All Views expressed in this email are strictly personal.
        QOTD: Any clod can have facts, having an opinion is an art!
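Editor's added example, not code from the thread or from Arup Nanda: a PL/SQL sketch of the SECUSER design he describes (one table, a DEFINER-rights checker that only ever answers YES or NO, an application context carrying the real app user, and a fine grained access control policy keyed on that context). It targets Oracle 9.2, so it uses DBMS_OBFUSCATION_TOOLKIT for Triple DES; the key value, the package name SEC_PKG, the context name APP_CTX, the role APP_ROLE and the APPOWNER.ORDERS table are assumptions made for the illustration. Only SECUSER, APP_USERS, APP_USER/APP_PASS and check_app_password come from the message.

```sql
-- Added example (not from the thread). Assumed names: SEC_PKG, APP_CTX,
-- APP_ROLE, APPOWNER.ORDERS and the key constant. ASCII user ids and
-- passwords are assumed so character and byte lengths agree.

-- 1. Objects owned by SECUSER (run as SECUSER).
CREATE TABLE app_users (
  app_user VARCHAR2(30) PRIMARY KEY,
  app_pass RAW(256)     NOT NULL   -- 3DES ciphertext of user||':'||password
);

CREATE OR REPLACE PACKAGE sec_pkg AUTHID DEFINER AS
  FUNCTION encrypt_pass(p_user IN VARCHAR2, p_pass IN VARCHAR2) RETURN RAW;
  FUNCTION check_app_password(p_user IN VARCHAR2, p_pass IN VARCHAR2)
    RETURN VARCHAR2;               -- 'YES' or 'NO', never the stored value
  FUNCTION orders_pred(p_schema IN VARCHAR2, p_obj IN VARCHAR2) RETURN VARCHAR2;
END sec_pkg;
/

CREATE OR REPLACE PACKAGE BODY sec_pkg AS
  -- Assumed key; 16 bytes selects two-key 3DES, the toolkit's default mode.
  -- Callers with EXECUTE see only the spec; wrap the body before deploying.
  c_key CONSTANT RAW(16) := UTL_RAW.CAST_TO_RAW('0123456789ABCDEF');

  -- 3DES works on 8-byte blocks, so pad the plaintext with spaces
  -- (trailing spaces in a password are therefore not supported).
  FUNCTION pad8(p_text IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN UTL_RAW.CAST_TO_RAW(RPAD(p_text, CEIL(LENGTHB(p_text) / 8) * 8, ' '));
  END pad8;

  -- Encrypt user and password together, as the message suggests, so that a
  -- ciphertext is bound to its own row and cannot be copied to another user.
  FUNCTION encrypt_pass(p_user IN VARCHAR2, p_pass IN VARCHAR2) RETURN RAW IS
    l_plain  RAW(256) := pad8(UPPER(p_user) || ':' || p_pass);
    l_cipher RAW(256);
  BEGIN
    DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(l_plain, c_key, l_cipher);  -- input, key, encrypted_data
    RETURN l_cipher;
  END encrypt_pass;

  FUNCTION check_app_password(p_user IN VARCHAR2, p_pass IN VARCHAR2)
    RETURN VARCHAR2 IS
    l_stored RAW(256);
    l_plain  RAW(256);
  BEGIN
    SELECT app_pass INTO l_stored FROM app_users WHERE app_user = UPPER(p_user);
    DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(l_stored, c_key, l_plain);  -- input, key, decrypted_data
    IF RTRIM(UTL_RAW.CAST_TO_VARCHAR2(l_plain)) = UPPER(p_user) || ':' || p_pass THEN
      -- Record who this session really is; FGAC and auditing key off this
      -- attribute instead of the shared database account.
      DBMS_SESSION.SET_CONTEXT('app_ctx', 'app_user', UPPER(p_user));
      RETURN 'YES';
    END IF;
    RETURN 'NO';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN 'NO';  -- unknown user answers like a bad password
  END check_app_password;

  -- Row-level security predicate: each app user sees only rows they own.
  FUNCTION orders_pred(p_schema IN VARCHAR2, p_obj IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN 'owner = SYS_CONTEXT(''app_ctx'', ''app_user'')';
  END orders_pred;
END sec_pkg;
/

-- Only the package is exposed; APP_USERS itself stays private to SECUSER.
GRANT EXECUTE ON sec_pkg TO app_role;

-- 2. Done once by a DBA: APP_CTX can only be set from SECUSER.SEC_PKG, and
--    APPOWNER.ORDERS is filtered by the predicate above.
CREATE CONTEXT app_ctx USING secuser.sec_pkg;
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema   => 'APPOWNER',
                      object_name     => 'ORDERS',
                      policy_name     => 'orders_by_app_user',
                      function_schema => 'SECUSER',
                      policy_function => 'SEC_PKG.ORDERS_PRED');
END;
/

-- 3. Enrolment (as SECUSER), then the check an application makes right after
--    connecting through the generic database id; it disconnects on 'NO'.
INSERT INTO app_users VALUES ('RAJ', sec_pkg.encrypt_pass('RAJ', 'example-pass'));
SELECT secuser.sec_pkg.check_app_password('RAJ', 'example-pass') AS ok FROM dual;
```

Two things to keep in mind when reading this against the thread: the stored value is reversible by design (the checker must decrypt it), so the key in the package body is the whole secret and the body should be wrapped and kept out of source control; on 10g and later a salted one-way hash via DBMS_CRYPTO.HASH, compared inside the same DEFINER-rights function, gives the same YES/NO interface without any decryptable password at rest. And because every session arrives as the generic account, the application context attribute set in check_app_password is the only reliable record of which person is acting, so audit and FGAC policies should reference it rather than USER.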
Received on Thu Jun 19 2003 - 14:16:02 CDT
