Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Oracle-L: RE: Restricting access via sqlplus
The problem is that if the decryption and set role were done inside a database package, then that means that the Oracle database user needs execute privilege on the package, and so the user could call the package from inside SQL*Plus on the client.
At my old company they were talking about encrypting the network traffic but I left before they implemented that, and I don't know if they ever did.
> -----Original Message-----
> From: Pete Finnigan [mailto:oracle_list_at_peterfinnigan.demon.co.uk]
>
> It sounds like the encrypted password is read by the client? and
> decrypted on the client? or in the database as a package procedure?
> If it was decrypted in the client and then the set role command was
> sent to the database the password could be read from the network with
> a tool such as snoop on Unix or using SQL*Net support level trace as
> that shows packet contents in the SQL trace. The latter could be set
> up by a user on his PC to attempt a logon to the database and then
> read the password from the trace file.
>
> If the decryption and set role were to be done in a package and the
> password is not passed over the network then it's better. You could
> also encrypt the network traffic of course. But as you say there is
> still a risk from someone discovering the encryption scheme.
--
Author: Jacques Kilchoer
INET: Jacques.Kilchoer_at_quest.com
Received on Thu Jul 10 2003 - 16:44:27 CDT