Re: Question re security

From: Nuno Souto <dbvision_at_iinet.net.au>
Date: Tue, 21 Jan 2014 22:52:11 +1100
Message-ID: <52DE5F6B.6060904_at_iinet.net.au>



Thanks a lot for the detail, David.
Very interesting that the password is not sent as clear text by default anymore.
Excellent stuff. I'll definitely keep it in mind.
-- 
Cheers
Nuno Souto
dbvision_at_iinet.net.au


On 21/01/2014 1:32 PM, david_at_databasesecurity.com wrote:

> Here you go:
>
> The server takes the supplied username and checks if it is a valid
> user. If it is not, the server sends a "login denied" error to the
> client. We'll come back to this shortly. If the username does exist
> then the server extracts the user's password hash from the database.
> The server uses this hash to create a secret number. The secret number
> is created as follows: the server calls the slgdt() function in the
> orageneric library. This function essentially gets the system time.
> The minutes, hours, milliseconds and seconds, all stored as a WORD, are
> joined to form the 8 bytes of "text" to be encrypted. The first 4
> bytes of the key to be used in the encryption are the minutes and hours
> XORed with the last four bytes of the user's hex password hash; the
> last four bytes of the key are made up from the milliseconds and the
> seconds XORed with the first 4 bytes of the user's hex password hash.
> This key is used to encrypt the text by calling the kzsrenc() function
> in the oracommon library. This function basically performs DES key
> scheduling using the lncgks() function and then uses the lncecb()
> function to output the cipher text using DES in ECB mode.
>
... -- http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 21 2014 - 12:52:11 CET
