Mark C. Stock wrote:
> "DA Morgan" <damorgan_at_psoug.org> wrote in message
> news:1123022760.427191_at_yasure...
>
>>Nicolas Bronke wrote:
>>
>>>I am searching for a special security problem and need a tip.
>>>
>>>In our application the Oracle user gets at runtime a special role assigned
>>>which is password protected. The normal user should not know this role
>>>password.
>>>Until now we are using a special password inside of our application
>>>(Delphi and JSP) where we are setting the non-default role to the user
>>>after connecting. But we would like to make the password more flexible.
>>>That means the customer DBA should be able to change the password.
>>>
>>>Now we first thought about a password file as an alternative to a special
>>>password table inside of Oracle. Meanwhile I am thinking the second
>>>solution is the best, but where should we now implement the algorithm
>>>for decrypting and encrypting? Using the Oracle package functions has its charm,
>>>but then the user can also access the decryption algorithm and
>>>therefore he could find out the password.
>>>
>>>Now, is there another way to implement the algorithm inside of our
>>>application?
>>>
>>>Thank you for helpful hints.
>>>
>>>Regards
>>>Nicolas
>>
>>Put your decryption into a stored procedure and use the WRAP utility to
>>obfuscate the code.
>>
>>www.psoug.org
>>click on Morgan's Library
>>click on WRAP
>>--
>>Daniel A. Morgan
>>http://www.psoug.org
>>damorgan_at_x.washington.edu
>>(replace x with u to respond)
>
>
> daniel,
>
> what version of wrap is it that first obfuscates the string literals? prior
> to that version, the unencrypted password would be pretty easy to pull out
> of the wrapped code.
>
> ++ mcs
10g but there are workarounds going all the way back.
For example:

DECLARE
  x VARCHAR2(20) := 'PWD';
BEGIN
  SELECT x || ' fooled you ' || x
  INTO x
  FROM dual;
END;
/

Just takes a bit of creativity.
--
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)
Received on Tue Aug 02 2005 - 18:37:31 CDT