Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: ops$/w2k/"secure" connections question

RE: ops$/w2k/"secure" connections question

From: Koivu, Lisa <lisa.koivu_at_efairfield.com>
Date: Fri, 17 Aug 2001 16:52:03 -0700
Message-ID: <F001.0036FF2C.20010817165024@fatcity.com> 









Thanks to Patrice, Paul and Eric for your responses.  I guess I'm not all that concerned about it.  It just seemed like it didn't quite make sense. 



I remember reading that excerpt about Oracle Password Protocol in the 8.1.6 doco as well.  




If anyone REALLY wants to hack into my Business Objects repository database... go right ahead!  I'm armed with two types of backups :)



Have a great weekend all.


Lisa





-----Original Message-----


From: Paul Drake


To: Multiple recipients of list ORACLE-L
Sent: 8/17/01 5:45 PM


Subject: Re: ops$/w2k/"secure" connections question






eric harrington wrote:


> 

> I must be missing something.  I have Oracle running without any

additional


> password security setup and the Oracle user passwords are encrypted.

I was


> checking an OCI login and SQL*Plus connection.  I have an Oracle white

paper


> that discusses this: Client/Server Authentication, Part A32479, April

1995.


> Excerpt follows (my tests confirmed what is indicated below - I had

some


> inconsistency with 7.x but in 8.x and higher this assertion is

correct).


> 

> Quote: "The Oracle Password Protocol provides security for

client-server and


> server-server password communication by encrypting user passwords

passed


> over a network. The Oracle Password Protocol uses a session key valid

for a


> single database connection attempt to encrypt the user's password.

Each


> connection attempt uses a separate key for encryption, making the

encryption


> more difficult to decipher. After the key-encrypted password is passed

to


> the server, the server decrypts it, then re-encrypts it using a Data

> Encryption Standard (DES) based one-way encryption algorithm and

compares it


> with the password stored in the database. If they match, the user

> successfully connects to the database. The Oracle Password Protocol is

used


> to encrypt all passwords upon an attempted connection - whether local

> connection, client to

> server, or server to server."

> 





Maybe that's why you have to check the box (on Technet before
downloading) saying that you won't ship the software off to Libya - as
it is classified as munitions.




Paul

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Paul Drake
  INET: paled_at_home.com


Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Fri Aug 17 2001 - 18:52:03 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US