Re: ROLE PW Encryption

"DA Morgan" <damorgan_at_psoug.org> wrote in message news:1123022760.427191_at_yasure...
> Nicolas Bronke wrote:
>> I am searching for a special security problem and need a tip.
>>
>> In our application the oracle-user get at runtime a special role assigned
>> which is password protected. The normal user should not know this role
>> password.
>> Until now we are using an special password inside of our application
>> (delphi and jsp) where we are setting the none default role to the user
>> after connecting. But we would like to make the password more flexible.
>> That means the customer DBA should be able to change the password.
>>
>> Now we first thought about a password file alternative to a special
>> password table inside of oracle.meanwhile I am thinking the second
>> solution is the best, but where we should now implement the algorithym
>> for de and encrypting. Using the Oracle package functions has it charme,
>> but then the user can also access to the decryption algorithm and
>> therefore he could find out the password.
>>
>> Now, does there another way else to implement the algorithm inside of our
>> application?
>>
>> Thank you for helpful hints.
>>
>> Regards
>> Nicolas
>
> Put your decryption into a stored procedure and use the WRAP utility to
> obfuscate the code.
>
> www.psoug.org
> click on Morgan's Library
> click on WRAP
> --
> Daniel A. Morgan
> http://www.psoug.org
> damorgan_at_x.washington.edu
> (replace x with u to respond)

daniel,

what version of wrap is it that first obfuscates the string literals? prior to that version, the unencrypted password would be pretty easy to pull out of the wrapped code.

++ mcs Received on Tue Aug 02 2005 - 18:20:30 CDT