Re: ROLE PW Encryption

>> Now we first thought about a password file alternative to a special
>> password table inside of oracle.meanwhile I am thinking the second
>> solution is the best, but where we should now implement the algorithym
>> for de and encrypting. Using the Oracle package functions has it charme,
>> but then the user can also access to the decryption algorithm and
>> therefore he could find out the password.
>>
>> Now, does there another way else to implement the algorithm inside of our
>> application?
>>
>
> Put your decryption into a stored procedure and use the WRAP utility to
> obfuscate the code.
>

Meanwhile I believe this cannot work if the crypting algorythm is implemented on oracle side.
In your example, which you written later, the user can read the password because he has to be able to execute this function. But then he is able to set the role. But he should not be able to enable this specific role itself. (set role rolename identified by password)

Therefore I believe, that the cryptedpassword can be stored on the database. But the algorithm for decoding the password should be in the application and not on the database.

I am right?

Regards
Nicolas Received on Wed Aug 03 2005 - 06:30:08 CDT