Newsgroups: comp.databases.oracle,comp.security.misc
From: dwing@uh01.colorado.edu (Dan Wing)
Subject: Re: Oracle password encryption algorithm?
Message-ID: <0096F1A7.6E0EE220@buckie>
Sender: news@colorado.edu (The Daily Planet)
Nntp-Posting-Host: buckie.hsc.colorado.edu
Reply-To: dwing@uh01.colorado.edu
Organization: University of Colorado Hospital Authority, Denver
References: <1993Jun30.154324.1@cissys> <1993Jul1.134033.1@cbr.hhcs.gov.au> <1993Jul2.213313.16282@exlog.com>,<1993Jul5.135313.1@hadassah.bitnet>
Date: Tue, 6 Jul 1993 23:02:12 GMT
Lines: 33


In article <1993Jul5.135313.1@hadassah.bitnet>, gur@hadassah.bitnet writes:
>In article <1993Jul2.213313.16282@exlog.com>, lparsons@exlog.com (Lee Parsons) writes:
>> In article <1993Jul1.134033.1@cbr.hhcs.gov.au> pihlab@cbr.hhcs.gov.au writes:
>>>In article <1993Jun30.154324.1@cissys>, trahan@cissys.read.tasc.com (Dave Trahan) writes:
>>>>
>>>> Does anyone know what algorithm Oracle uses to encrypt user passwords?
>>>
>>>Hopefully, only Oracle and it's well guarded.  If everyone knew the algorithm
>>>then there would be no point in having a password because the encrypted value
>>>is stored (visible) in the database and you could run a program to crack
>>>anyone's account.
> [. . .]
>
>Just compare the situation with the VMS passwords.
>Not only is the algorithm known, but there is even a system service to
>encrypt a string using it. However, the user authorization file is
>inaccessible to unprivileged mortals.

The primary strength of the VMS password encryption scheme isn't that the
ciphertext is protected from non-privileged users.

The primary strength is that the passwords are encrypted with a one-way
function; once the data (the password) has been encrypted, it cannot be
decrypted into its original form without a brute-force attack.  The fact that
the file containing the encrypted passwords is unavailable to non-privileged
users only prevents a non-privileged user from performing a brute-force
attack on the encrypted data.

-dan

(who knows only a little about most things, and even less about cryptography).

-Dan Wing, dwing@uh01.colorado.edu
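To make the one-way-function point above concrete, here is an added example (not Oracle's or VMS's actual scheme, neither of which the thread describes) in Python, assuming a modern salted PBKDF2 construction. The stored record never contains the password; whoever holds the file can only recompute the function on guesses, at a per-guess cost set by ITERATIONS, and the per-user salt means a guess confirmed against one record says nothing about another account.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: the cost of one guess, paid by the legitimate verifier and,
# equally, by anyone who has obtained a copy of the stored records.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted one-way hash; the plaintext is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record so the verifier can recompute the same function later.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Recompute the one-way function on a candidate and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    computed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def same_password_same_digest(record_a: str, record_b: str) -> bool:
    """True when two records share a digest, i.e. one confirmed guess would open both."""
    return record_a.split("$")[3] == record_b.split("$")[3]


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice = make_record("correct horse battery")
    bob = make_record("correct horse battery")
    print("alice record:", alice)
    print("verify right password:", verify(alice, "correct horse battery"))
    print("verify wrong password:", verify(alice, "Correct horse battery"))
    # Per-user salt: identical passwords still produce different stored values.
    print("shared digest:", same_password_same_digest(alice, bob))
```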

