Re: Oracle password encryption algorithm?

From: Bob Baldwin <baldwin_at_lat.com>
Date: Thu, 8 Jul 1993 21:49:12 GMT
Message-ID: <C9v8M1.FMC_at_lat.com>


Dave Trahan wants to know the Oracle password algorithm so he can check for weak passwords. When I was the project lead for Trusted Oracle I designed the new password algorithm that is used in versions 6, 7, and later. I presented the details at a Bay Area Trusted System Symposium so I am not revealing any information that is not already in the public domain. Here are some of the details as I remember them.

Design Goals:
1. Must work with all terminals.

===> Some terminals do not have lowercase letters, so
        the password algorithm ignores differences between
        upper and lower case!!!  The passwords "Tiger"
        and "tiger" map to the same value.

2. Must support usernames and passwords that include non-ascii
   characters.

        The username and password are converted to
        16 bit per character representation before any processing
        is done.  Ascii characters have the high byte zeroed.

3. If different users have the same password, then the one-way
   hash value (encrypted value) for the passwords will be different.

4. Long passwords are supported.

        I believe that usernames and passwords can both be 40 chars.

Implementation:
1. Upshift password, convert to 16bits per character, and place
   result left justified in an 80 byte array of zeros.

2. Using DES in cipher block feedback mode compute the CBC checksum for
   the 80 byte password array using a fixed secret password (you can find
   it in the code if you look hard enough). The result is used as the
   key for the next step ignoring parity bits to produce a 56 bit
   key from the CBC.

3. Upshift password, and convert to 16bits per character, and place
   result left justified in an 80 byte array of zeros.

4. Using DES in cipher block feedback mode compute the CBC checksum
   for the 80 byte username array using the key generated in step 2.

5. Convert the CBC checksum from step 4 into a printable string with
   the obvious algorithm.

		--Bob Baldwin
Director of Development
Los Altos Technologies, Inc.
baldwin_at_lat.com

We provide the best solutions to our customers' key security problems.
Received on Thu Jul 08 1993 - 23:49:12 CEST
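Bob's two-stage DES construction, written out as an added Go example that is not from the post or from Oracle. It follows the Oracle 7 to 10g reconstruction later published by Wright and Cid (2005), which concatenates username and password into one zero-padded 16-bit buffer instead of two separate 80 byte arrays; the fixed first-stage key 0x0123456789ABCDEF and the SCOTT/TIGER vector F894844C34402B67 are assumptions taken from that reconstruction, not from the post.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"strings"
	"unicode/utf16"
)

// Fixed first-stage key (assumption from the public reconstruction, not in the post).
var fixedKey = []byte{0x01, 0x23, 0x45, 0x89 - 0x22, 0x89, 0xAB, 0xCD, 0xEF}

// encode16 upshifts s (step 1: "Tiger" and "tiger" become the same), converts
// each character to a big-endian 16-bit value (ASCII gets a zero high byte)
// and zero-pads the buffer to a whole number of DES blocks.
func encode16(s string) []byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(strings.ToUpper(s))) {
		buf = append(buf, byte(u>>8), byte(u))
	}
	for len(buf)%des.BlockSize != 0 || len(buf) == 0 {
		buf = append(buf, 0)
	}
	return buf
}

// cbcMAC runs DES in CBC mode with a zero IV and keeps only the final block.
func cbcMAC(key, data []byte) []byte {
	block, err := des.NewCipher(key) // DES ignores the key's parity bits itself
	if err != nil {
		panic(err) // unreachable: both keys used here are exactly 8 bytes
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:]
}

// OracleHash returns the 16 hex-digit Oracle 7-10g hash: the first CBC pass
// under the fixed key yields a per-user key (step 2), the second pass under
// that key yields the stored value (step 4), printed as upper-case hex (step 5).
func OracleHash(username, password string) string {
	data := encode16(username + password)
	key2 := cbcMAC(fixedKey, data)
	final := cbcMAC(key2, data)
	return strings.ToUpper(hex.EncodeToString(final))
}
```

Because the username is folded into the input, SCOTT and SYSTEM with the same password get different stored values (design goal 3), which is why a weak-password audit must recompute the hash per user rather than comparing hashes across accounts.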