Saturday, January 9, 2010

How to encrypt the password when connecting to the server?

QUESTIONS & ANSWERS
-------------------
1. Is my password encrypted when I logon?

Answer
------
Yes. The Oracle password protocol protects client-server and server-server
password exchange by encrypting passwords passed over the network. It uses a
session key, valid for a single database connection attempt, to encrypt the
user's password. Each connection attempt uses a separate key, which makes the
encrypted password harder to recover.

As of version 10.2, password encryption during session authentication is based
on the AES-128 standard, except for JDBC thin clients, which will support AES
as of 11g. Older clients use a modified Data Encryption Standard (DES)
algorithm; for backward compatibility, the strongest algorithm available to
both server and client is negotiated during the session handshake.

2. What about the parameters ora_encrypt_login and dblink_encrypt_login?

Do not use these parameters as of version 9.2; they have become obsolete. Some
documentation may still describe them as necessary, but the clear-text password
problems they addressed were all fixed as of Oracle version 7.1.

The password sent during a logon is ALWAYS encrypted, and has been since Oracle
7.1. The parameters addressed a different issue: when a 7.1 client connected to
a 7.0 server, which did no credential encryption, a second, unencrypted transfer
of the credentials was done by default. To specify whether this second
unencrypted transfer should happen, ora_encrypt_login was provided for logins by
a client and dblink_encrypt_login for logins over a database link. So the
parameters today would make sense only if a newer client connected to a 7.0
database. A 9.2 client cannot even connect to a 7.3 or lower database, so the
parameters are not needed: the second unencrypted transfer does not happen.

3. What encryption does Oracle use to store the passwords?

After the session-key-encrypted password reaches the server, the server decrypts
it, hashes it with a one-way algorithm, and compares the result with the password
hash stored in the data dictionary table USER$. If they match, the user is
connected to the database. Before 11g a proprietary, DES-based, one-way
(irreversible) algorithm was used. In 11g this case-insensitive password hashing
algorithm was replaced by the 160-bit SHA-1 hashing algorithm, in better
alignment with industry standards.
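As an added illustration of the 11g-style SHA-1 verifier described above (example code, not part of the original note): the layout assumed here is the widely documented "S:" form, a SHA-1 digest over the password bytes followed by a 10-byte salt, both stored as upper-case hex. It shows why the 11g hash is salted and case-sensitive, unlike the older DES-based one.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 10  # assumed: 11g "S:" verifiers carry a 10-byte salt


def make_11g_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Build an 11g-style verifier: 'S:' + hex(SHA1(password || salt)) + hex(salt).

    The byte layout is our reading of the documented format, not taken from this page.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "S:" + (digest + salt).hex().upper()


def verify_11g(password: str, verifier: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time.

    Mirrors what the server does after decrypting the password it received:
    it never reverses the stored hash, it recomputes and compares.
    """
    if not verifier.startswith("S:") or len(verifier) != 2 + 2 * (20 + SALT_LEN):
        return False
    try:
        raw = bytes.fromhex(verifier[2:])
    except ValueError:
        return False  # malformed verifier, not hex
    stored_digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    """Constructed example: a fixed salt so the run is reproducible."""
    salt = bytes(range(1, SALT_LEN + 1))
    v = make_11g_verifier("Tiger", salt)
    return {
        "verifier": v,
        "same_case": verify_11g("Tiger", v),   # True
        "other_case": verify_11g("TIGER", v),  # False: SHA-1 form is case-sensitive
    }


if __name__ == "__main__":
    print(demo())
```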

Goal: How To Ensure Oracle Encrypts Passwords Transferred from a Remote Client
Fix:

Passwords sent over Net8 are encrypted by default. Password encryption was
introduced in release 7.1; prior to Oracle 7.1 passwords could be passed in
clear text. To disable that clear-text fallback, set ORA_ENCRYPT_LOGIN=true.

Set ora_encrypt_login=true:
- On MS Windows, put an entry in the registry.
- On UNIX boxes, create an environment variable.

These parameters, ora_encrypt_login and dblink_encrypt_login, are not
applicable from 9i onwards, so setting them for 9i onwards is not supported.

The above information is collected from oracle metalink.
