Tarek, October 06, 2003 - 11:39 am UTC
As far as I know the password is not encrypted when a user tries to connect to the database using the Net8 layer, right?
I know that to encrypt network connection the Advanced Security "option" of enterprise edition should be used.
Am I wrong?
Is it enough to put ORA_ENCRYPT_LOGIN = True in the client machine?
So what do you mean with
"Today, passwords are encrypted by default"
When are they encrypted by default?
Thanks
Tarek
October 06, 2003 - 1:33 pm UTC
yes it is.
passwords are encrypted BY DEFAULT using net8 -- meaning, you need to do nothing, install no additional software, just use it out of the box and the passwords are transmitted encrypted.
encryption
Spock, October 06, 2003 - 1:45 pm UTC
A reader, October 06, 2003 - 1:55 pm UTC
Tom, will the above really encrypt the connection between client and server? Is it part of 9ir2 EE?
BTW:
Gee, Dr. Spock... It's not Tarek, it's Sarek.
And "The force be with you" is from Star Wars, not Star Trek. The right greeting is "Live long and prosper!"
October 06, 2003 - 2:09 pm UTC
Dr. Spock wrote books on rearing human children. My mom used to read his stuff.
Mr. Spock -- he might have known Sarek :)
you need to do NOTHING, nada, nunca, to get the passwords encrypted. It just happens, has happened for many many many years.
You need to do NOTHING
A reader, October 06, 2003 - 2:22 pm UTC
Ok, Captain Tom ;)))))))
The parameters described by MISTER Spock are valid for the entire connection, right ?
Are they shipped with 9ir2 EE, after all -- or are they an "option" (bought separately), as they used to be part of the Advanced Networking Option ?
October 06, 2003 - 2:39 pm UTC
those parameters are for the Advanced Security Option (ASO)
they do it for the entire connection -- all data, not just the password.
not shipped with EE, ASO is a for fee option.
Was there ever a cleartext retry option?
Justin, October 07, 2003 - 5:53 pm UTC
Since Oracle 8 clients can communicate with an Oracle 7 database, is or was there a fallback path in the Net8 code where it would try with an unencrypted password, or did all versions of Oracle 7 accept the default Oracle 8 encrypted passwords?
October 07, 2003 - 6:24 pm UTC
well, only 7.3 was supported and it supported encrypted passwords (it's been a long long time..)
This was implemented in Oracle7 Release 7.1. If you use an old tool (i.e. a tool created with a prior version of the RDBMS libraries) the login routines will fall back to the old "send the password in clear text" mode. To prevent users from accidentally revealing their passwords in this way, the dba can set the ora_encrypt_login and dblink_encrypt_login variables to true. If this is done and the user attempts to login with an old tool, they will receive an error
Looks okay but.....
Jahudi, October 29, 2003 - 12:34 pm UTC
Tom,
Does this also count for a role password?
Thanks,
Jahudi
October 29, 2003 - 2:09 pm UTC
nope, that is just a dml statement -- you need ASO (advanced security) for encrypting the entire conversation
Mike, October 29, 2003 - 4:40 pm UTC
"
those parameters are for the Advanced Security Option (ASO)
they do it for the entire connection -- all data, not just the password.
not shipped with EE, ASO is a for fee option.
"
Please confirm: the login password is always encrypted without explicitly setting up Net8's ASO?
October 29, 2003 - 5:19 pm UTC
correct, the password you use to login with is encrypted regardless.
It is possible to encrypt the data stream even without ASO
Piotr Jarmuz, October 31, 2003 - 4:11 am UTC
Just in case someone would like to know...
If your client machine is UNIX, Linux or Windoze with unix emulation layer e.g. Cygwin then it is trivial to set up SSL encryption even without ASO.
1. Make sure that your database server is running ssh daemon (in the world of Unix this is standard).
2. Start ssh client on the client machine in local forwarding mode. For your convenience you may want to set up public key authentication before so that you don't need the passwords.
$> ssh -NfL 1521:localhost:1521 your.db.server
3. Edit tnsnames.ora file on the client to contain the entry like this:
SECURED_SERVER =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SID = your_original_server_sid)
    )
  )
4. Use sqlplus to test the connection:
$> sqlplus username/password@secured_server
5. Enjoy secure data flow :)
If your client is a "naked" Windows machine (without reasonable set of unix-like tools) it might even work but I have never tested...
October 31, 2003 - 7:57 am UTC
very nice! thanks!
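The pieces of Piotr's setup above, written out as an added example (not code from the thread or from Oracle): one function builds the ssh forwarding command, one writes the tnsnames.ora alias, and one checks that the alias can only reach the database through the tunnel. Function names, the alias, and the sample hostnames are this example's own. The check exists because an ADDRESS_LIST may carry several addresses; an extra ADDRESS naming the real server (added, say, for failover) would let the client silently fall back to an unencrypted Net8 session whenever the tunnel is down.

```python
# Added example (not from the thread or from Oracle): the pieces of an SSH
# local-forwarding setup for Net8 as small functions, plus a check that the
# resulting tnsnames.ora alias can only ever reach the database via the tunnel.
import re

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def ssh_tunnel_argv(db_server, local_port=1521, remote_port=1521, user=None):
    """argv for `ssh -NfL <local_port>:localhost:<remote_port> <db_server>`.

    -N: run no remote command, -f: go to the background, -L: local forward.
    `localhost` in the forward spec is resolved on the *server*, so the
    listener must be reachable on the server's own loopback interface.
    """
    target = f"{user}@{db_server}" if user else db_server
    return ["ssh", "-NfL", f"{local_port}:localhost:{remote_port}", target]


def tunnel_tns_entry(alias, sid, local_port=1521):
    """A tnsnames.ora entry whose only ADDRESS is the local end of the tunnel."""
    return (
        f"{alias} =\n"
        "  (DESCRIPTION =\n"
        "    (ADDRESS_LIST =\n"
        f"      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = {local_port}))\n"
        "    )\n"
        "    (CONNECT_DATA =\n"
        f"      (SID = {sid})\n"
        "    )\n"
        "  )\n"
    )


def hosts_in_tns_entry(entry):
    """Every HOST value in an entry (an ADDRESS_LIST may carry several)."""
    return re.findall(r"\(\s*HOST\s*=\s*([^\s()]+)\s*\)", entry, flags=re.IGNORECASE)


def uses_only_tunnel(entry):
    """True when every ADDRESS points at the loopback, i.e. at the tunnel.

    A second ADDRESS naming the real server would let the client fall back
    to a direct, unencrypted Net8 connection, so any such entry is rejected.
    """
    hosts = hosts_in_tns_entry(entry)
    return bool(hosts) and all(h.lower() in LOOPBACK_HOSTS for h in hosts)


if __name__ == "__main__":
    print(" ".join(ssh_tunnel_argv("your.db.server")))
    entry = tunnel_tns_entry("SECURED_SERVER", "your_original_server_sid")
    print(entry)
    print("tunnel-only:", uses_only_tunnel(entry))
```

Two caveats the functions encode: the forward target is `localhost` as seen from the database server, so the listener has to accept connections on the server's loopback interface; and the tunnel protects only the client-to-sshd leg, so the hop from sshd to the listener must stay on the server itself rather than crossing to another machine.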
It does work even for windoze
Mario, October 31, 2003 - 12:07 pm UTC
Hi Tom and Piotr,
it does work even for windoze: you can use SecureCRT for 'port forwarding' on the windoze client.
many thanks Piotr.
Mario from Rome, Europe
P.S. ... and yes from time to time I use windows ;-(
JDBC Thin Driver
Jon, May 14, 2004 - 1:57 pm UTC
Hi Tom,
<quote>
passwords are encrypted BY DEFAULT using net8 -- meaning, you need to do nothing, install no additional software, just use it out of the box and the passwords are transmitted encrypted.
</quote>
1) If we use JDBC with thin driver, will we have password encrypted when connecting to Oracle 8.1.7 or higher too?
I assume JDBC with OCI driver will have password encrypted because it uses net8.
2) Does the default logon connection process encrypt or hash/challenge the password? If it is only password encryption on an insecure line, is it a security risk that people can snatch the encrypted password and submit it to Oracle?
3) In addition to the password encryption, do you recommend that production servers should use a secure channel, like SSL?
As always, thanks for all the help.
Regards,
Jon
May 15, 2004 - 12:13 pm UTC
1) yes.
2) yes, we have total network encryption that defeats packet replay as well, it is called the advanced security option (ASO)
3) if the ability to sniff the network bothers you, is against your security policy, sure.
DBLINK_ENCRYPT_LOGIN deprecated in 9.2.0.1
A reader, August 09, 2004 - 10:42 am UTC
Hi Tom, could you please with your wisdom help me to understand what replaces the DBLINK_ENCRYPT_LOGIN parameter please.
In Oracle 9.2.0.1 I receive the following warning
Deprecated system parameters with specified values:
fast_start_io_target
dblink_encrypt_login
Thanks in advance
August 09, 2004 - 11:33 am UTC
dblink_encrypt_login is not supported anymore, the passwords are always encrypted
A reader, August 09, 2004 - 11:35 am UTC
Thanks Tom
ORA_ENCRYPT_LOGIN
A reader, August 09, 2004 - 3:20 pm UTC
Tom one question more please
Do I still have to set ora_encrypt_login in the client machine's regedit to encrypt passwords using Oracle 9i?
I don't know if you have some specific information (from Metalink) about the use of this parameter for client machines, and especially for Oracle Forms.
:) If you can please
August 09, 2004 - 8:07 pm UTC
no, obsoleted by time as well.
always encrypted now.
ORA_ENCRYPT_LOGIN second retry encrypted?
A reader, August 10, 2004 - 11:40 am UTC
Hi Tom, sorry, only to be sure
If I use developer 6i patch 12 client and oracle 9i database
I don't have to set ORA_ENCRYPT_LOGIN?
Is the second retry sent encrypted too?
Thanks
August 10, 2004 - 3:40 pm UTC
there should not be a second "retry", you can confirm with support via metalink.
A reader, August 10, 2004 - 4:17 pm UTC
Thanks Tom
A reader, September 25, 2006 - 5:20 pm UTC
Where can I find the official statement from Oracle that
- passwords are encrypted
- this is true even if the connection is from JDBC
We need to show this to our customers.
A reader, September 25, 2006 - 5:38 pm UTC
Is it true that the process of changing a password may send the password in the clear?
September 26, 2006 - 2:27 am UTC
if you use a simple "alter" command - yes, that DDL would be sent in the clear.
Unless you used network encryption for all SQL that is, part of the advanced security option.
A reader, September 26, 2006 - 12:59 pm UTC
How do I set up ASO so that it will encrypt a password sent through the ALTER USER command? I understand that to encrypt a column in a table I would create a wallet and alter the column to use "SALT" or "NO SALT". How do I do this for passwords? Is it just an option to turn on in sqlnet.ora?
September 26, 2006 - 4:54 pm UTC
you just use network encryption for all traffic, this is well documented, have you read the Advanced Security guide as yet?
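The "option to turn on in sqlnet.ora" asked about above is the native network encryption of the Advanced Security Option, which covers the whole Net8 session, so an ALTER USER ... IDENTIFIED BY statement travels encrypted like every other statement. The fragment below is an added example, not text from the thread or from Oracle's documentation; the parameter names are the documented ones, while the cipher and checksum lists are assumptions to be adjusted to the algorithms the release in use supports.

```ini
# sqlnet.ora fragment (added example). Requires the Advanced Security Option.

# Weak setting: this is the default. The server accepts encryption if the
# client asks for it, but a client that never asks gets a clear-text session,
# so the ALTER USER text still crosses the wire in the clear.
# SQLNET.ENCRYPTION_SERVER = ACCEPTED

# Hardened server side: refuse any session that cannot negotiate both
# encryption and an integrity checksum. Cipher/checksum lists are assumptions.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

# Matching client-side sqlnet.ora, so a misconfigured server cannot talk the
# client down to clear text either.
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)
```

With REQUIRED on both ends a session either negotiates an algorithm from the intersection of the two lists or fails to connect; there is no silent fallback. To confirm from inside a session, the NETWORK_SERVICE_BANNER column of V$SESSION_CONNECT_INFO for the current SID lists the encryption and checksum services that were actually negotiated.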
Advanced Security Option
A reader, June 16, 2009 - 6:19 pm UTC
Tom:
I have 100 client machines using a PowerBuilder application that uses the big user model (one db user).
Users key in an application userid/password that gets sent to an Oracle authenticating function which hashes the sent password, compares it against the hash value in the USERS table and sends a return code back to the client on whether it is valid or not valid.
I want to encrypt this password and a better solution is to encrypt the whole communication pipe between the client and server.
1. What do I need to set this up and is it difficult to do?
Do I need the Advanced Security Option installed on the server with a new listener port and just change the tnsnames.ora file on all the clients?
2. Is the data going over the public Internet or over an ethernet local network (dedicated cable) with a client server setup?
Can you advise.
June 17, 2009 - 11:19 am UTC
1) you need to read all about ASO and its setup, features and options SMK. I've pointed you to the documentation many times, you know where it is.
2) we've had this discussion too - the only answer is "it depends", depends on your network setup, your routing, how things are configured where you work. The public internet is not any different from your local networks connected together - in fact, that is what makes it all work.
In all probability, the information inside your corporate WAN doesn't leave your control - probably. But, you should sit down with your network administrators and have them draw out a map and describe how it works if you have a need to know.
ASO
A reader, June 17, 2009 - 1:14 pm UTC
Tom:
Thanks, I think this is the first time we talk ASO. Anyway I will try to read this - a lot of stuff
http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14268/toc.htm It sounds like the client can be easily modified via sqlnet.ora but the ASO software has to be installed on the server.
My other option is just to send the password that user enters encrypted by the client. Right now the PB client uses Oracle hash function for that. Does this mean that the string is going in plain text over the network when the client has this
SELECT hash('tiger') into v_password from dual;
insert into user values (userid,v_password)
Is that select statement sending the string to the DB unencrypted?
Would you recommend creating an ENCRYPT function in the PB client and storing that value into the DB instead? If I do not do that, then I have to somehow create a client ENCRYPT function and a SERVER DECRYPT function that use the same algorithm and result in the same hash, or maybe I can apply the Oracle HASH on the encrypted string the client sends.
Can you please advise.
June 17, 2009 - 3:25 pm UTC
Ahh, but SMK, it is not the first time we've talked "configure", "install", "what does it do" - and the answer has been many times "we actually document that stuff"
if you are not using ASO, then all data over the network is transmitted in clear text EXCEPT for the password you use to log in. In your case, the text in the sql statement, the bind variable values - all in clear text.
if you start doing your own encryption, then you have to figure out how to do key management - and I'm not even going to start going down that path with you - it is incredibly *hard*. To encrypt, you need a key, where will you store this key - and when this key is compromised - how will you rekey the data and let the application know?
No, I think doing your own encryption in the client would be the worst path to approach.
ASO
A reader, June 17, 2009 - 7:39 pm UTC
Tom:
I use your hash function on the server (dbms_utility). Is the key hardcoded there? How does the Oracle client send the password encrypted? Is it storing the key somewhere on the client?
To keep things simple, let us say the key is defined within the ENCRYPT program. Can the client encrypt a string and then oracle hash that encrypted string.
That way you hide the password during transmission and use oracle hash at the server side. What are your issues with this?
June 18, 2009 - 11:09 am UTC
if you use it on the server, didn't you just send me the password to hash IN CLEAR TEXT - which is what you are trying to avoid.
how does Oracle send the password encrypted? By implementing thousands of lines of somewhat complex handshake code that allows the client and server to agree on a key.
To keep things simple, if the KEY is in the DATABASE and the data you need to encrypt/decrypt is in the client - you need to either
a) send key to client
b) send data to database
in either case - it is not encrypted, it is in the clear. Please explain how you have solved *anything* SMK/Sam
Draw the flow of data on a whiteboard, think about it.
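Tom's whiteboard argument, carried through in code as an added example (not from the thread, and not Oracle's hashing or client code). It models the two designs discussed: design A is the current one, where the application password is hashed on the server and so crosses the wire inside the SQL text; design B is the proposed one, where the client derives a token with a key built into the program and the server stores and compares those tokens. The server-side helpers also show what an application USERS table should hold. All function names, the table layout and the sample key are this example's assumptions.

```python
# Added example (not from the thread): the two application-password designs
# discussed above, side by side. In both, the value that crosses the wire is
# enough to log in, which is why the wire itself needs network encryption
# (ASO, or the SSH tunnel earlier in the thread) rather than a home-made
# scheme in the client. Names, table layout and APP_KEY are constructed.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000          # work factor; an assumption, raise as hardware allows


# --- Server side: what the application's USERS table should hold -------------

def make_user_record(password):
    """Per-user random salt plus a slow hash, not a bare hash of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "hash": digest}


def server_verify(record, candidate):
    """Recompute with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["hash"])


# --- Design A: password travels in the SQL text, server hashes it -----------

def design_a_wire(userid, password):
    """What leaves the client without network encryption: the literal itself."""
    return f"SELECT app_auth('{userid}', '{password}') FROM dual".encode()


def design_a_server_accepts(records, userid, presented):
    return userid in records and server_verify(records[userid], presented)


# --- Design B: client derives a token with a key compiled into the program ---

APP_KEY = b"constructed-key-compiled-into-every-client"   # constructed sample


def client_token(password):
    """Deterministic: the same password yields the same token on every login."""
    return hmac.new(APP_KEY, password.encode(), "sha256").hexdigest()


def design_b_wire(userid, token):
    return f"SELECT app_auth('{userid}', '{token}') FROM dual".encode()


def design_b_server_accepts(tokens, userid, presented):
    # The server can only store what the client will send, so it compares tokens.
    return userid in tokens and hmac.compare_digest(tokens[userid], presented)


# --- The comparison Tom asks for ---------------------------------------------

def password_visible_on_wire(design, userid, password):
    """Does the clear-text password itself appear in the bytes on the wire?"""
    if design == "A":
        return password.encode() in design_a_wire(userid, password)
    if design == "B":
        return password.encode() in design_b_wire(userid, client_token(password))
    raise ValueError(design)


def captured_value_logs_in(design, userid, password):
    """Enrol a user, take the credential exactly as it appeared on the wire,
    and present that same value again. True means the wire value is
    password-equivalent: whoever can read the wire can log in."""
    if design == "A":
        records = {userid: make_user_record(password)}
        seen_on_wire = password                   # the literal in the SQL text
        return design_a_server_accepts(records, userid, seen_on_wire)
    if design == "B":
        tokens = {userid: client_token(password)}
        seen_on_wire = client_token(password)     # same token every time
        return design_b_server_accepts(tokens, userid, seen_on_wire)
    raise ValueError(design)


if __name__ == "__main__":
    for design in ("A", "B"):
        print(design,
              "password visible:", password_visible_on_wire(design, "scott", "tiger"),
              "wire value sufficient to log in:", captured_value_logs_in(design, "scott", "tiger"))
```

Design B hides the password string but changes nothing about the exposure: the token is fixed per password and is exactly what the server compares, so it is the credential. The salted, slow server-side hash is still worth having, because it protects the stored credentials if the USERS table leaks; it just does nothing for the credential in transit, which is the separate job of Net8 encryption.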