Question and Answer

Tom Kyte

Thanks for the question, Azman.

Asked: October 31, 2000 - 6:23 am UTC

Last updated: June 18, 2009 - 11:09 am UTC

Version: 8.0.6

You Asked

I understand that setting
ORA_ENCRYPT_LOGIN = True on the client machine will ensure that the password will be sent in an encrypted form from client to server. Does this work if we are using ODBC to communicate between client and server?

and Tom said...


You do not need to set that anymore - it was valid in 7.1. Today, passwords are encrypted by default.

Yes, it'll encrypt the password in ODBC since ODBC uses Net8 and Net8 is the layer that does the encryption. Note however that if you set ODBC tracing on -- it will tend to record the password in cleartext as the password is not encrypted until they give it to us.

Comments

Tarek, October 06, 2003 - 11:39 am UTC

As far as I know the password is not encrypted when a user tries to connect to the database using the Net8 layer, right?
I know that to encrypt the network connection the Advanced Security "option" of Enterprise Edition should be used.
Am I wrong?
Is it enough to put ORA_ENCRYPT_LOGIN = True on the client machine?
So what do you mean with
"Today, passwords are encrypted by default"
When are they encrypted by default?

Thanks
Tarek

Tom Kyte
October 06, 2003 - 1:33 pm UTC

yes it is.

passwords are encrypted BY DEFAULT using net8 -- meaning, you need to do nothing, install no additional software, just use it out of the box and the passwords are transmitted encrypted.



encryption

Spock, October 06, 2003 - 1:45 pm UTC

Tarek, you can encrypt your client/server connection using:

SQLNET.ENCRYPTION_CLIENT=...
SQLNET.ENCRYPTION_SERVER=...

http://download-west.oracle.com/docs/cd/B10501_01/network.920/a96581/sqlnet.htm#436668

May the force be with you

A reader, October 06, 2003 - 1:55 pm UTC

Tom, will the above really encrypt the connection between client and server? Is it part of 9ir2 EE?

BTW:

Gee, Dr. Spock... It's not Tarek, it's Sarek.

And "The force be with you" is from Star Wars, not Star Trek. The right greeting is "Live long and prosper!"

Tom Kyte
October 06, 2003 - 2:09 pm UTC

Dr. Spock wrote books on rearing human children. My mom used to read his stuff.

Mr. Spock -- he might have known Sarek :)



you need to do NOTHING, nada, nunca, to get the passwords encrypted. It just happens, has happened for many many many years.

You need to do NOTHING


A reader, October 06, 2003 - 2:22 pm UTC

Ok, Captain Tom ;)))))))

The parameters described by MISTER Spock are valid for the entire connection, right ?

Are they shipped with 9ir2 EE, after all -- or are they an "option" (bought separately), as they used to be part of the Advanced Networking Option ?

Tom Kyte
October 06, 2003 - 2:39 pm UTC

those parameters are for the Advanced Security Option (ASO)

they do it for the entire connection -- all data, not just the password.

not shipped with EE, ASO is a for fee option.

Was there ever a cleartext retry option?

Justin, October 07, 2003 - 5:53 pm UTC

Since Oracle 8 clients can communicate with an Oracle 7 database, is or was there a fallback path in the Net8 code where it would try with an unencrypted password, or did all versions of Oracle 7 accept the default Oracle 8 encrypted passwords?

Tom Kyte
October 07, 2003 - 6:24 pm UTC

well, only 7.3 was supported and it supported encrypted passwords (it's been a long long time..)

This was implemented in Oracle7 Release 7.1. If you use an old tool (i.e. a tool created with a prior version of the RDBMS libraries) the login routines will fall back to the old "send the password in clear text" mode. To prevent users from accidentally revealing their passwords in this way, the dba can set the ora_encrypt_login and dblink_encrypt_login variables to true. If this is done and the user attempts to login with an old tool, they will receive an error.

Looks okay but.....

Jahudi, October 29, 2003 - 12:34 pm UTC

Tom,

Does this also count for a role password?

Thanks,

Jahudi

Tom Kyte
October 29, 2003 - 2:09 pm UTC

nope, that is just a dml statement -- you need ASO (advanced security) for encrypting the entire conversation

Mike, October 29, 2003 - 4:40 pm UTC

"
those parameters are for the Advanced Security Option (ASO)

they do it for the entire connection -- all data, not just the password.

not shipped with EE, ASO is a for fee option.
"

Please confirm: the login passwd is always encrypted without explicitly setting up Net8's ASO?

Tom Kyte
October 29, 2003 - 5:19 pm UTC

correct, the password you use to login with is encrypted regardless.

It is possible to encrypt data stream even without ASO

Piotr Jarmuz, October 31, 2003 - 4:11 am UTC

Just in case someone would like to know...

If your client machine is UNIX, Linux or Windoze with a unix emulation layer, e.g. Cygwin, then it is trivial to set up SSL encryption even without ASO.

1. Make sure that your database server is running ssh daemon (in the world of Unix this is standard).

2. Start ssh client on the client machine in local forwarding mode. For your convenience you may want to set up public key authentication before so that you don't need the passwords.

$> ssh -NfL 1521:localhost:1521 your.db.server

3. Edit tnsnames.ora file on the client to contain the entry like this:

SECURED_SERVER =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SID = your_original_server_sid)
    )
  )

4. Use sqlplus to test the connection:

$> sqlplus username/password@secured_server

5. Enjoy secure data flow :)

If your client is a "naked" Windows machine (without reasonable set of unix-like tools) it might even work but I have never tested...
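The steps above as one script, added here as an example (not Piotr's or Oracle's code). It assumes `ssh` and `sqlplus` on the PATH, uses placeholder server, SID and user values, and adds a check the steps do not mention: it refuses to start if something else already listens on the chosen local port, since the client would otherwise reach that listener untunnelled.

```python
import socket
import subprocess
import time

# Placeholder values (assumptions): replace with your server, SID and a free local port.
DB_SERVER, DB_SID, DB_USER = "your.db.server", "your_original_server_sid", "username"
REMOTE_PORT = 1521
LOCAL_PORT = 11521   # unprivileged, and unlikely to clash with a local Oracle listener

def port_listening(host, port, timeout=0.5):
    """True if a TCP connect to host:port succeeds, i.e. something is listening there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ssh_forward_command(server, local_port, remote_port, user=None):
    """The local-forward ssh command of step 2 (-N: no remote shell, -f: background)."""
    target = f"{user}@{server}" if user else server
    return ["ssh", "-N", "-f", "-L", f"{local_port}:localhost:{remote_port}", target]

def tns_entry(alias, local_port, sid):
    """The tnsnames.ora entry of step 3, pointing at the tunnel's local end."""
    return (
        f"{alias} =\n  (DESCRIPTION =\n    (ADDRESS_LIST =\n"
        f"      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = {local_port}))\n"
        f"    )\n    (CONNECT_DATA = (SID = {sid}))\n  )\n"
    )

def open_tunnel(server, local_port, remote_port, attempts=20):
    """Start the forward only if the local port is free: an unrelated listener there
    (e.g. a local Oracle instance on 1521) would be reached untunnelled, in the clear."""
    if port_listening("127.0.0.1", local_port):
        raise RuntimeError(f"port {local_port} already has a listener; refusing to reuse it")
    subprocess.run(ssh_forward_command(server, local_port, remote_port), check=True)
    for _ in range(attempts):          # ssh -f returns before the forward accepts connections
        if port_listening("127.0.0.1", local_port):
            return
        time.sleep(0.25)
    raise RuntimeError("ssh forward did not come up")

if __name__ == "__main__":
    open_tunnel(DB_SERVER, LOCAL_PORT, REMOTE_PORT)
    print(tns_entry("SECURED_SERVER", LOCAL_PORT, DB_SID))   # append this to tnsnames.ora
    # Step 4: pass only the user so sqlplus prompts for the password (keeps it off the command line).
    subprocess.run(["sqlplus", f"{DB_USER}@SECURED_SERVER"], check=False)
```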


Tom Kyte
October 31, 2003 - 7:57 am UTC

very nice! thanks!

It does work even for windoze

Mario, October 31, 2003 - 12:07 pm UTC

Hi Tom and Piotr,

it does work even for windoze: you can
use SecureCRT for 'port forwarding' on
windoze client.

many thanks Piotr.

Mario from Rome, Europe

P.S. ... and yes from time to time I use windows ;-(

JDBC Thin Driver

Jon, May 14, 2004 - 1:57 pm UTC

Hi Tom,

<quote>
passwords are encrypted BY DEFAULT using net8 -- meaning, you need to do nothing, install no additional software, just use it out of the box and the passwords are transmitted encrypted.
</quote>

1) If we use JDBC with thin driver, will we have password encrypted when connecting to Oracle 8.1.7 or higher too?

I assume JDBC with OCI driver will have password encrypted because it uses net8.

2) Does the default logon connection process encrypt or hash/challenge the password? If it is only password encryption on an insecure line, is it a security risk that people can snatch the encrypted password and submit it to Oracle?

3) In addition to the password encryption, do you recommend that production servers should use a secure channel, like SSL?

As always, thanks for all the help.

Regards,
Jon




Tom Kyte
May 15, 2004 - 12:13 pm UTC

1) yes.

2) yes, we have total network encryption that defeats packet replay as well, it is called the advanced security option (ASO)

3) if the ability to sniff the network bothers you, is against your security policy, sure.

DBLINK_ENCRYPT_LOGIN deprecated in 9.2.0.1

A reader, August 09, 2004 - 10:42 am UTC

Hi Tom, could you please with your wisdom help me to understand what replaces the
DBLINK_ENCRYPT_LOGIN parameter please.

In Oracle 9.2.0.1 I receive the following warning

Deprecated system parameters with specified values:
fast_start_io_target
dblink_encrypt_login

Thanks in advance

Tom Kyte
August 09, 2004 - 11:33 am UTC



dblink_encrypt_login is not supported anymore, the passwords are always encrypted

A reader, August 09, 2004 - 11:35 am UTC

Thanks Tom

ORA_ENCRYPT_LOGIN

A reader, August 09, 2004 - 3:20 pm UTC

Tom one question more please
Do I still have to set ora_encrypt_login in the client machine regedit, to encrypt passwords using Oracle 9i?

I don't know if you have some specific information (from Metalink) about the use of this parameter for client machines, and especially for Oracle Forms.

:) If you can please


Tom Kyte
August 09, 2004 - 8:07 pm UTC

no, obsoleted by time as well.

always encrypted now.

ORA_ENCRYPT_LOGIN second retry encrypted?

A reader, August 10, 2004 - 11:40 am UTC

Hi Tom, sorry, only to be sure
If I use developer 6i patch 12 client and oracle 9i database
I don't have to set ORA_ENCRYPT_LOGIN?
Is the second retry sent encrypted too?

Thanks

Tom Kyte
August 10, 2004 - 3:40 pm UTC

there should not be a second "retry", you can confirm with support via metalink.

A reader, August 10, 2004 - 4:17 pm UTC

Thanks Tom

A reader, September 25, 2006 - 5:20 pm UTC

Where can I find the official statement from Oracle that

- passwords are encrypted
- this is true even if the connection is from JDBC

We need to show this to our customers.

Tom Kyte
September 26, 2006 - 2:25 am UTC

http://docs.oracle.com/docs/cd/B19306_01/server.102/b14220/security.htm#sthref2716

I believe the use of the word ALWAYS in there covers JDBC. We would not list every API in a case like this (so don't really dig for "and yes, always includes jdbc" - you likely won't find it)

A reader, September 25, 2006 - 5:38 pm UTC

Is it true that the process of changing a password may send the password in the clear?

Tom Kyte
September 26, 2006 - 2:27 am UTC

if you use a simple "alter" command - yes, that DDL would be sent in the clear.

Unless you used network encryption for all SQL that is, part of the advanced security option.

A reader, September 26, 2006 - 12:59 pm UTC

How do I setup ASO so that it will encrypt password sent through ALTER USER command? I understand that to encrypt a column in a table I would create a wallet and alter the column to use "SALT" or "NO SALT". How do I do this for passwords? Is it just an option to turn on in sqlnet.ora?

Tom Kyte
September 26, 2006 - 4:54 pm UTC

you just use network encryption for all traffic, this is well documented, have you read the advanced security guide as yet?

Advanced Security Option

A reader, June 16, 2009 - 6:19 pm UTC

Tom:

I have 100 client machines using a PowerBuilder application that uses the big user model (one db user).
Users key in an application userid/password that gets sent to an Oracle authenticating function
which hashes the sent password and compares it against the hash value in the USERS table and sends a return code back to the client on whether it is valid or not valid.

I want to encrypt this password and a better solution is to encrypt the whole communication pipe between the client and server.

1. What do I need to set this up and is it difficult to do?

Do I need the Advanced Security Option installed on the server with a new listener port and just change the tnsnames.ora file on all the clients?

2. Is the data going over the public Internet or over an Ethernet local network (dedicated cable) with a client server setup?

Can you advise.

Tom Kyte
June 17, 2009 - 11:19 am UTC

1) you need to read all about ASO and its setup, features and options SMK. I've pointed you to the documentation many times, you know where it is.

2) we've had this discussion too - the only answer is "it depends", depends on your network setup, your routing, how things are configured where you work. The public internet is not any different from your local networks connected together - in fact, that is what makes it all work.

In all probability, the information inside your corporate WAN doesn't leave your control - probably. But, you should sit down with your network administrators and have them draw out a map and describe how it works if you have a need to know.

ASO

A reader, June 17, 2009 - 1:14 pm UTC

Tom:

Thanks, I think this is the first time we talk ASO. Anyway I will try to read this - a lot of stuff

http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14268/toc.htm

It sounds like the client can be easily modified via sqlnet.ora but the ASO software has to be installed on the server.

My other option is just to send the password that the user enters encrypted by the client. Right now the PB client uses an Oracle hash function for that. Does this mean that the string is going in plain text over the network when the client has this

SELECT hash('tiger') into v_password from dual;
insert into user values (userid,v_password)

Is that select statement sending the string to the DB unencrypted?

Would you recommend creating an ENCRYPT function in the PB client and storing that value into the DB instead? If I do not do that, then I have to somehow create a client ENCRYPT function and SERVER DECRYPT function that use the same algorithm and result in the same hash, or maybe I can apply the Oracle HASH on the encrypted string the client sends.

Can you please advise.

Tom Kyte
June 17, 2009 - 3:25 pm UTC

Ahh, but SMK, it is not the first time we've talked "configure", "install", "what does it do" - and the answer has been many times "we actually document that stuff"


if you are not using ASO, then all data over the network is transmitted in clear text EXCEPT for the password you use to log in. In your case, the text in the sql statement, the bind variable values - all in clear text.

if you start doing your own encryption, then you have to figure out how to do key management - and I'm not even going to start going down that path with you - it is incredibly *hard*. To encrypt, you need a key, where will you store this key - and when this key is compromised - how will you rekey the data and let the application know?

No, I think doing your own encryption in the client would be the worst path to approach.
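Since the SQL text itself travels in the clear without ASO, and ODBC tracing (as noted at the top of the thread) writes that text to disk, a defensive step on the application side is to redact credential literals before any statement reaches a log or trace. Added example, not from the thread or Oracle: `hash` stands in for whatever function the client calls with the secret, the patterns are assumptions to extend for your own statements, and the sample statements are constructed.

```python
import re

# Statements whose text carries a credential: CREATE/ALTER USER ... IDENTIFIED BY,
# CREATE DATABASE LINK ... CONNECT TO x IDENTIFIED BY y (and IDENTIFIED BY VALUES '...').
IDENTIFIED_BY = re.compile(
    r"(\bIDENTIFIED\s+BY\s+(?:VALUES\s+)?)(\"[^\"]*\"|'[^']*'|[^\s;]+)", re.IGNORECASE
)

# Hypothetical server-side functions an application calls with a user's secret as a string
# literal; the thread's example is SELECT hash('tiger') INTO v_password FROM dual. Extend as needed.
SECRET_FUNCTIONS = ("hash",)
SECRET_CALL = re.compile(
    r"(\b(?:%s)\s*\(\s*)'([^']*)'" % "|".join(re.escape(f) for f in SECRET_FUNCTIONS),
    re.IGNORECASE,
)

REDACTED = "'<redacted>'"

def redact_sql(sql):
    """Return (redacted_sql, findings): the statement with credential literals replaced,
    plus a list naming each kind of credential found, so the original never reaches a log."""
    findings = []

    def _by(m):
        findings.append("identified_by")
        return m.group(1) + REDACTED

    def _call(m):
        findings.append("secret_literal:" + m.group(1).split("(")[0].strip().lower())
        return m.group(1) + REDACTED

    out = IDENTIFIED_BY.sub(_by, sql)
    out = SECRET_CALL.sub(_call, out)
    return out, findings

def redact_log_lines(lines):
    """Apply redact_sql to every trace or log line; lines without credentials pass through."""
    return [redact_sql(line)[0] for line in lines]

if __name__ == "__main__":
    # Constructed sample statements of the kinds the thread says travel in the clear.
    samples = [
        "ALTER USER scott IDENTIFIED BY tiger;",
        "CREATE DATABASE LINK remote CONNECT TO scott IDENTIFIED BY \"Ti ger\" USING 'orcl';",
        "SELECT hash('tiger') INTO v_password FROM dual;",
        "SELECT ename FROM emp WHERE deptno = :1;",
    ]
    for line in redact_log_lines(samples):
        print(line)
```

Redaction only keeps the secret out of your own logs; it does not change what crosses the wire, which is the point Tom makes about needing ASO for the whole conversation.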

ASO

A reader, June 17, 2009 - 7:39 pm UTC

Tom:

I use your hash function on the server (dbms_utility). Is the key hardcoded there? How does the Oracle client send the password encrypted? Is it storing the key somewhere on the client?

To keep things simple, let us say the key is defined within the ENCRYPT program. Can the client encrypt a string and then oracle hash that encrypted string.

That way you hide the password during transmission and use oracle hash at the server side. What are your issues with this?


Tom Kyte
June 18, 2009 - 11:09 am UTC

if you use it on the server, didn't you just send me the password to hash IN CLEAR TEXT - which is what you are trying to avoid.

how does Oracle send the password encrypted? By implementing thousands of lines of somewhat complex handshake code that allows the client and server to agree on a key.


To keep things simple, if the KEY is in the DATABASE and the data you need to encrypt/decrypt is in the client - you need to either

a) send key to client
b) send data to database

in either case - it is not encrypted, it is in the clear. Please explain how you have solved *anything* SMK/Sam



Draw the flow of data on a whiteboard, think about it.