I have a few questions regarding how Oracle by default encrypts the password when sent to the Oracle databases. ( https://asktom.oracle.com/pls/apex/asktom.search?tag=password-security-during-logins&p_session=117601880297172
First, please confirm that Oracle by default also encrypts the password when the client uses a JDBC thin client to connect to the databases.
Second, what kind of encryption algorithm (AES128, DES, etc.) does it use?
Third, why doesn't the default encryption of passwords require the complexity of setting up SSL encryption for data in motion? The complexity I am referring to is the need to create various server and client certificates ( CA certificate, self signed, pass it to through SHA-2 algorithm), create wallets and setup several sqlnet.ora parameters on both client and server?
Forth, do you think it is a good idea for Oracle Oracle to provide a simple on/off option to turn on the same default password encryption but for all data in motion?
Lastly, if Oracle encrypts the password automatically, why does Oracle provide this document: "Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)?" "This article describes how to configure and use the Secure Sockets Layer (SSL) for Oracle Database User Authentication." If Oracle encrypts the password by default, then Oracle providing the document seems unnecessary.
Thanks for your valuable insights.
Encryption depends on version. If memory serves (so don't take these as gospel)
For thick clients, I *think* it is
- pre v7, possibly no encryption, ah...the good ol' days where we trusted everyone :-))
- v7-v10, DES
- v11, SHA1
- v12 onwards SHA2
For thin clients, I *think* it is AES.
In any event, a lot of things have evolved over time, so its not just a case of sending a password over the line. Nowadays, there is a length set of exchanges between client and the server, passing around hashes and keys etc.
So if we're doing all of that ... two questions come up:
1) why would we need SSL authentication ?
Notice in the document you reference, we are not explicitly including the password in our connection strings. Our apps etc no longer need to provide it because its stored in a wallet. Also, everything about the connection request (username etc) will be over SSL. That's a benefit.
2) why would we need SSL elsewhere ?
Because that is JUST for authentication. What about
- set role identified by mypassword
- create user identified by mypassword
- select CREDIT_CARD from PERSON