Hi ,
What encryption algorithm is used to store passwords in the database? Also, in the application server, what algorithm is used to store passwords in OID? Is it DES, Triple DES, SHA-1, etc?
Thanks,
Leonard
Hi ,
What encryption algorithm is used to store passwords in the database? Also, in the application server, what algorithm is used to store passwords in OID? Is it DES, Triple DES, SHA-1, etc?
Thanks,
Leonard
...and there is when the concept of proprietary algorithm makes itself evident :)
Nevertheless you are gonna love to take a look at http://www.red-database-security.com...passwords.html
they arent encrypted, they are hashed - big difference
Ok. What hashing algorithm is used in 10g database to store passwords in DBA_USERs data dictionary?
The one-way algorithm used to calculate password hashes is not openly documented by
Oracle, but references on-line and in printed materials provide sufficient information to
reproduce the algorithm.
A 1993 post on the comp.databases.oracle newsgroup describes the algorithm in detail,
identifying an unknown fixed key as an input parameter [1]. This key value was later
published in the book "Special Ops", providing sufficient information to reproduce the
algorithm [2]. The algorithm can be described as follows:
1. Concatenate the username and the password to produce a plaintext string;
2. Convert the plaintext string to uppercase characters;
3. Convert the plaintext string to multi-byte storage format; ASCII characters have the
high byte set to 0x00;
4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length)
using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of
0x0123456789ABCDEF;
5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output
of the previous step (ignoring parity bits) as the encryption key. The last block of the
output is converted into a printable string to produce the password hash value.
Ok. It seemed then the algorithm is DES.
I wonder why something straightforward like MD5 or a SHA version wasn't used?