What encryption algorithm is used to store passwords in the database
Hi,
What encryption algorithm is used to store passwords in the database? Also, in the application server, what algorithm is used to store passwords in OID? Is it DES, Triple DES, SHA-1, etc?
Disclaimer: Advice is provided to the best of my knowledge, but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions in a non-production test environment, the advisor should not be held liable or responsible for any actions taken based on the given advice.
The one-way algorithm used to calculate password hashes is not openly documented by Oracle, but references on-line and in printed materials provide sufficient information to reproduce the algorithm.

A 1993 post on the comp.databases.oracle newsgroup describes the algorithm in detail, identifying an unknown fixed key as an input parameter [1]. This key value was later published in the book "Special Ops", providing sufficient information to reproduce the algorithm [2]. The algorithm can be described as follows:

1. Concatenate the username and the password to produce a plaintext string;
2. Convert the plaintext string to uppercase characters;
3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;
4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;
5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.
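The five steps above, carried out in Go as an added example (not code from the original post or from Oracle), so that an auditor can see why the legacy hash is weak: the only salt is the username, and the uppercase step makes the password case-insensitive. A zero IV for both DES-CBC passes and zero-byte padding to an 8-byte boundary are assumptions taken from the description; the function name LegacyOracleHash is my own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Fixed DES key from step 4 of the description.
var legacyFixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// desCBCLastBlock runs single DES in CBC mode with an all-zero IV
// (assumed) and returns the final 8-byte ciphertext block.
func desCBCLastBlock(key, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // DES ignores the key parity bits
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:], nil
}

// LegacyOracleHash returns the 16-hex-digit legacy verifier for a username/password pair.
func LegacyOracleHash(username, password string) (string, error) {
	plain := strings.ToUpper(username + password) // steps 1 and 2
	var wide []byte                               // step 3: high byte first, 0x00 for ASCII
	for _, u := range utf16.Encode([]rune(plain)) {
		wide = append(wide, byte(u>>8), byte(u))
	}
	if rem := len(wide) % des.BlockSize; rem != 0 { // step 4: zero-pad to a block boundary
		wide = append(wide, make([]byte, des.BlockSize-rem)...)
	}
	derivedKey, err := desCBCLastBlock(legacyFixedKey, wide) // step 4
	if err != nil {
		return "", err
	}
	last, err := desCBCLastBlock(derivedKey, wide) // step 5: re-encrypt under the derived key
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(last)), nil
}

func main() {
	h, _ := LegacyOracleHash("scott", "tiger") // matches the widely published SCOTT/TIGER value
	fmt.Println(h)                             // F894844C34402B67
}
```

Because the username is the only salt, every SCOTT account with the same password hashes identically across databases, which is why these verifiers should be replaced by the SHA-based ones available in current releases.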