DBAsupport.com Forums - Powered by vBulletin

Thread: What encryption algorithm is used to store passwords in the database

  1. #1
    Join Date
    Jun 2000
    Location
    dumfries,va,usa
    Posts
    227

    What encryption algorithm is used to store passwords in the database

    Hi,

    What encryption algorithm is used to store passwords in the database? Also, in the application server, what algorithm is used to store passwords in OID? Is it DES, Triple DES, SHA-1, etc?

    Thanks,
    Leonard
    leonard905
    leonard905@yahoo.com

  2. #2
    Join Date
    Mar 2007
    Location
    Ft. Lauderdale, FL
    Posts
    3,555
    ...and that is when the concept of a proprietary algorithm makes itself evident

    Nevertheless you are gonna love to take a look at http://www.red-database-security.com...passwords.html
    Last edited by PAVB; 08-31-2007 at 08:43 AM.
    Pablo (Paul) Berzukov

    Author of Understanding Database Administration available at amazon and other bookstores.

    Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment, the advisor should not be held liable or responsible for any actions taken based on the given advice.

  3. #3
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,334
    They aren't encrypted, they are hashed - big difference

  4. #4
    Join Date
    Jun 2000
    Location
    dumfries,va,usa
    Posts
    227
    Ok. What hashing algorithm is used in the 10g database to store passwords in the DBA_USERS data dictionary?
    leonard905
    leonard905@yahoo.com

  5. #5
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,334
    The one-way algorithm used to calculate password hashes is not openly documented by Oracle, but references on-line and in printed materials provide sufficient information to reproduce the algorithm.

    A 1993 post on the comp.databases.oracle newsgroup describes the algorithm in detail, identifying an unknown fixed key as an input parameter [1]. This key value was later published in the book "Special Ops", providing sufficient information to reproduce the algorithm [2]. The algorithm can be described as follows:

    1. Concatenate the username and the password to produce a plaintext string;
    2. Convert the plaintext string to uppercase characters;
    3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;
    4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;
    5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.

  6. #6
    Join Date
    Jun 2000
    Location
    dumfries,va,usa
    Posts
    227
    Ok. It seems, then, that the algorithm is DES.
    leonard905
    leonard905@yahoo.com

  7. #7
    I wonder why something straightforward like MD5 or a SHA version wasn't used?
