-
What encryption algorithm is used to store passwords in the database
Hi,
What encryption algorithm is used to store passwords in the database? Also, in the application server, what algorithm is used to store passwords in OID? Is it DES, Triple DES, SHA-1, etc.?
Thanks,
Leonard
leonard905
leonard905@yahoo.com
-
...and this is where the concept of a proprietary algorithm makes itself evident.
Nevertheless, you are gonna love taking a look at http://www.red-database-security.com...passwords.html
Last edited by PAVB; 08-31-2007 at 08:43 AM.
Pablo (Paul) Berzukov
Author of Understanding Database Administration available at amazon and other bookstores.
Disclaimer: Advice is provided to the best of my knowledge, but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test, non-production environment, the advisor should not be held liable or responsible for any actions taken based on the given advice.
-
They aren't encrypted, they are hashed - big difference.
-
Ok. What hashing algorithm is used in the 10g database to store passwords in the DBA_USERS data dictionary view?
leonard905
leonard905@yahoo.com
-
The one-way algorithm used to calculate password hashes is not openly documented by Oracle, but references on-line and in printed materials provide sufficient information to reproduce the algorithm.
A 1993 post on the comp.databases.oracle newsgroup describes the algorithm in detail, identifying an unknown fixed key as an input parameter [1]. This key value was later published in the book "Special Ops", providing sufficient information to reproduce the algorithm [2]. The algorithm can be described as follows:
1. Concatenate the username and the password to produce a plaintext string;
2. Convert the plaintext string to uppercase characters;
3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;
4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;
5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.
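The five steps above, as an added example in Go using only the standard library (this is not code from the thread, from the paper it quotes, or from Oracle); it assumes ASCII credentials and an all-zero IV for both CBC passes, and SCOTT/TIGER is the commonly cited test vector. Running it shows what a defender should take from the description: the case of the password does not change the hash, and the only salt is the username.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Fixed DES key named in step 4 of the description above.
var oracleFixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// desCBC encrypts a whole number of blocks with single DES-CBC and a zero IV (assumed).
func desCBC(key, data []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // key is always 8 bytes here
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out
}

// OracleLegacyHash reproduces the pre-11g DBA_USERS.PASSWORD value for a
// username/password pair, following steps 1-5 of the description above.
func OracleLegacyHash(user, pass string) string {
	plain := strings.ToUpper(user + pass) // steps 1-2: concatenate, fold case
	var buf []byte                        // step 3: 16-bit chars, high byte first
	for _, u := range utf16.Encode([]rune(plain)) {
		buf = append(buf, byte(u>>8), byte(u))
	}
	if rem := len(buf) % des.BlockSize; rem != 0 { // step 4: zero-pad to a block
		buf = append(buf, make([]byte, des.BlockSize-rem)...)
	}
	first := desCBC(oracleFixedKey, buf)
	// Step 5: the last block of pass one keys pass two (DES discards the parity
	// bits itself); the last block of pass two, in uppercase hex, is the hash.
	second := desCBC(first[len(first)-des.BlockSize:], buf)
	return strings.ToUpper(hex.EncodeToString(second[len(second)-des.BlockSize:]))
}

func main() {
	fmt.Println(OracleLegacyHash("SCOTT", "TIGER")) // F894844C34402B67
	fmt.Println(OracleLegacyHash("scott", "tiger")) // identical: case is folded away
}
```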
-
Ok. It seems, then, that the algorithm is DES.
leonard905
leonard905@yahoo.com
-
I wonder why something straightforward like MD5 or a SHA version wasn't used?