Solved

Oracle DB - encrypt password via ODBC?

Posted on 2003-12-09
14
1,751 Views
Last Modified: 2013-12-25
From a VB application, using ODBC to connect to an Oracle DB, is it possible to encrypt the password using ADO, RDS?  How does a direct connection work?

Thanks

Tim
0
Comment
Question by:joex
  • 7
  • 7
14 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907235
Normally your connectionstring is compiled with the rest of the code into an exe, so it does not need to be encrypted.  Where, or to what, do you wish to apply your encryption.

Leon
0
 

Author Comment

by:joex
ID: 9907349
Please confirm/correct the following:

   When the ADO DB connect request is sent to Oracle, the password is not encrypted.

Thanks,

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907387
Tim,

Are you concerned about someone intercepting the connection string during the connection request from the application to the database?  Is this a web based application?

Leon
0
 

Author Comment

by:joex
ID: 9907419
Leon,

   Yes, the concern is that someone might intercept the connection string.

    It is not a web-based application.  A VB application accesses an Oracle DB across a network.

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907497
Tim,

You will need to handle such security issues on your network and in the database.  The OLEDB & ODBC drivers send the connection strings to the database in a certain format.  You can not change it and have it re-translated back by the database.  

If someone is capturing your connection string between the application and the database, you got serious problems.

Leon
0
 

Author Comment

by:joex
ID: 9907543
Leon,

     Do the OLEDB and ODBC Drivers encrypt the password ?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907600
No, it is the same for the entire connection string.  In a way it is encrypted since you are dealing with packets and protocols on that level.

Leon
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:joex
ID: 9907763
Leon,

    Before accepting your answers do you know:

       Whether RDS provides any encryption capability?

       Does direct connect provide any encryption capability?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907906
Tim,

Just to make sure you understand, what actually communicates with the database is the driver you are using not the application.  The applicaiton is communicating with the driver.

Application --> Driver --> Database

The return trip is the same:

Database --> Driver --> Application

There is really nothing to encrypt here since you are not dealing with any texts.

Leon
0
 

Author Comment

by:joex
ID: 9908157
Leon,

    Text that is hard-coded in a VB application can be read in the resulting executable.  Therefore it is not clear why you ask the following question.

       There is really nothing to encrypt here since you are not dealing with any texts.

Tim

0
 
LVL 29

Accepted Solution

by:
leonstryker earned 100 total points
ID: 9908207
Tim,

Yes, the executable can be cracked and the password exrtacted.  Then I made the statement above, I was refering to the stream sent from the application/driver to the database.

I am not aware of any tool which can be used to encrypt source code in an executable.

Leon
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9908493
What you should consider doing, is keeping the connection string outside the executable in a separate file.  What file can be encrypted.  Your application would access this file retrieve the connection string and decrypt it.

Leon
0
 

Author Comment

by:joex
ID: 9911727
Leon,

    This thread has been completely unhelpful.   The answer was accepted just to end it.  

    FYI - the question is whether the password in the byte stream sent to Oracle is encrypted.   Note that if a text password is detectable in an executable then it is also detectable in a byte stream (sent by ODBC).

    If anyone is interested in answering this question, please do so, and the points will be given to you.

Tim



0
 

Author Comment

by:joex
ID: 10065008
The following is a valid answer to this question:

According to the Oracle on-line documentation (at
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96524/c23acces.htm#CNCPT323)

under the User Authentication heading:

      "To prevent unauthorized use of a database username, Oracle provides
user validation through several different methods
      for normal database users. You can perform authentication by:

            The operating system
            A network service
            The associated Oracle database
            The Oracle database of a middle-tier application that performs
transactions on behalf of the user
            The Secure Socket Layer (SSL) protocol

      For simplicity, one method is usually used to authenticate all users
of a database. However, Oracle allows use of all methods
      within the same database instance.

      Oracle also encrypts passwords during transmission to ensure the
security of network authentication.

      Oracle requires special authentication procedures for database
administrators, because they perform special database operations."
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Background What I'm presenting in this article is the result of 2 conditions in my work area: We have a SQL Server production environment but no development or test environment; andWe have an MS Access front end using tables in SQL Server but we a…
You can of course define an array to hold data that is of a particular type like an array of Strings to hold customer names or an array of Doubles to hold customer sales, but what do you do if you want to coordinate that data? This article describes…
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…
Show developers how to use a criteria form to limit the data that appears on an Access report. It is a common requirement that users can specify the criteria for a report at runtime. The easiest way to accomplish this is using a criteria form that a…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now