?
Solved

Oracle DB - encrypt password via ODBC?

Posted on 2003-12-09
14
Medium Priority
?
1,850 Views
Last Modified: 2013-12-25
From a VB application, using ODBC to connect to an Oracle DB, is it possible to encrypt the password using ADO, RDS?  How does a direct connection work?

Thanks

Tim
0
Comment
Question by:joex
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
14 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907235
Normally your connectionstring is compiled with the rest of the code into an exe, so it does not need to be encrypted.  Where, or to what, do you wish to apply your encryption.

Leon
0
 

Author Comment

by:joex
ID: 9907349
Please confirm/correct the following:

   When the ADO DB connect request is sent to Oracle, the password is not encrypted.

Thanks,

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907387
Tim,

Are you concerned about someone intercepting the connection string during the connection request from the application to the database?  Is this a web based application?

Leon
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:joex
ID: 9907419
Leon,

   Yes, the concern is that someone might intercept the connection string.

    It is not a web-based application.  A VB application accesses an Oracle DB across a network.

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907497
Tim,

You will need to handle such security issues on your network and in the database.  The OLEDB & ODBC drivers send the connection strings to the database in a certain format.  You can not change it and have it re-translated back by the database.  

If someone is capturing your connection string between the application and the database, you got serious problems.

Leon
0
 

Author Comment

by:joex
ID: 9907543
Leon,

     Do the OLEDB and ODBC Drivers encrypt the password ?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907600
No, it is the same for the entire connection string.  In a way it is encrypted since you are dealing with packets and protocols on that level.

Leon
0
 

Author Comment

by:joex
ID: 9907763
Leon,

    Before accepting your answers do you know:

       Whether RDS provides any encryption capability?

       Does direct connect provide any encryption capability?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907906
Tim,

Just to make sure you understand, what actually communicates with the database is the driver you are using not the application.  The applicaiton is communicating with the driver.

Application --> Driver --> Database

The return trip is the same:

Database --> Driver --> Application

There is really nothing to encrypt here since you are not dealing with any texts.

Leon
0
 

Author Comment

by:joex
ID: 9908157
Leon,

    Text that is hard-coded in a VB application can be read in the resulting executable.  Therefore it is not clear why you ask the following question.

       There is really nothing to encrypt here since you are not dealing with any texts.

Tim

0
 
LVL 29

Accepted Solution

by:
leonstryker earned 300 total points
ID: 9908207
Tim,

Yes, the executable can be cracked and the password exrtacted.  Then I made the statement above, I was refering to the stream sent from the application/driver to the database.

I am not aware of any tool which can be used to encrypt source code in an executable.

Leon
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9908493
What you should consider doing, is keeping the connection string outside the executable in a separate file.  What file can be encrypted.  Your application would access this file retrieve the connection string and decrypt it.

Leon
0
 

Author Comment

by:joex
ID: 9911727
Leon,

    This thread has been completely unhelpful.   The answer was accepted just to end it.  

    FYI - the question is whether the password in the byte stream sent to Oracle is encrypted.   Note that if a text password is detectable in an executable then it is also detectable in a byte stream (sent by ODBC).

    If anyone is interested in answering this question, please do so, and the points will be given to you.

Tim



0
 

Author Comment

by:joex
ID: 10065008
The following is a valid answer to this question:

According to the Oracle on-line documentation (at
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96524/c23acces.htm#CNCPT323)

under the User Authentication heading:

      "To prevent unauthorized use of a database username, Oracle provides
user validation through several different methods
      for normal database users. You can perform authentication by:

            The operating system
            A network service
            The associated Oracle database
            The Oracle database of a middle-tier application that performs
transactions on behalf of the user
            The Secure Socket Layer (SSL) protocol

      For simplicity, one method is usually used to authenticate all users
of a database. However, Oracle allows use of all methods
      within the same database instance.

      Oracle also encrypts passwords during transmission to ensure the
security of network authentication.

      Oracle requires special authentication procedures for database
administrators, because they perform special database operations."
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I’ve seen a number of people looking for examples of how to access web services from VB6.  I’ve been using a test harness I built in VB6 (using many resources I found online) that I use for small projects to work out how to communicate with web serv…
Background What I'm presenting in this article is the result of 2 conditions in my work area: We have a SQL Server production environment but no development or test environment; andWe have an MS Access front end using tables in SQL Server but we a…
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…
Suggested Courses
Course of the Month9 days, 7 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question