Solved

Oracle DB - encrypt password via ODBC?

Posted on 2003-12-09
14
1,802 Views
Last Modified: 2013-12-25
From a VB application, using ODBC to connect to an Oracle DB, is it possible to encrypt the password using ADO, RDS?  How does a direct connection work?

Thanks

Tim
0
Comment
Question by:joex
14 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907235
Normally your connection string is compiled with the rest of the code into an exe, so it does not need to be encrypted.  Where, or to what, do you wish to apply your encryption?

Leon
0
 

Author Comment

by:joex
ID: 9907349
Please confirm/correct the following:

   When the ADO DB connect request is sent to Oracle, the password is not encrypted.

Thanks,

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907387
Tim,

Are you concerned about someone intercepting the connection string during the connection request from the application to the database?  Is this a web based application?

Leon
0

 

Author Comment

by:joex
ID: 9907419
Leon,

   Yes, the concern is that someone might intercept the connection string.

    It is not a web-based application.  A VB application accesses an Oracle DB across a network.

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907497
Tim,

You will need to handle such security issues on your network and in the database.  The OLEDB & ODBC drivers send the connection strings to the database in a certain format.  You cannot change it and have it re-translated back by the database.

If someone is capturing your connection string between the application and the database, you got serious problems.

Leon
0
 

Author Comment

by:joex
ID: 9907543
Leon,

     Do the OLEDB and ODBC Drivers encrypt the password ?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907600
No, it is the same for the entire connection string.  In a way it is encrypted since you are dealing with packets and protocols on that level.

Leon
0
 

Author Comment

by:joex
ID: 9907763
Leon,

    Before accepting your answers do you know:

       Whether RDS provides any encryption capability?

       Does direct connect provide any encryption capability?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907906
Tim,

Just to make sure you understand, what actually communicates with the database is the driver you are using, not the application.  The application is communicating with the driver.

Application --> Driver --> Database

The return trip is the same:

Database --> Driver --> Application

There is really nothing to encrypt here since you are not dealing with any texts.

Leon
0
 

Author Comment

by:joex
ID: 9908157
Leon,

    Text that is hard-coded in a VB application can be read in the resulting executable.  Therefore it is not clear why you ask the following question.

       There is really nothing to encrypt here since you are not dealing with any texts.

Tim

0
 
LVL 29

Accepted Solution

by:
leonstryker earned 100 total points
ID: 9908207
Tim,

Yes, the executable can be cracked and the password extracted.  When I made the statement above, I was referring to the stream sent from the application/driver to the database.

I am not aware of any tool which can be used to encrypt source code in an executable.

Leon
0
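
The point reached in this exchange, that a connection string compiled into the executable stays readable, can be checked on a build artifact before it ships. The following Python scanner is an added example, not code from the thread: it looks for `PWD=` / `Password=` pairs stored as ASCII or as UTF-16LE (the wide-character form Windows programs such as VB use for string literals) and reports only the offset, key and value length. The function names and the sample bytes are constructed for illustration.

```python
import re

# ODBC / OLE DB connection-string keys whose values are credentials.
KEYS = ("PWD", "Password")
# One value byte: printable ASCII except space and the ';' separator.
VALUE = rb"[\x21-\x3a\x3c-\x7e]"


def _regex(wide):
    """Compile a bytes regex for key=value, narrow (ASCII) or wide (UTF-16LE)."""
    z = rb"\x00" if wide else b""  # high byte that follows each UTF-16LE char

    def lit(s):
        return b"".join(re.escape(bytes([c])) + z for c in s.encode("ascii"))

    keys = b"|".join(lit(k) for k in KEYS)
    return re.compile(
        b"(?:" + keys + b")" + lit("=") + b"(?:" + VALUE + z + b")+",
        re.IGNORECASE,
    )


def find_embedded_credentials(data):
    """Return sorted (offset, encoding, key, value_length) tuples.

    The value itself is never returned, so scan output can be logged safely.
    """
    findings = []
    for name, wide in (("ascii", False), ("utf-16le", True)):
        for m in _regex(wide).finditer(data):
            text = m.group(0).decode(name)
            key, _, value = text.partition("=")
            findings.append((m.start(), name, key, len(value)))
    return sorted(findings)


# Constructed sample standing in for a compiled binary: one wide string
# literal and one narrow one, surrounded by non-text bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "DSN=orders;UID=app;PWD=ExamplePw1;".encode("utf-16le")
    + b"\xff\xfe\x00"
    + b"DSN=orders;Password=ExamplePw2;" + b"\x00"
)

if __name__ == "__main__":
    for offset, enc, key, n in find_embedded_credentials(SAMPLE):
        print(f"offset {offset:#06x}: {key}=<{n} chars> ({enc})")
```

A hit means the credential belongs outside the binary; an empty result only means no literal `key=value` pair was found in these two encodings.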
 
LVL 29

Expert Comment

by:leonstryker
ID: 9908493
What you should consider doing is keeping the connection string outside the executable in a separate file.  That file can be encrypted.  Your application would access this file, retrieve the connection string, and decrypt it.

Leon
0
 

Author Comment

by:joex
ID: 9911727
Leon,

    This thread has been completely unhelpful.   The answer was accepted just to end it.  

    FYI - the question is whether the password in the byte stream sent to Oracle is encrypted.   Note that if a text password is detectable in an executable then it is also detectable in a byte stream (sent by ODBC).

    If anyone is interested in answering this question, please do so, and the points will be given to you.

Tim



0
 

Author Comment

by:joex
ID: 10065008
The following is a valid answer to this question:

According to the Oracle on-line documentation (at http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96524/c23acces.htm#CNCPT323), under the User Authentication heading:

      "To prevent unauthorized use of a database username, Oracle provides user validation through several different methods for normal database users. You can perform authentication by:

            The operating system
            A network service
            The associated Oracle database
            The Oracle database of a middle-tier application that performs transactions on behalf of the user
            The Secure Socket Layer (SSL) protocol

      For simplicity, one method is usually used to authenticate all users of a database. However, Oracle allows use of all methods within the same database instance.

      Oracle also encrypts passwords during transmission to ensure the security of network authentication.

      Oracle requires special authentication procedures for database administrators, because they perform special database operations."
0
