Solved

Oracle DB - encrypt password via ODBC?

Posted on 2003-12-09
14
1,766 Views
Last Modified: 2013-12-25
From a VB application, using ODBC to connect to an Oracle DB, is it possible to encrypt the password using ADO, RDS?  How does a direct connection work?

Thanks

Tim
0
Comment
Question by:joex
14 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907235
Normally your connection string is compiled with the rest of the code into an exe, so it does not need to be encrypted.  Where, or to what, do you wish to apply your encryption?

Leon
0
 

Author Comment

by:joex
ID: 9907349
Please confirm/correct the following:

   When the ADO DB connect request is sent to Oracle, the password is not encrypted.

Thanks,

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907387
Tim,

Are you concerned about someone intercepting the connection string during the connection request from the application to the database?  Is this a web based application?

Leon
0
 

Author Comment

by:joex
ID: 9907419
Leon,

   Yes, the concern is that someone might intercept the connection string.

    It is not a web-based application.  A VB application accesses an Oracle DB across a network.

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907497
Tim,

You will need to handle such security issues on your network and in the database.  The OLEDB & ODBC drivers send the connection strings to the database in a certain format.  You cannot change it and have it re-translated back by the database.

If someone is capturing your connection string between the application and the database, you got serious problems.

Leon
0
 

Author Comment

by:joex
ID: 9907543
Leon,

     Do the OLEDB and ODBC Drivers encrypt the password ?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907600
No, it is the same for the entire connection string.  In a way it is encrypted since you are dealing with packets and protocols on that level.

Leon
0

 

Author Comment

by:joex
ID: 9907763
Leon,

    Before accepting your answers do you know:

       Whether RDS provides any encryption capability?

       Does direct connect provide any encryption capability?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907906
Tim,

Just to make sure you understand, what actually communicates with the database is the driver you are using, not the application.  The application is communicating with the driver.

Application --> Driver --> Database

The return trip is the same:

Database --> Driver --> Application

There is really nothing to encrypt here since you are not dealing with any texts.

Leon
0
 

Author Comment

by:joex
ID: 9908157
Leon,

    Text that is hard-coded in a VB application can be read in the resulting executable.  Therefore it is not clear why you ask the following question.

       There is really nothing to encrypt here since you are not dealing with any texts.

Tim

0
 
LVL 29

Accepted Solution

by:
leonstryker earned 100 total points
ID: 9908207
Tim,

Yes, the executable can be cracked and the password extracted.  When I made the statement above, I was referring to the stream sent from the application/driver to the database.

I am not aware of any tool which can be used to encrypt source code in an executable.

Leon
0
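The point made above, that a hard-coded connection string survives compilation and can be read back out of the executable, can be checked against your own build output. The following is an added example, not part of the original thread: a Python sketch that scans a binary image for ODBC-style password fields stored as ASCII or as wide (UTF-16LE) strings, as Windows executables commonly hold them. The function names, the sample DSN and the credentials are constructed for illustration.

```python
import re

# Keys that carry a secret in ODBC / OLE DB connection strings.
_SECRET = re.compile(r"(?i)\b(pwd|password)\s*=\s*([^;\s]+)")
_MIN_LEN = 6  # ignore very short printable runs

def _printable_runs(blob: bytes):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE string runs."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % _MIN_LEN, blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    # Wide strings: each printable byte is followed by a 0x00 byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % _MIN_LEN, blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def find_embedded_credentials(blob: bytes):
    """Return one finding per password field found in a binary image."""
    findings = []
    for offset, enc, text in _printable_runs(blob):
        for m in _SECRET.finditer(text):
            findings.append({
                "offset": offset,          # start of the enclosing string run
                "encoding": enc,
                "key": m.group(1).upper(),
                # Report only the length so the audit output holds no secret.
                "value_len": len(m.group(2)),
            })
    return sorted(findings, key=lambda f: f["offset"])

# Constructed sample: a fake binary holding the same (made-up) connection
# string once as ASCII and once as UTF-16LE, surrounded by non-text bytes.
CONN = "DSN=ORCL_DEMO;UID=app_user;PWD=Example#123;"
SAMPLE = (b"MZ\x90\x00" + bytes(range(16)) + CONN.encode("ascii")
          + b"\x00\xff\xfe" + CONN.encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE):
        print(f"{f['offset']:#06x} {f['encoding']:9} {f['key']} "
              f"(value of {f['value_len']} chars)")
```

To audit a real build, pass the file's bytes (for example `open(path, "rb").read()`) instead of `SAMPLE`; any finding means the credential should move out of the binary.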
 
LVL 29

Expert Comment

by:leonstryker
ID: 9908493
What you should consider doing is keeping the connection string outside the executable in a separate file.  That file can be encrypted.  Your application would access this file, retrieve the connection string and decrypt it.

Leon
0
 

Author Comment

by:joex
ID: 9911727
Leon,

    This thread has been completely unhelpful.   The answer was accepted just to end it.  

    FYI - the question is whether the password in the byte stream sent to Oracle is encrypted.   Note that if a text password is detectable in an executable then it is also detectable in a byte stream (sent by ODBC).

    If anyone is interested in answering this question, please do so, and the points will be given to you.

Tim



0
 

Author Comment

by:joex
ID: 10065008
The following is a valid answer to this question:

According to the Oracle on-line documentation (at
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96524/c23acces.htm#CNCPT323)

under the User Authentication heading:

      "To prevent unauthorized use of a database username, Oracle provides user validation through several different methods for normal database users. You can perform authentication by:

            The operating system
            A network service
            The associated Oracle database
            The Oracle database of a middle-tier application that performs transactions on behalf of the user
            The Secure Socket Layer (SSL) protocol

      For simplicity, one method is usually used to authenticate all users of a database. However, Oracle allows use of all methods within the same database instance.

      Oracle also encrypts passwords during transmission to ensure the security of network authentication.

      Oracle requires special authentication procedures for database administrators, because they perform special database operations."
0


Question has a verified solution.
