Solved

Oracle DB - encrypt password via ODBC?

Posted on 2003-12-09
14
1,810 Views
Last Modified: 2013-12-25
From a VB application, using ODBC to connect to an Oracle DB, is it possible to encrypt the password using ADO, RDS?  How does a direct connection work?

Thanks

Tim
0
Comment
Question by:joex
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
14 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907235
Normally your connectionstring is compiled with the rest of the code into an exe, so it does not need to be encrypted.  Where, or to what, do you wish to apply your encryption.

Leon
0
 

Author Comment

by:joex
ID: 9907349
Please confirm/correct the following:

   When the ADO DB connect request is sent to Oracle, the password is not encrypted.

Thanks,

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907387
Tim,

Are you concerned about someone intercepting the connection string during the connection request from the application to the database?  Is this a web based application?

Leon
0
Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

 

Author Comment

by:joex
ID: 9907419
Leon,

   Yes, the concern is that someone might intercept the connection string.

    It is not a web-based application.  A VB application accesses an Oracle DB across a network.

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907497
Tim,

You will need to handle such security issues on your network and in the database.  The OLEDB & ODBC drivers send the connection strings to the database in a certain format.  You can not change it and have it re-translated back by the database.  

If someone is capturing your connection string between the application and the database, you got serious problems.

Leon
0
 

Author Comment

by:joex
ID: 9907543
Leon,

     Do the OLEDB and ODBC Drivers encrypt the password ?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907600
No, it is the same for the entire connection string.  In a way it is encrypted since you are dealing with packets and protocols on that level.

Leon
0
 

Author Comment

by:joex
ID: 9907763
Leon,

    Before accepting your answers do you know:

       Whether RDS provides any encryption capability?

       Does direct connect provide any encryption capability?

Tim
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9907906
Tim,

Just to make sure you understand, what actually communicates with the database is the driver you are using not the application.  The applicaiton is communicating with the driver.

Application --> Driver --> Database

The return trip is the same:

Database --> Driver --> Application

There is really nothing to encrypt here since you are not dealing with any texts.

Leon
0
 

Author Comment

by:joex
ID: 9908157
Leon,

    Text that is hard-coded in a VB application can be read in the resulting executable.  Therefore it is not clear why you ask the following question.

       There is really nothing to encrypt here since you are not dealing with any texts.

Tim

0
 
LVL 29

Accepted Solution

by:
leonstryker earned 100 total points
ID: 9908207
Tim,

Yes, the executable can be cracked and the password exrtacted.  Then I made the statement above, I was refering to the stream sent from the application/driver to the database.

I am not aware of any tool which can be used to encrypt source code in an executable.

Leon
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 9908493
What you should consider doing, is keeping the connection string outside the executable in a separate file.  What file can be encrypted.  Your application would access this file retrieve the connection string and decrypt it.

Leon
0
 

Author Comment

by:joex
ID: 9911727
Leon,

    This thread has been completely unhelpful.   The answer was accepted just to end it.  

    FYI - the question is whether the password in the byte stream sent to Oracle is encrypted.   Note that if a text password is detectable in an executable then it is also detectable in a byte stream (sent by ODBC).

    If anyone is interested in answering this question, please do so, and the points will be given to you.

Tim



0
 

Author Comment

by:joex
ID: 10065008
The following is a valid answer to this question:

According to the Oracle on-line documentation (at
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96524/c23acces.htm#CNCPT323)

under the User Authentication heading:

      "To prevent unauthorized use of a database username, Oracle provides
user validation through several different methods
      for normal database users. You can perform authentication by:

            The operating system
            A network service
            The associated Oracle database
            The Oracle database of a middle-tier application that performs
transactions on behalf of the user
            The Secure Socket Layer (SSL) protocol

      For simplicity, one method is usually used to authenticate all users
of a database. However, Oracle allows use of all methods
      within the same database instance.

      Oracle also encrypts passwords during transmission to ensure the
security of network authentication.

      Oracle requires special authentication procedures for database
administrators, because they perform special database operations."
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever wanted to restrict the users input in a textbox to numbers, and while doing that make sure that they can't 'cheat' by pasting in non-numeric text? Of course you can do that with code you write yourself but it's tedious and error-prone …
Most everyone who has done any programming in VB6 knows that you can do something in code like Debug.Print MyVar and that when the program runs from the IDE, the value of MyVar will be displayed in the Immediate Window. Less well known is Debug.Asse…
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
This lesson covers basic error handling code in Microsoft Excel using VBA. This is the first lesson in a 3-part series that uses code to loop through an Excel spreadsheet in VBA and then fix errors, taking advantage of error handling code. This l…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question