Solved

verify_password

Posted on 2009-05-06
299 Views
Last Modified: 2013-12-26
I have a PB app where the user enters userid/password. It calls an Oracle server function that returns 1 if userid/password is good and 0 if it is not. PB then lets the user in or blocks it.

1. Does this mean that PB is sending the password in text form or hashed to the server over the network? Passwords in the DB are hashed. The server procedure has the hashing function that compares the hashed DB password to the hash of the text entered.

2. If it is getting transmitted in text, how do we get it to send it hashed or encrypted? We still want to keep authentication done by this server function.

0
Question by:sam15
11 Comments
 
LVL 14

Assisted Solution

by:sandeep_patel
sandeep_patel earned 200 total points
ID: 24320919
Put a messagebox in your code just before passing the password variable to the Oracle function and you will know the format.

e.g.
messagebox('',ls_pwd)
oracle_function(ls_user,ls_pwd)

Regards,
Sandeep
0
 

Author Comment

by:sam15
ID: 24321044
I did not quite understand that. What does the messagebox do?
For example, if you enter "SCOTT/SECRET" on the PB screen and hit login, the client runs this Oracle function:
my_var := authenticate_user('scott','secret')

Is scott/secret getting sent to Oracle over the network?

0
 
LVL 14

Expert Comment

by:sandeep_patel
ID: 24321118
Yes... what do you mean by passwords are hashed in the DB?

Does your Oracle function do any decryption, or does it compare the password value as it is?
0
 

Author Comment

by:sam15
ID: 24321216
Hashed is one-way encryption. We can't decrypt the stored password in the DB back to text.
The Oracle function hashes the user-entered password, then compares the hash value against the value stored in the database table for that user and determines if it is valid.
0
 
LVL 18

Expert Comment

by:diasroshan
ID: 24323717
Hi,

This is what I understood from your comments above:
The user keys in his password as, say, 'SECRET'.
The password in the database is hashed, say '#$@^#%'.

So 'SECRET' is passed over the network to the DB, and your Oracle server function converts this to '#$@^#%' and compares it with the hash value stored as the password.

Now, what you want is NOT to send the password as text ('SECRET').

Check the link below to encrypt and decrypt strings:
http://www.rgagnon.com/pbdetails/pb-0135.html

What you can do is encrypt your password and send it to your DB using the PowerBuilder function below:
[function string of_encrypt(as_str)]
integer i, j
string ls_enctext = ""
CONSTANT string CRYPT_KEY = "$#@%&#%@&*"

j = len(as_str)
FOR i = 1 TO j
    // marker character taken from the key by position (1-based mid)
    ls_enctext += mid(CRYPT_KEY , mod(i,10) + 1, 1)
    // the character itself, stored as its complemented code (255 - Asc)
    ls_enctext += String(Char(255 - Asc(Mid(as_str, i, 1))))
NEXT

RETURN ls_enctext
//Code ends here

Once the encrypted password reaches the Oracle function, decrypt it using the PowerBuilder function algorithm in the link (of course you have to modify the code to PL/SQL).

And once the password is decrypted, it will be the text 'SECRET';
then you can continue with your remaining function of hashing this text password and comparing it with the hash value.

So what you need is a PB function to encrypt the string and an enhancement to your existing Oracle function to first decrypt the string and then continue with the existing code of hashing and comparing.

Cheers,
Rosh
0
 

Author Comment

by:sam15
ID: 24327337
<<Once the encrypted password reaches the Oracle function, decrypt it using the PowerBuilder function algorithm in the link (of course you have to modify the code to PL/SQL)>>

How will you run that PB function on the Oracle server to decrypt the encrypted password?
That is a PB client function running on the user PC and not on the server.

Oracle also has its own hash algorithm.
0
 
LVL 14

Expert Comment

by:sandeep_patel
ID: 24331345
Rosh said "Of course you have to modify the code to PL/SQL"; it means you have to rewrite this algorithm in SQL.

regards,
Sandeep
0
 

Author Comment

by:sam15
ID: 24332762
That becomes complicated. Oracle and PB would have to use the same encryption/decryption algorithm and key. It needs some work.
0
 
LVL 18

Accepted Solution

by:diasroshan
diasroshan earned 300 total points
ID: 24346992
Hi,

I see absolutely no complication in meeting your requirement.
All the effort you need is to convert the PB function algorithm below and rewrite it in Oracle PL/SQL syntax:
[function string of_decrypt(as_str)]
integer i, j
string ls_encchar, ls_temp, ls_unasstr = "** Encryption Error"
boolean lb_ok = true
CONSTANT string CRYPT_KEY = "$#@%&#%@&*"

j = len(as_str)

// a valid encrypted string has an even length: one marker plus one data character per input character
IF NOT Mod(j, 2) = 1 THEN
   ls_temp = ""
   FOR i = 2 TO (j + 1) STEP 2
      // odd position: must hold the key marker that of_encrypt placed there
      ls_encchar = Mid(as_str, i - 1, 1)
      IF mid(CRYPT_KEY, Mod(i / 2, 10) + 1, 1) <> ls_encchar THEN
        lb_ok = FALSE
        EXIT
      END IF
      // even position: complemented character code, undone with 255 - asc
      ls_encchar = Mid(as_str, i, 1)
      ls_temp += string(char(255 - asc(ls_encchar)))
   NEXT
ELSE
   // odd length cannot be a valid encrypted string; report the error instead of returning ""
   lb_ok = FALSE
END IF

IF lb_ok THEN ls_unasstr = ls_temp

RETURN ls_unasstr

Create an Oracle function from the above algorithm, and call this function first in your original Oracle function to decrypt the encrypted password sent by the front-end PB application.

Cheers,
Rosh
0
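As an added example that is not part of this thread, here is a Python port of the of_encrypt and of_decrypt functions posted above (the sample password "SECRET" is a constructed value), so that a PL/SQL rewrite can be checked against the same inputs and outputs. The port also shows what the scheme does on the wire: the key characters are copied into the output unchanged and each password character is only complemented (255 minus its code), a reversal that needs no secret, so this is obfuscation rather than encryption and does not by itself protect the password in transit.

```python
# Added example, not code from the thread: a Python port of the PowerBuilder
# of_encrypt / of_decrypt functions posted above (odd-length input rejected).
# The sample password "SECRET" in the __main__ block is a constructed value.

CRYPT_KEY = "$#@%&#%@&*"          # same 10-char constant as the PB code
ERROR_TEXT = "** Encryption Error"


def of_encrypt(as_str: str) -> str:
    """Port of of_encrypt.

    Every input character becomes two output characters: a marker taken
    from CRYPT_KEY by position (PB: mid(CRYPT_KEY, mod(i,10)+1, 1)) and the
    complemented character code 255 - Asc(c). The key is copied into the
    output as-is; it is never combined with the password character.
    """
    out = []
    for i, c in enumerate(as_str, start=1):      # PB: FOR i = 1 TO len(as_str)
        if ord(c) > 255:
            raise ValueError("PB Char() handles single-byte codes only")
        out.append(CRYPT_KEY[i % 10])            # mod(i,10)+1 (1-based) -> i % 10
        out.append(chr(255 - ord(c)))            # String(Char(255 - Asc(c)))
    return "".join(out)


def of_decrypt(as_str: str) -> str:
    """Port of of_decrypt: verify each marker, complement each data char.

    Returns the PB error string on odd length, a marker mismatch, or a
    data character outside the single-byte range.
    """
    j = len(as_str)
    if j % 2 == 1:                                # PB: IF NOT Mod(j, 2) = 1
        return ERROR_TEXT
    out = []
    for i in range(2, j + 1, 2):                  # PB: FOR i = 2 TO j+1 STEP 2
        if CRYPT_KEY[(i // 2) % 10] != as_str[i - 2]:   # Mid(as_str, i-1, 1)
            return ERROR_TEXT                     # lb_ok = FALSE; EXIT
        code = ord(as_str[i - 1])                 # Mid(as_str, i, 1)
        if code > 255:
            return ERROR_TEXT
        out.append(chr(255 - code))               # string(char(255 - asc(..)))
    return "".join(out)


def wire_markers(enc: str) -> str:
    """Characters at the odd positions of the wire string: the CRYPT_KEY
    sequence itself, sent unchanged next to the complemented bytes."""
    return enc[0::2]


if __name__ == "__main__":
    enc = of_encrypt("SECRET")                    # constructed sample password
    print(repr(enc), wire_markers(enc), of_decrypt(enc))
```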
 

Author Comment

by:sam15
ID: 24349041
So your idea is to write the encryption/decryption algorithm in the code instead of using the API provided by each, since those may work differently due to the number of algorithms there.
0
 

Author Comment

by:sam15
ID: 24349048
Does PB have something similar to SSL in web applications? SSL takes care of the encryption/decryption of data between the browser client and web server. Is there something for PB, or does that fall under Oracle Net*8 communications? That would encrypt all the data communications.
0
