veriify_passwrd

Posted on 2009-05-06
Last Modified: 2013-12-26
I have a PB app where user enters userid/password. It calls an oracle server function that returns 1 if userid/password is good and 0 if it is not. PB then lets the user in or blocks it.

Does this mean that PB is sending the password in text form or hashed to the server over the network? Passwords in DB are hashed. The server procedure has the hashing function that compares the hashed DB password to the hashed text entered.

2. If it is getting transmitted in text, how do we get it to send hashed or encrypted? We still want to keep authentication done by this server function.

Question by:sam15
11 Comments
 
LVL 14

Assisted Solution

by:sandeep_patel
sandeep_patel earned 800 total points
ID: 24320919
put a messagebox in your code just before passing the password variable to oracle function and you will know the format.

e.g
messagebox('',ls_pwd)
oracle_function(ls_user,ls_pwd)

Regards,
Sandeep
0
 

Author Comment

by:sam15
ID: 24321044
I did not quite understand that. What does the messagebox do?
For example if you enter "SCOTT/SECRET" on the PB screen and hit login. The client runs this oracle function
my_var := autheticate_user('scott','secret')

Is scott/secret getting sent to oracle over the network?

0
 
LVL 14

Expert Comment

by:sandeep_patel
ID: 24321118
yes... what you mean by passwords are hashed in db?

Does your oracle function do any decryption or it compares the password value as it is?
0
 

Author Comment

by:sam15
ID: 24321216
Hashed is one-way encryption. We can't decrypt the stored password in DB back to text.
The oracle function hashes the user entered password and then compares the hash value against the value stored in the database table for that user and determines if it is valid.
0
 
LVL 18

Expert Comment

by:diasroshan
ID: 24323717
Hi,

This is what I understood from ur comments above,
The user keys in his password as say 'SECRET'
The password in the database is hashed, say '#$@^#%'

So, 'SECRET' is passed over the network to the DB and ur oracle server function converts this to '#$@^#%' and compares it with the hash value stored as password.

Now, what u want is NOT to send the password as text ('SECRET')

Check the below link to encrypt and decrypt strings,
http://www.rgagnon.com/pbdetails/pb-0135.html

What u can do is encrypt ur password and send it to ur DB using below Powerbuilder function,
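[function string of_encrypt(as_str)]
// Builds the output by interleaving one marker character from CRYPT_KEY
// with each input character replaced by (255 - its character code).
integer i, j
string ls_enctext = ""
CONSTANT string CRYPT_KEY = "$#@%&#%@&*"

j = len(as_str)
FOR i = 1 TO j
    // marker character selected by the position i
    ls_enctext += mid(CRYPT_KEY , mod(i,10) + 1, 1)
    // input character replaced by 255 minus its character code
    ls_enctext += String(Char(255 - Asc(Mid(as_str, i, 1))))
NEXT

RETURN ls_enctext
//Code ends here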

Once, the encrypted password reaches the oracle function, decrypt it using the powerbuilder function algorithm in the link (Of course u have to modify the code to PL/SQL)

And, once the password is decrypted, it will now be in text 'SECRET'
then u can continue with ur remaining function of hashing this text password and compare with the hash value.

So what u need, is a PB function to encrypt the string and enhancement to ur existing oracle function to first decrypt the string and then continue with the existing code of hash encrypting and comparing.

Cheers,
Rosh
0
 

Author Comment

by:sam15
ID: 24327337
<<Once, the encrypted password reaches the oracle function, decrypt it using the powerbuilder function algorithm in the link (Of course u have to modify the code to PL/SQL) >>

How will you run that PB function on the oracle server to decrypt the encrypted password.
That is a PB client function running on the user PC and not on the server?

The oracle also has its own hash algorithm.
0
 
LVL 14

Expert Comment

by:sandeep_patel
ID: 24331345
rosh said "Ofcourse u have to modify the code to PL/SQL", it means you have to rewrite this algorithm in sql

regards,
Sandeep
0
 

Author Comment

by:sam15
ID: 24332762
that becomes complicated. oracle and PB had to use same encryption/decryption algorithm and key. It needs some work.
0
 
LVL 18

Accepted Solution

by:
diasroshan earned 1200 total points
ID: 24346992
Hi,

i see absolutely no complication to meet ur requirement,
All the effort u need is to convert the below PB Function algorithm and rewrite it in Oracle PL/SQL syntax,
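[function string of_decrypt(as_str)]
// Reverses of_encrypt: checks the marker character in front of each
// payload character, then undoes the (255 - character code) step.
integer i, j
string ls_encchar, ls_temp, ls_unasstr = "** Encryption Error"
boolean lb_ok = true
CONSTANT string CRYPT_KEY = "$#@%&#%@&*"

j = len(as_str)

IF NOT Mod(j, 2) = 1 THEN
   ls_temp = ""
   FOR i = 2 TO (j + 1) STEP 2
      // character i - 1 must be the marker expected for this position
      ls_encchar = Mid(as_str, i - 1, 1)
      IF mid(CRYPT_KEY, Mod(i / 2, 10) + 1, 1) <> ls_encchar THEN
        lb_ok = FALSE
        EXIT
      END IF
      // character i is the payload: 255 minus the original character code
      ls_encchar = Mid(as_str, i, 1)
      ls_temp += string(char(255 - asc(ls_encchar)))
   NEXT
ELSE
   // odd length cannot be of_encrypt output, so return the error string
   lb_ok = FALSE
END IF

IF lb_ok THEN ls_unasstr = ls_temp

RETURN ls_unasstr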

Create an Oracle Function of the above algorithm, and call this function first in ur original oracle function to decrypt the encrypted password sent by the front end PB application.

Cheers,
Rosh
0
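
An added example, not part of the thread or of the code on the linked page: a Python port of the two PowerScript functions posted above, assuming every password character has a code point of 255 or less and treating odd-length input as an error. The names recover_without_key and assess are hypothetical; they show that the payload step (255 - c) never uses CRYPT_KEY, so the encoding hides the password from casual view on the wire but does not keep it confidential.

```python
# Added example: Python port of the of_encrypt / of_decrypt PowerScript in this thread.
# Assumption: every password character has a code point <= 255.
CRYPT_KEY = "$#@%&#%@&*"          # fixed constant copied from the posted functions
ERROR = "** Encryption Error"     # error string returned by the posted of_decrypt


def of_encrypt(text: str) -> str:
    """Marker character from CRYPT_KEY, then the complemented input character."""
    out = []
    for i, ch in enumerate(text, start=1):      # PowerScript strings are 1-based
        out.append(CRYPT_KEY[i % 10])           # mid(CRYPT_KEY, mod(i,10) + 1, 1)
        out.append(chr(255 - ord(ch)))          # Char(255 - Asc(...))
    return "".join(out)


def of_decrypt(blob: str) -> str:
    """Check each marker character, then undo the complement."""
    if len(blob) % 2:                           # odd length: not of_encrypt output
        return ERROR
    out = []
    for i in range(2, len(blob) + 1, 2):        # same 1-based loop as the original
        if CRYPT_KEY[(i // 2) % 10] != blob[i - 2]:
            return ERROR
        out.append(chr(255 - ord(blob[i - 1])))
    return "".join(out)


def recover_without_key(blob: str) -> str:
    """Hypothetical helper: undo the transform while ignoring CRYPT_KEY.

    Markers sit at even 0-based offsets and the payload at odd ones; the
    payload step is 255 - c, which does not depend on the key at all.
    """
    return "".join(chr(255 - ord(c)) for c in blob[1::2])


def assess(password: str) -> dict:
    """Summarise what the encoding does and does not provide."""
    wire = of_encrypt(password)
    return {
        "round_trip": of_decrypt(wire) == password,
        "readable_without_key": recover_without_key(wire) == password,
        "same_output_every_time": wire == of_encrypt(password),
        "wire_length": len(wire),
    }


if __name__ == "__main__":
    print(assess("SECRET"))   # constructed sample password from the thread
```

Confidentiality in transit therefore has to come from encrypting the connection itself, which is what the last comment in this thread asks about.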
 

Author Comment

by:sam15
ID: 24349041
so your idea is to write the encryption/decryption algorithm in the code instead of using the API provided by each since those may work differently due to the number of algorithms there.
0
 

Author Comment

by:sam15
ID: 24349048
Does PB have something similar to SSL in WEB applications? SSL takes care of the encryption/decryption of data between browser client and web server. Is there something for PB or that falls under Oracle NET*8 communications. That would encrypt all the data communications.
0
