Solved

veriify_passwrd

Posted on 2009-05-06
Last Modified: 2013-12-26
I have a PB app where the user enters userid/password. It calls an Oracle server function that returns 1 if the userid/password is good and 0 if it is not. PB then lets the user in or blocks it.

Does this mean that PB is sending the password in text form or hashed to the server over the network? Passwords in the DB are hashed. The server procedure has the hashing function that compares the hashed DB password to the hashed text entered.

2. If it is getting transmitted in text, how do we get it to send it hashed or encrypted? We still want to keep authentication done by this server function.

Question by:sam15
 
LVL 14

Assisted Solution

by:sandeep_patel
sandeep_patel earned 200 total points
ID: 24320919
Put a messagebox in your code just before passing the password variable to the Oracle function and you will know the format.

e.g.
messagebox('',ls_pwd)
oracle_function(ls_user,ls_pwd)

Regards,
Sandeep
0
 

Author Comment

by:sam15
ID: 24321044
I did not quite understand that. What does the messagebox do?
For example, if you enter "SCOTT/SECRET" on the PB screen and hit login, the client runs this Oracle function:
my_var := autheticate_user('scott','secret')

Is scott/secret getting sent to Oracle over the network?

0
 
LVL 14

Expert Comment

by:sandeep_patel
ID: 24321118
Yes... what do you mean by passwords are hashed in the DB?

Does your Oracle function do any decryption, or does it compare the password value as it is?
0
 

Author Comment

by:sam15
ID: 24321216
Hashed is one-way encryption. We can't decrypt the stored password in the DB back to text.
The Oracle function hashes the user-entered password and then compares the hash value against the value stored in the database table for that user and determines if it is valid.
0
 
LVL 18

Expert Comment

by:diasroshan
ID: 24323717
Hi,

This is wat i understood from ur comments above,
The user keys in his password as say 'SECRET'
The password in the database is hashed, say '#$@^#%'

So, 'SECRET' is passed over the network to the DB and ur oracle server function converts this to '#$@^#%' and compares it with the hash value stored as password.

Now, what u want is NOT to send the password as text ('SECRET')

Check the below link to encrypt and decrypt strings,
http://www.rgagnon.com/pbdetails/pb-0135.html

What u can do is encrypt ur password and send it to ur DB using below Powerbuilder function,
[function string of_encrypt(as_str)]
integer i, j
string ls_enctext = ""
CONSTANT string CRYPT_KEY = "$#@%&#%@&*"

j = len(as_str)
FOR i = 1 TO j
    // Key character for this position, written out as a marker
    ls_enctext += mid(CRYPT_KEY , mod(i,10) + 1, 1)
    // Input character replaced by the complement of its character code
    ls_enctext += String(Char(255 - Asc(Mid(as_str, i, 1))))
NEXT

RETURN ls_enctext
//Code ends here

Once the encrypted password reaches the oracle function, decrypt it using the powerbuilder function algorithm in the link (Of course u have to modify the code to PL/SQL)

And, once the password is decrypted, it will now be in text 'SECRET'
then u can continue with ur remaining function of hashing this text password and compare with the hash value.

So wat u need, is a PB function to encrypt the string and enhancement to ur existing oracle function to first decrypt the string and then continue with the existing code of hash encrypting and comparing.

Cheers,
Rosh
0
 

Author Comment

by:sam15
ID: 24327337
<<Once, the encrypted password reaches the oracle function, decrypt it using the powerbuilder function algorithm in the link (Of course u have to modify the code to PL/SQL) >>

How will you run that PB function on the Oracle server to decrypt the encrypted password?
That is a PB client function running on the user PC and not on the server?

The oracle also has its own hash algorithm.
0
 
LVL 14

Expert Comment

by:sandeep_patel
ID: 24331345
Rosh said "Of course u have to modify the code to PL/SQL"; it means you have to rewrite this algorithm in SQL.

regards,
Sandeep
0
 

Author Comment

by:sam15
ID: 24332762
That becomes complicated. Oracle and PB have to use the same encryption/decryption algorithm and key. It needs some work.
0
 
LVL 18

Accepted Solution

by:
diasroshan earned 300 total points
ID: 24346992
Hi,

i see absolutely no complication to meet ur requirement,
All the effort u need is to convert the below PB Function algorithm and rewrite it in Oracle PL/SQL syntax,
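[function  string of_decrypt(as_str)]
integer i, j
string ls_encchar, ls_temp, ls_unasstr = "** Encryption Error"
boolean lb_ok = true
CONSTANT string CRYPT_KEY = "$#@%&#%@&*"

j = len(as_str)

// Valid output of of_encrypt always has an even length (marker + character pairs)
IF NOT Mod(j, 2) = 1 THEN
   ls_temp = ""
   FOR i = 2 TO (j + 1) STEP 2
      // Odd position: must be the expected key marker for this pair
      ls_encchar = Mid(as_str, i - 1, 1)
      IF mid(CRYPT_KEY, Mod(i / 2, 10) + 1, 1) <> ls_encchar THEN
        lb_ok = FALSE
        EXIT
      END IF
      // Even position: complemented character code
      ls_encchar = Mid(as_str, i, 1)
      ls_temp += string(char(255 - asc(ls_encchar)))
   NEXT
ELSE
   // Odd length: report an error instead of returning an empty string
   lb_ok = FALSE
END IF

IF lb_ok THEN ls_unasstr = ls_temp

RETURN ls_unasstr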

Create an Oracle Function of the above algorithm, and call this function first in ur original oracle function to decrypt the encrypted password sent by the front end PB application.

Cheers,
Rosh
0
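
Added example, not part of the original thread: a Python port of the of_encrypt/of_decrypt pair posted above, showing that CRYPT_KEY is only interleaved as position markers and never mixed into the password characters, so the encoded value decodes without the key and is identical on every login. The names decode_without_key and wire_properties and the sample password are constructed for illustration, and input is assumed to use character codes up to 255.

```python
# Added example: Python port of the thread's PowerBuilder of_encrypt/of_decrypt.
CRYPT_KEY = "$#@%&#%@&*"          # same constant as in the posted functions
ERROR = "** Encryption Error"


def of_encrypt(text: str) -> str:
    """Emit one key marker plus one complemented character per input char."""
    out = []
    for i, ch in enumerate(text, start=1):       # PowerBuilder strings are 1-based
        out.append(CRYPT_KEY[i % 10])            # mid(CRYPT_KEY, mod(i,10)+1, 1)
        out.append(chr(255 - ord(ch)))           # Char(255 - Asc(...)), codes <= 255
    return "".join(out)


def of_decrypt(data: str) -> str:
    """Check the markers, then complement every second character."""
    if len(data) % 2 == 1:                       # odd length is rejected here
        return ERROR
    out = []
    for i in range(2, len(data) + 1, 2):
        if data[i - 2] != CRYPT_KEY[(i // 2) % 10]:
            return ERROR
        out.append(chr(255 - ord(data[i - 1])))
    return "".join(out)


def decode_without_key(data: str) -> str:
    """Hypothetical helper: skips the markers, so it never reads CRYPT_KEY."""
    return "".join(chr(255 - ord(ch)) for ch in data[1::2])


def wire_properties(password: str) -> dict:
    """Summarise what the encoded value gives away on the network."""
    first, second = of_encrypt(password), of_encrypt(password)
    return {
        "round_trip": of_decrypt(first) == password,
        "keyless_decode": decode_without_key(first) == password,
        "same_every_login": first == second,     # no nonce or salt is involved
        "length_leaked": len(first) // 2,
    }


if __name__ == "__main__":
    print(wire_properties("SECRET"))             # constructed sample password
```

Since the encoding is fixed and keyless, the password's confidentiality on the wire depends on encrypting the connection itself, which is what the last question in the thread asks about.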
 

Author Comment

by:sam15
ID: 24349041
so your idea is to write the encryption/decryption algorithm in the code instead of using the API provided by each since those may work differently due to the number of algorithms there.
0
 

Author Comment

by:sam15
ID: 24349048
Does PB have something similar to SSL in web applications? SSL takes care of the encryption/decryption of data between browser client and web server. Is there something for PB, or does that fall under Oracle NET*8 communications? That would encrypt all the data communications.
0
