  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 319

veriify_passwrd

I have a PB app where the user enters userid/password. It calls an Oracle server function that returns 1 if the userid/password is good and 0 if it is not. PB then lets the user in or blocks it.

Does this mean that PB is sending the password in text form or hashed to the server over the network? Passwords in the DB are hashed. The server procedure has the hashing function that compares the hashed DB password to the hashed text entered.

2. If it is getting transmitted in text, how do we get it to send hashed or encrypted? We still want to keep authentication done by this server function.

0
sam15
Asked:
2 Solutions
 
sandeep_patel Commented:
Put a messagebox in your code just before passing the password variable to the Oracle function and you will know the format.

e.g.
messagebox('',ls_pwd)
oracle_function(ls_user,ls_pwd)

Regards,
Sandeep
0
 
sam15 (Author) Commented:
I did not quite understand that. What does the messagebox do?
For example, if you enter "SCOTT/SECRET" on the PB screen and hit login, the client runs this Oracle function
my_var := autheticate_user('scott','secret')

Is scott/secret getting sent to Oracle over the network?

0
 
sandeep_patel Commented:
Yes... what do you mean by passwords are hashed in the DB?

Does your Oracle function do any decryption, or does it compare the password value as it is?
0

 
sam15 (Author) Commented:
Hashed is one-way encryption. We can't decrypt the stored password in the DB back to text.
The Oracle function hashes the user-entered password and then compares the hash value against the value stored in the database table for that user and determines if it is valid.
0
 
diasroshan Commented:
Hi,

This is what I understood from your comments above:
The user keys in his password as, say, 'SECRET'
The password in the database is hashed, say '#$@^#%'

So, 'SECRET' is passed over the network to the DB and your Oracle server function converts this to '#$@^#%' and compares it with the hash value stored as password.

Now, what you want is NOT to send the password as text ('SECRET')

Check the below link to encrypt and decrypt strings,
http://www.rgagnon.com/pbdetails/pb-0135.html

What you can do is encrypt your password and send it to your DB using the below PowerBuilder function,
[function string of_encrypt(as_str)]
integer i, j
string ls_enctext = ""
CONSTANT string CRYPT_KEY = "$#@%&#%@&*"

j = len(as_str)
FOR i = 1 TO j
    ls_enctext += mid(CRYPT_KEY , mod(i,10) + 1, 1)
    ls_enctext += String(Char(255 - Asc(Mid(as_str, i, 1))))
NEXT

RETURN ls_enctext
//Code ends here

Once the encrypted password reaches the Oracle function, decrypt it using the PowerBuilder function algorithm in the link (of course you have to modify the code to PL/SQL).

And once the password is decrypted, it will now be in text 'SECRET',
then you can continue with your remaining function of hashing this text password and comparing it with the hash value.

So what you need is a PB function to encrypt the string and an enhancement to your existing Oracle function to first decrypt the string and then continue with the existing code of hash encrypting and comparing.

Cheers,
Rosh
0
 
sam15 (Author) Commented:
<<Once the encrypted password reaches the Oracle function, decrypt it using the PowerBuilder function algorithm in the link (of course you have to modify the code to PL/SQL).>>

How will you run that PB function on the Oracle server to decrypt the encrypted password?
That is a PB client function running on the user PC and not on the server?

Oracle also has its own hash algorithm.
0
 
sandeep_patel Commented:
Rosh said "of course you have to modify the code to PL/SQL"; it means you have to rewrite this algorithm in SQL.

regards,
Sandeep
0
 
sam15 (Author) Commented:
That becomes complicated. Oracle and PB have to use the same encryption/decryption algorithm and key. It needs some work.
0
 
diasroshan Commented:
Hi,

I see absolutely no complication in meeting your requirement.
All the effort you need is to convert the below PB function algorithm and rewrite it in Oracle PL/SQL syntax,
[function  string of_decrypt(as_str)]
integer i, j
string ls_encchar, ls_temp, ls_unasstr = "** Encryption Error"
boolean lb_ok = true
CONSTANT string CRYPT_KEY = "$#@%&#%@&*"

j = len(as_str)

IF NOT Mod(j, 2) = 1 THEN
   ls_temp = ""
   FOR i = 2 TO (j + 1) STEP 2
      ls_encchar = Mid(as_str, i - 1, 1)
      IF mid(CRYPT_KEY, Mod(i / 2, 10) + 1, 1) <> ls_encchar THEN
        lb_ok = FALSE
        EXIT
      END IF    
      ls_encchar = Mid(as_str, i, 1)
      ls_temp += string(char(255 - asc(ls_encchar)))
   NEXT
END IF

IF lb_ok THEN ls_unasstr = ls_temp

RETURN LS_UNASSTR

Create an Oracle function from the above algorithm, and call this function first in your original Oracle function to decrypt the encrypted password sent by the front-end PB application.

Cheers,
Rosh
0
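What the of_encrypt / of_decrypt pair posted in this thread does to a password, ported to Python as an added example (not code from the thread or from the linked site; the function names are made up for the port). It shows that CRYPT_KEY only supplies marker characters between the data characters, so each password character goes over the wire as a fixed complement (255 minus its code) that is the same at every login and does not depend on the key.

```python
# Added example: Python port of the PowerBuilder routines posted above.
# pb_encode, pb_decode, decode_without_key and key_dependent_positions
# are names invented for this port.
CRYPT_KEY = "$#@%&#%@&*"  # constant copied from the posted code


def pb_encode(text, key=CRYPT_KEY):
    """Mirror of of_encrypt: one marker char from the key, then 255 - code."""
    out = []
    for i, ch in enumerate(text, start=1):   # PowerScript strings are 1-based
        out.append(key[i % 10])              # mid(CRYPT_KEY, mod(i,10) + 1, 1)
        out.append(chr(255 - ord(ch)))       # Char(255 - Asc(...))
    return "".join(out)


def pb_decode(wire, key=CRYPT_KEY):
    """Mirror of of_decrypt: check each marker, then complement the data char.
    Returns None where the original returns its error string."""
    if len(wire) % 2:
        return None                          # odd length cannot be valid
    out = []
    for n in range(1, len(wire) // 2 + 1):
        marker, data = wire[2 * n - 2], wire[2 * n - 1]
        if marker != key[n % 10]:
            return None
        out.append(chr(255 - ord(data)))
    return "".join(out)


def decode_without_key(wire):
    """The key is never mixed into the data, so it is not needed to read it."""
    return "".join(chr(255 - ord(c)) for c in wire[1::2])


def key_dependent_positions(text, key_a, key_b):
    """Indexes of the output that change when the key changes."""
    a, b = pb_encode(text, key_a), pb_encode(text, key_b)
    return [i for i in range(len(a)) if a[i] != b[i]]


if __name__ == "__main__":
    wire = pb_encode("SECRET")               # constructed sample password
    print(repr(wire))
    print(pb_decode(wire), decode_without_key(wire))
    print(key_dependent_positions("SECRET", CRYPT_KEY, "0123456789"))
```

Only the even (marker) positions change with the key, so the transform hides nothing from anyone who can see the traffic; confidentiality in transit has to come from encrypting the connection itself, the SSL-style approach raised in the last post of this thread.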
 
sam15 (Author) Commented:
So your idea is to write the encryption/decryption algorithm in the code instead of using the API provided by each, since those may work differently due to the number of algorithms there.
0
 
sam15 (Author) Commented:
Does PB have something similar to SSL in web applications? SSL takes care of the encryption/decryption of data between the browser client and the web server. Is there something for PB, or does that fall under Oracle NET*8 communications? That would encrypt all the data communications.
0
