Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does the Oracle JDBC client encrypt password when you make a connection?

Tags:

oracle

jdbc

When you use the Oracle JDBC client library to make an Oracle connection, is the password or the security-handshake encrypted by default? (Want to know if there is a risk that the password can be sniffed over the wire when making a connection using the Oracle JDBC client library)

like image 505
BestPractices Avatar asked Sep 05 '12 15:09

BestPractices

1 Answers

The password is always encrypted when in transit over the network.

That is not to say that it is impervious to attack. If an attacker can obtain the hash of a user's password and they can monitor network traffic between a legitimate client and the database, then it is possible to obtain the plain-text password.

For the curious, here is a summary of the authentication process across various versions of the Oracle database software. The steps dealing with the transit of the encrypted password are in bold. It is not entirely intuitive which version of the authentication protocol is being used by the JDBC driver because it doesn't always match its advertised version. This is because the client can negotiate which protocol it wishes to use. For example, the 11g JDBC driver may not necessarily use the 11g authentication protocol when connecting to an 11g database (it may fall back to the 10g authentication protocol). I forget which drivers use which protocols.

Authentication protocol in Oracle Database 8

  1. The client requests a server session key for a particular user.
  2. The server generates a server session key.
  3. The server encrypts the server session key using the requested user's password hash as the secret key.
  4. The server transmits the encrypted server session key to the client.
  5. The client decrypts the encrypted server session key using the user's password hash as the secret key.
  6. The client encrypts the user's password using the server session key as the secret key. (proprietary algorithm based on DES)
  7. The client transmits the encrypted password to the server.
  8. The server decrypts the encrypted password using its server session key as the secret key.
  9. The server computes the hash of the decrypted password.
  10. If the computed password hash (from step 9) matches the copy stored on the server, then the user has provided the correct password.

Authentication protocol in Oracle Database 9i

  1. The client requests a server session key for a particular user.
  2. The server generates a server session key.
  3. The server encrypts the server session key using the requested user's password hash as the secret key.
  4. The server transmits the encrypted server session key to the client.
  5. The client decrypts the encrypted server session key using the user's password hash as the secret key.
  6. The client encrypts the user's password using the server session key as the secret key. (proprietary algorithm based on DES)
  7. The client transmits the encrypted password to the server.
  8. The server decrypts the encrypted password using its server session key as the secret key.
  9. The server computes the hash of the decrypted password.
  10. If the computed password hash (from step 9) matches the copy stored on the server, then the user has provided the correct password.

Authentication protocol in Oracle Database 10g

  1. The client requests a session key from the server, specifying which user it wishes to connect as.
  2. The server generates a server session key.
  3. The server encrypts the server session key using the requested user's password hash as the secret key.
  4. The server transmits the encrypted server session key to the client.
  5. The client decrypts the encrypted server session key using the requested user's password hash as the secret key.
  6. The client generates a client session key.
  7. The client combines the client session key with the server session key.
  8. The client salts the user's password.
  9. The client encrypts the user's salted password using the combined session keys (from step 7) as its secret key. (AES-128)
  10. The client encrypts the client session key using the user's password hash as the secret key.
  11. The client transmits the encrypted client session key and the encrypted, salted user password to the server.
  12. The server decrypts the encrypted client session key using the requested user's password hash.
  13. The server combines the client session key with its server session key.
  14. The server decrypts the encrypted, salted password using the combined session keys (from step 13) as the secret key.
  15. The server un-salts the salted password.
  16. The server hashes the decrypted password.
  17. The server compares the computed password hash (from step 16) with the stored password hash. If they are equal, the user has provided the correct password.

Authentication protocol in Oracle Database 11g

  1. The client requests a session key from the server, specifying which user it wishes to connect as.
  2. The server generates a server session key.
  3. The server generates verifier data.
  4. The server encrypts the server session key using the requested user's password hash as the secret key.
  5. The server transmits the encrypted server session key ("AUTH_SESSKEY") and the verifier data ("AUTH_VFR_DATA") to the client.
  6. The client hashes the user's password using the verifier data as the salt.
  7. The client decrypts the encrypted server session key using the user's password hash as the secret key.
  8. The client generates a client session key.
  9. The client combines the client session key with the server session key.
  10. The client salts the user's password.
  11. The client encrypts the user's salted password using the combined session keys (from step 9) as its secret key. (AES-192)
  12. The client encrypts the client session key using the user's password hash as the secret key.
  13. The client transmits the encrypted client session key and the encrypted, salted user password to the server.
  14. The server decrypts the encrypted client session key using the requested user's password hash.
  15. The server combines the client session key with its server session key.
  16. The server decrypts the encrypted, salted password using the combined session keys (from step 15) as the secret key.
  17. The server un-salts the salted password.
  18. The server hashes the decrypted password.
  19. The server compares the computed password hash (from step 18) with the stored password hash. If they are equal, the user has provided the correct password.
like image 135
Adam Paynter Avatar answered Oct 02 '22 16:10

Adam Paynter
Sign in to Comment

Related questions

How to write a for loop in Oracle sqlplus?
Update Oracle timestamp to current date
Oracle Sql developer error: could not install some modules
Why do I get an open transaction when just selecting from a database View?
How do I get the return value from a function in Oracle using Toad
How to get two return value from Oracle Stored Procedure
Change separator of WM_CONCAT function of Oracle 11gR2
oracle sql - select statement with multiple "case when" and check for contains text
"access denied" when installing Oracle Data Provider for entity framework
Connecting to a remote Oracle DB with Nodejs through Oracledb Driver
Issue in installing oracle 18cxe on ubuntu 18.04
ORA-01460: unimplemented or unreasonable conversion requested
ORA 00904 Error:Invalid Identifier
Sql Insert statement return "zero/no rows inserted"
Why Mysql's Group By and Oracle's Group by behaviours are different
Oracle Advanced Queueing with .Net
Prevent error when dropping not existing sequences, creating existing users
Oracle dynamic DESC and ASC in order by
SQL Decode Null Values
Tricky Quartz.NET Scenario

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!