Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> .NET and sending userid/password strings
(Message started by: Pete Finnigan on Sep 4th, 2007, 3:21pm)

Title: .NET and sending userid/password strings
Post by Pete Finnigan on Sep 4th, 2007, 3:21pm
Is there any way to send an encrypted password to Oracle as part of a connection string for logon w/o having to decrypt it?

I'm writing in .NET which, as you know, can be reverse engineered easily. If I encrypt a password on my own to place it in the string but then decrypt it to create my connection string, I've essentially given away everything necessary to get into the database.

Is there any way around this?

I'm using Oracle 10.2 and Visual Basic via Visual Studio 2005.

Thank you.

Title: Re: .NET and sending userid/password strings
Post by Pete Finnigan on Sep 6th, 2007, 2:58am
If the .NET code cannot be obfuscated, then whatever means it uses to connect to Oracle can be discovered.
That is, even if it could connect using an encrypted version of the password, then looking at the .NET code will give the "cracker" the same ability to connect with that encrypted password.

The username/password authentication is supposed to verify that the end USER knows the password. It doesn't really help if the password is coded into the application.
You could have a logon trigger that confirms that the access is coming from an appropriate (secure) IP address.

Title: Re: .NET and sending userid/password strings
Post by Pete Finnigan on Sep 6th, 2007, 10:18am
Gary's idea about a logon trigger to check where the request is coming from is good. Also look at valid_node_checking in the sqlnet.ora file and restrict the connections that way as well. Also have a look at Oracle password repository; there is a link on my tools page. You can use this to store an encrypted password on the OS and then access it at run time. You could access this possibly via a system() command in VB. This is not foolproof as someone could sniff the connection and get the password. You could then use ASO to encrypt the network connection or, for free, look at openssh; there are a couple of papers listed on my Oracle security white papers page, one by Roger Shragg and one I think by Jared Still, on how to tunnel TNS through openssh.

Also have a look at the Oracle mkstore tool that allows passwords to be encrypted in a wallet and then a slash connection to the database can be made. This is better as it allows your users to connect with slash without exposing the password, and the password is not leaked in the OS. You should use valid node checking and/or a logon trigger. mkstore was added in 10gR2. I am going to talk about mkstore in my blog soon.

hth

Pete
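As an added example (not from this thread, and not one of Pete's tools), a database logon trigger of the kind Gary and Pete describe: it restricts a named application account to an allow-list of client IP addresses held in a table. The table name, account name and address are constructed for illustration.

```sql
-- Constructed allow-list: which client addresses each policed account may connect from.
CREATE TABLE sec_allowed_hosts (
  username   VARCHAR2(30) NOT NULL,
  ip_address VARCHAR2(45) NOT NULL,
  CONSTRAINT sec_allowed_hosts_pk PRIMARY KEY (username, ip_address)
);

-- Sample entry (constructed): the application account and the application server's address.
INSERT INTO sec_allowed_hosts (username, ip_address) VALUES ('APP_USER', '10.0.0.15');
COMMIT;

-- The trigger owner needs the ADMINISTER DATABASE TRIGGER privilege to create this.
CREATE OR REPLACE TRIGGER sec_app_logon
AFTER LOGON ON DATABASE
DECLARE
  l_user  VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  -- IP_ADDRESS is NULL for local (bequeath) connections, so treat NULL as "not allowed".
  l_ip    VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  l_count PLS_INTEGER;
BEGIN
  -- Only police accounts that appear in the allow-list; everyone else is unaffected.
  SELECT COUNT(*) INTO l_count
    FROM sec_allowed_hosts
   WHERE username = l_user;
  IF l_count = 0 THEN
    RETURN;
  END IF;

  SELECT COUNT(*) INTO l_count
    FROM sec_allowed_hosts
   WHERE username = l_user
     AND ip_address = l_ip;

  IF l_count = 0 THEN
    -- Raising an error here rejects the session for ordinary users.
    RAISE_APPLICATION_ERROR(-20001,
      'Logon for ' || l_user || ' from ' || NVL(l_ip, 'local/unknown') ||
      ' is not permitted');
  END IF;
END;
/
```

Users holding ADMINISTER DATABASE TRIGGER (DBAs) can still log on when a logon trigger raises an error, so this complements valid_node_checking in sqlnet.ora rather than replacing it.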

Title: Re: .NET and sending userid/password strings
Post by Pete Finnigan on Oct 22nd, 2007, 8:02pm
Hi,

I use Oracle 10g enterprise (10.2) [DB server]
Tomcat as application server [DB client]
JDBC Thin driver to connect from Tomcat to Oracle
Everything in Linux machines.

I am trying to extract passwords from my application code so I want to use the Secure External Password Store (http://download-uk.oracle.com/docs/cd/B19306_01/java.102/b14355/clntsec.htm#CHDIJDBB) using a wallet to store usernames and passwords.

The problem is that all documentation I have found uses thick clients (like SQL*Plus) with configuration files where you configure the wallet location and other options. But I am using JDBC with the Thin driver, so my client does not have an sqlnet.ora configuration file (for example). I must use the object properties in the Java code for configuring the wallet location and I couldn't find any example that explains that.

Another question is how to create a wallet in a machine without Oracle tools. I need mkstore to create a wallet, but my client does not have any Oracle software! It only executes Java code that must connect to Oracle, but no Oracle client is installed!
So, can I use mkstore to create a wallet in another computer and simply copy the resulting wallet files to the client computer? Do I need any special care when doing this (preserve file permissions, owner, etc.)?

Any idea or helpful link?
Thanks.

Title: Re: .NET and sending userid/password strings
Post by Pete Finnigan on Oct 23rd, 2007, 9:00am
Hi,

Oracle's wallet is in PKCS12 format, which is an industry standard. You can use the Bouncy Castle provider or JCE to manipulate wallets and use them for passwords. You should check http://blog.mikesidoti.com/2007/04/opening-oracles-wallet.html for some basic ideas. The documentation for using wallets for database passwords is not good.

hth

cheers

Pete

Title: Re: .NET and sending userid/password strings
Post by Pete Finnigan on Oct 29th, 2007, 5:37pm
Thank you very much, Pete.
Your response was very helpful for me, but I have some doubts:

Can I use the method used in your link (http://blog.mikesidoti.com/2007/04/opening-oracles-wallet.html)?
Is storing passwords instead of certificates a problem?
At least, can I use Mike's method to open the wallet and then use another thing instead of the keystore API?
What is the role of Bouncy Castle/JCE? Replacing the keystore API for storing passwords?

Do you have any better idea to extract passwords from Java code? I don't use SSL certificates for authentication because Oracle Advanced Security in Oracle 10g does not support them in the JDBC thin driver.

I hope you understand my entry-level JDBC knowledge and my poor English.

THANKS A LOT!!

Title: Re: .NET and sending userid/password strings
Post by Pete Finnigan on Aug 14th, 2008, 11:32pm
Did you figure this out at all?
