Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

A good paper on Oracle's random number generator

I found an interesting paper last week on DBA Support about Oracle's random number generator. This is a package that can find uses in security or in cryptography. The paper is written by Steve Callan and is titled "Unwrapping Oracle's DBMS Packages: Understanding Oracle's Random Number Generator". The paper starts by confirming that the random number generator package DBMS_RANDOM should not be used to generate cryptographic keys as it is unsuitable. The paper then goes on to discuss why in detail. Steve gives some great examples and analysis. Page two of the paper talks about the installation scripts and then goes on to talk about the DBMS_RANDOM.STRING function with the 'P' option to generate cryptograms and even passwords. Steve closes by saying that he hopes to have surfaced some new features of the DBMS_RANDOM package and also given some insight into the numbers produced by this package.

This is a great paper and well worth reading.