The hash has never been passed over the wire - I describe in detail how authentication works in the Oracle Hacker's Handbook in Chapter 4. Here's an online copy: http://books.google.com.au/books?id=cDy2_QoQplEC&lpg=PA43&ots=5tygnUMzKQ&dq=oracle%20authentication%20process%20litchfield&pg=PA43#v=onepage&q=oracle%20authentication%20process%20litchfield&f=false
HTH, David-----Original Message----- From: Nuno Souto
Sent: Saturday, January 18, 2014 4:28 AM Cc: oracle-l-freelists Subject: Re: Question re security On 17/01/2014 8:19 PM, Fergal Taheny wrote:
This is something I have wondered about. The oracle passwords are envcrypted during transmission by default with standard sqlnet setup. I checked this with a packet sniffer once to confirm this but I have wondered if this encryption is reliable. No pre-sharing of any keys has to be done before a client can connect to a db. So as part of the authentication does the server send the client a key which the client uses to encrypt the password? If this is the case the isn't this open to a man in the middle attack?Would be interested to hear people opinions on this.
Not sure about that. In 9ir2, I could use one of the standard sniffers included in Suse Linux to fish out all Oracle pwds at login time on 1521. Haven't tried since then, so things might have changed. Used to be that the pwd was sent as is, and then encrypted after reaching the target server to be compared with the saved encrypted one in sys.user$. Likely not anymore, but I'd also appreciate confirmation of that. -- Cheers Nuno Souto dbvision@xxxxxxxxxxxx -- //www.freelists.org/webpage/oracle-l -- //www.freelists.org/webpage/oracle-l