Re: Question re security
- From: Nuno Souto <dbvision@xxxxxxxxxxxx>
- Date: Tue, 21 Jan 2014 22:52:11 +1100
Thanks a lot for the detail, David.
Very interesting that the password is not sent as clear text by default
anymore.
Excellent stuff. I'll definitely keep it in mind.
--
Cheers
Nuno Souto
dbvision@xxxxxxxxxxxx
On 21/01/2014 1:32 PM, david@xxxxxxxxxxxxxxxxxxxx wrote:
Here you go:
The server takes the supplied username and checks if it is a valid
user. If it is not the server sends a "login denied" error to the
client. We'll come back to this shortly. If the username does exist
then the server extracts the user's password hash from the database.
The server uses this hash to create a secret number. The secret number
is created as follows: the server calls the slgdt() function in the
orageneric library. This function essentially gets the system time.
The minutes, hours, milliseconds and second, all stored as a WORD, are
joined to form the 8 bytes of "text" to be encrypted. The first 4
bytes of the key to be used in the encryption is the minutes and hours
xored with the last four bytes of the user's hex password hash; the
last four bytes of the key are made up from the milliseconds and the
seconds xored with the first 4 bytes of the user's hex password hash.
This key is used to encrypt the text by calling the kzsrenc() function
in the oracommon library. This function basically performs DES key
scheduling using the lncgks() function and then uses the lncecb()
function to output the cipher text using DES in ECB mode.
...
--
//www.freelists.org/webpage/oracle-l
Other related posts:
