Forum > Databases

Autentication Oracle [without solution]

(1/4) > >>

CapitaoVirgulinoFerreira:
I have an application that fetches information from a database that is not mine.
I have access to this database as an administrator (Oracle).

However, I would like to authenticate access to my application using the same LOGIN and PASSWORD for this database.
Analyzing the table, I saw that the database has 2 fields referring to the password.
Example:

SELECT * FROM USUARIOS


--- Code: Pascal  [+][-]window.onload = function(){var x1 = document.getElementById("main_content_section"); if (x1) { var x = document.getElementsByClassName("geshi");for (var i = 0; i < x.length; i++) { x[i].style.maxHeight='none'; x[i].style.height = Math.min(x[i].clientHeight+15,306)+'px'; x[i].style.resize = "vertical";}};} ---IDUSER  USERNAME  PASSWD01                    PASSWD025555     MYUSER  CC4A064DD77CA8E    lXxHd194tGeUCJvry8a5G+ 
Is there any way to perform this authentication?

MarkMLl:
Please bear in mind that Oracle expertise is a relative rarity in the open/free software community, and I claim to be no better than average. However, the two strings that you have found in your database


--- Code: ---IDUSER  USERNAME  PASSWD01                    PASSWD02
5555     MYUSER  CC4A064DD77CA8E    lXxHd194tGeUCJvry8a5G+

--- End code ---

look like a hash of an actual password, with the first being around 15x4=60 bits and the second tentatively 21x5=105 bits.

I would be surprised if the overall algorithm were particularly good, but the brutal reality is that to find a password that corresponds to MYUSER is probably going to be difficult. I'm carefully not saying impossible, because if you had access to either the executable binary or to the program that generates application-specific keywords you could probably reverse-engineer the algorithm.

MarkMLl

CapitaoVirgulinoFerreira:
(Português, Brasil).

O Software ao qual pertence esse banco de dados é de uma empresa de grande porte.
Não tenho como obter essa informação do código fonte.

MarkMLl, agradeço a sua colaboração.

Thaddy:
As Mark wrote it is indeed a secure one way Hash and that is also the correct way to store a password. It should be impossible to retrieve the password from the hash.
How it should be used on Password entry is to use the same hash algorithm on he entered password and compare that hash to the stored hash. If they are equal the password is valid. IIRC Oracle supports several secure hashes, so examine the documentation to find out the default. It may be in the meta data. Frankly I expect it to be in the meta data.

For example in Oracle 12c the default is a PBKDF2 based sha512 hash. 
This is the same as used in HMAC 512.
Older versions used sha1 and really old versions MD5 or even DES3. This is as per the Oracle documentation of version 12c.
A few other remarks
1.the hash is intentionally deoptimized to prevent timing and brute force attacks, so when handling passwords complete boolean evaluation should be ON in your Pascal hash code and the hash is applied multiple times. This is not always the case with the available FPC hash libraries.
2.the hash type is indeed stored in the meta data.
3. the hash may be only partially stored
4. backwards compatibility is provided in Oracles hashlib
5. in fact it should be transparant. Oracle client and server handle this
6. But it is possible to create the same hash in Pascal.

So my question is what version of Oracle are you using...

MarkMLl:
Those very short hashes suggest that they might not have been generated by Oracle itself,but by application code. As such they might be somewhat weaker than expected.

MarkMLl

Navigation

[0] Message Index

[#] Next page

Go to full version