Security encryption question

Hi,

We use Toad for Oracle vs 10.6.

Are the USER and Password encrypted in flight (between TOAD and Oracle)?

If it doesn’t default to this, is there a setting to make it happen?

Thanks.

This is really more of an Oracle question. Toad just talks to OCI.dll, which is part of your Oracle Client. The Oracle client sends information back and forth between your PC and the server. I don’t know the answer to your question.

From: klodtr [mailto:bounce-klodtr@toadworld.com]

Sent: Friday, August 16, 2013 11:52 AM

To: toadoracle@toadworld.com

Subject: [Toad for Oracle - Discussion Forum] Security encryption question


Yes – purchase Oracle Advanced Security – which is what’s required to encrypt all network traffic between Oracle client and server.


On 16/08/13 17:52, klodtr wrote:

We use Toad for Oracle vs 10.6.

Are the USER and Password encrypted in flight (between TOAD and Oracle)?
4 Authentication Methods
The above states the following:
Passwords are always automatically and transparently encrypted during network (client/server and server/server) connections, using a modified DES (Data Encryption Standard) or 3DES algorithm, before sending them across the network.
Tom Kyte says the following with regard to the above link:
Oracle Password Encryption - Ask TOM
"...the password is always encrypted when sent from client to server - regardless of what the client is - jdbc, odbc, whatever - they send the password encrypted."
So, given that the OCI layer does the sending, I'd be pretty sure - from the docs - that the password, at least, is never sent in plain text, even from Toad or any other client.
I bet you could find out with wireshark or some other sniffer tool?
Cheers,
Norm.
-- Cheers,
Norm. [TeamT]

Some more information on the matter, after a quick search of the bookcase:
According to David Litchfield in ‘The Oracle Hacker’s Handbook’ (2007, Wiley Publishing, Inc.) the server generates a ‘secret number’ using the user’s password hash and a timestamp. This number is then encrypted using the user’s password hash and sent to the client as AUTH_SESSKEY. The client then uses the user’s password to decrypt the secret number, which is finally used to encrypt the user’s password (AUTH_PASSWORD) which is sent back to the server. The server decrypts the password using the secret number and tests it against the Oracle authentication.
This (the password) is the only part of the communication that is obscured. All queries sent to the server and all result sets returned pass over the wire in clear text. Thus, if you request a credit card number or a social security number or any other piece of sensitive data from the database it is passed back as plain text. This means that despite any other precautions an attacker can intercept sensitive data simply by listening to a connection involved in the communication between the client and the server.
Furthermore, the schema name, user name, and all other connection details are passed in the clear over the wire. This simplifies brute forcing attempts against the database since anyone intercepting data on the wire can collect lists of valid schemas and usernames.
Pages 46-47 and around there cover this in some detail, with sniffed packets and such like. But as the above basically says, everything is plain text except the password. If you want your data etc. encrypted, then you have to pay up for the Advanced Security option as Bert hinted at.
HTH
– Cheers,
Norm. [TeamT]

Thanks to all for your quick responses. We do have the Oracle Advanced Security. Based on your feedback, it sounds like we should be covered. However, I need to have proof for auditors. I have asked my DBAs to provide the proof.
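As an added illustration (not code from any poster in this thread), the sqlnet.ora parameters that switch on Oracle native network encryption, and a query a DBA could run to show auditors which sessions actually negotiated it. The file location, the sample session values and the banner wording matched by the LIKE pattern are assumptions; the view and its columns are standard.

```sql
-- Server-side sqlnet.ora (assumed path: $ORACLE_HOME/network/admin/sqlnet.ora).
-- REQUIRED refuses any client that cannot encrypt; the client-side OCI.dll
-- that Toad loads reads its own sqlnet.ora, whose default of ACCEPTED is
-- enough once the server demands encryption:
--
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
--
-- Proof for the auditors: V$SESSION_CONNECT_INFO carries one banner row per
-- network service negotiated for a session. A session that is encrypted has
-- an "... Encryption service adapter ..." row naming the cipher; a session
-- that is not has only the generic "Encryption service" row (assumed wording).

-- 1. What did my own (Toad) session negotiate?
SELECT sid, network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
 ORDER BY sid;

-- 2. Which user sessions are talking to the database WITHOUT a negotiated
--    encryption adapter? An empty result set is the evidence the auditors want.
SELECT s.sid, s.serial#, s.username, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND NOT EXISTS (
         SELECT 1
           FROM v$session_connect_info c
          WHERE c.sid = s.sid
            AND c.serial# = s.serial#
            AND c.network_service_banner LIKE '%Encryption service adapter%')
 ORDER BY s.sid;
```

Both queries need SELECT on the V$ views, so run them as a DBA rather than from an application account.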