[Oracle 12c] Change in the password storage hashing algorithm for Oracle DB users


Starting with Oracle 12c, DB user password verifiers are stored using a SHA-512 based algorithm (PBKDF2 with SHA-512).

Oracle 11g used the SHA-1 based 11g password algorithm.

https://docs.oracle.com/cd/E25054_01/network.1111/e16543/authentication.htm#CHDEFIHB

Ensuring Against Password Security Threats by Using the SHA-1 Hashing Algorithm

“The SHA-1 cryptographic hashing algorithm protects against password-based security threats by including support for mixed case characters, special characters, and multibyte characters in passwords. In addition, the SHA-1 hashing algorithm adds a salt to the password when it is hashed, which provides additional protection. This enables your users to create far more complex passwords, and therefore, makes it more difficult for an intruder to gain access to these passwords. Oracle recommends that you use the SHA-1 hashing algorithm.”

 

The procedure for generating an 11g hash

  • A 10-byte SALT is generated by Oracle (it looks random)
  • The password (case-sensitive) and the SALT (10 bytes) are concatenated
  • A SHA-1 hash is computed over the concatenated value
  • The 11g password hash becomes: “S:” plus <SHA-1 hash, readable hex representation, 40 characters> plus <SALT, readable hex representation, 20 characters>

 

Oracle 10g used the 3DES-based 10g password algorithm.

The procedure used for generating a 10g hash

  • Convert the username to uppercase (username sys becomes SYS)
  • Convert the password to uppercase (password test becomes TEST)
  • Concatenate the capitalized username and password (username SYS with password TEST becomes SYSTEST)
  • Encrypt the concatenated value (using the 3DES algorithm) with a permanent, always-the-same secret key
  • Encrypt the concatenated value again (using the 3DES algorithm) with a second key, which is the last 8 bytes of the first encryption's output
  • The actual password hash is the last 8 bytes of the second encryption round, stored as the readable hex representation of those 8 bytes, i.e. 16 characters

Oracle 12c test

https://www.trustwave.com/Resources/SpiderLabs-Blog/Changes-in-Oracle-Database-12c-password-hashes/

 

Oracle has made improvements to user password hashes within Oracle Database 12c. By using a PBKDF2-based SHA512 hashing algorithm, instead of simple SHA1 hash, password hashing is more secure. With this post, I’ll explain some of the changes and their security implications.

With Oracle Database 11g, the spare4 column from the sys.user$ table stores user password hashes.

This is an example of the sys.user$.spare4 entry for user ‘demo‘ with password ‘epsilon‘ (pluggable database):

S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C

Step-by-step:

SQL> create user demo identified by epsilon;
User created.
SQL> select spare4 from sys.user$ where name = 'DEMO';
SPARE4
--------------------------------------------------------------------------------
S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C

sys.user$.password value for the same user:

SQL> select password from sys.user$ where name = 'DEMO';
PASSWORD
--------------------------------------------------------------------------------
2B7983437FE9FEB6

We will skip the discussion of the password column value: it is calculated with the same algorithm as in previous Oracle Database versions (uppercase and concatenate the username and password, then apply the 3DES-based procedure described above).

The spare4 column’s value has three parts (“S:“, “H:“, and “T:“) separated by semicolons.

The “S:” part length is 60 characters or 30 bytes:

8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A

The “H:” part length is 32 characters or 16 bytes:

DC9894A01797D91D92ECA1DA66242209

Finally, the “T:” part length is 160 characters or 80 bytes:

23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C

So what do they mean exactly?

The S part

In Oracle Database 11g there is an “S:” part, and it is created as follows:

password hash (20 bytes) = sha1(password + salt (10 bytes))

(Visit http://marcel.vandewaters.nl/oracle/security/password-hashes for more detail.)

The same is true of Oracle Database 12c: the simple test below proves that.

For the S value from above (8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A):

hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C
salt is 6271691FC55C1F56554A

Password is “epsilon“, so let’s calculate SHA1 hash from 'epsilon' + 0x6271691FC55C1F56554A:

import hashlib
sha1 = hashlib.sha1()
sha1.update(b"epsilon")                               # password, case-sensitive
sha1.update(bytes.fromhex("6271691FC55C1F56554A"))   # 10-byte salt taken from the S: part
sha1.hexdigest().upper()

That calculation produces:

8F2D65FB5547B71C8DA3760F10960428CD307B1C

This is identical to the 11g algorithm.

The H part

When looking through the SQL files under $ORACLE_HOME/rdbms/admin one can spot this:

create or replace view DBA_DIGEST_VERIFIERS
  (USERNAME, HAS_DIGEST_VERIFIERS, DIGEST_TYPE) as
select u.name, 'YES', 'MD5' from user$ u where instr(spare4, 'H:')>0
union
select u.name, 'NO', NULL from user$ u where not(instr(spare4, 'H:')>0) or spare4 is null
/

So it appears to be an MD5 hash.

Note that there is SQL code under $ORACLE_HOME/rdbms/admin that modifies the spare4 column’s value to remove the H: on downgrade.

This is how spare4.H is calculated: the username is uppercased, then the MD5 hash is computed over the uppercased username, the literal ‘XDB‘ and the password, joined with colons:

import hashlib
m = hashlib.md5()
m.update(b'DEMO:XDB:epsilon')   # UPPERCASE_USERNAME:XDB:password, no salt
m.hexdigest().upper()
'DC9894A01797D91D92ECA1DA66242209'

Because there is no salt, this makes it possible to attack built-in user passwords using precalculated hashes for dictionary words prefixed with constants like ‘SYSTEM:XDB:‘.

The H value seems to be used for digest authentication in XDB.

The T part

This applies to 12.1.0.2 only; in earlier 12c releases the T part is not present.

Let’s enable 12c passwords hashes only by updating the sqlnet.ora file (assuming the client is from 12.1.0.2 distribution too):

# sqlnet.ora
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a

Then re-create the demo user (reconnect the client first):
drop user demo;
create user demo identified by epsilon;
select spare4 from sys.user$ where name = 'DEMO';
H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B

Note that the spare4 value no longer has the S: part, only the H: and T: components are there.
In Oracle Database 12c documentation we can find this:

About the 12C Verifier

… is based on a de-optimized algorithm involving PBKDF2 and SHA512…

So the password should be processed via PBKDF2 followed by SHA512 to produce T.

During authentication the server sends the so-called AUTH_VFR_DATA (which matches the last 16 bytes of the spare4.T value) to the client:

-- Server to client packet snippet
39 39 39 00 00 00 00 0D-00 00 00 0D 41 55 54 48 999.........AUTH
5F 56 46 52 5F 44 41 54-41 20 00 00 00 20 38 44 _VFR_DATA.....8D
44 31 42 45 33 46 36 37-42 46 46 39 38 31 33 41 D1BE3F67BFF9813A
34 36 34 33 38 32 33 38-31 41 42 33 36 42 15 48 464382381AB36B.H

So we can divide the T value into two parts (the first 64 bytes and the AUTH_VFR_DATA):

E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD (first 128 chars or 64 bytes)
8DD1BE3F67BFF9813A464382381AB36B (last 32 chars or 16 bytes – AUTH_VFR_DATA)

Let’s assume that the AUTH_VFR_DATA is randomly generated when a password is set/reset. Thus the Python code to produce the first 64 bytes of T is (using the standard library's hashlib.pbkdf2_hmac; the original post used the third-party pbkdf2 module, which computes the same PBKDF2-HMAC-SHA512 value):

import hashlib
# Received from the server once the 12c protocol is negotiated
AUTH_VFR_DATA = bytes.fromhex('8DD1BE3F67BFF9813A464382381AB36B')
salt = AUTH_VFR_DATA + b'AUTH_PBKDF2_SPEEDY_KEY'
# PBKDF2-HMAC-SHA512, 4096 iterations, 64-byte derived key; the password is 'epsilon'
key_64bytes = hashlib.pbkdf2_hmac('sha512', b'epsilon', salt, 4096, 64)
# The client encrypts this 64-byte key and sends it as AUTH_PBKDF2_SPEEDY_KEY;
# the server decrypts it and then computes:
t = hashlib.sha512()
t.update(key_64bytes)
t.update(AUTH_VFR_DATA)
t.hexdigest().upper()   # first 64 bytes of spare4.T if the password is correct

This produces:

E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD
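The S, H and T calculations above fit naturally into one verifier checker. The script below is an added example (it is not code from the original post, from Trustwave or from Oracle); it reuses the DEMO/epsilon spare4 values shown on this page as constructed sample input, and the function and constant names (parse_spare4, check_password, crack_h_verifier, SPEEDY_KEY_SUFFIX) are this example's own. It also makes the cost asymmetry concrete: a guess against the unsalted H: part costs one MD5, while the same guess against T: costs 4096 HMAC-SHA-512 rounds plus one SHA-512.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Verifier parameters as described above (salt suffix and PBKDF2 round count).
PBKDF2_ROUNDS = 4096
SPEEDY_KEY_SUFFIX = b"AUTH_PBKDF2_SPEEDY_KEY"

# Constructed sample input: the two DEMO/epsilon spare4 values from this page.
# The first was created with the default sqlnet.ora, the second with
# SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a (so it has no S: part).
SPARE4_DEFAULT = (
    "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
    "H:DC9894A01797D91D92ECA1DA66242209;"
    "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14"
    "BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EE"
    "EB4FDEC478FB7C7CBFBBAC57BA3EF22C"
)
SPARE4_12A = (
    "H:DC9894A01797D91D92ECA1DA66242209;"
    "T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3B"
    "DD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD"
    "8DD1BE3F67BFF9813A464382381AB36B"
)


def parse_spare4(spare4: str) -> Dict[str, bytes]:
    """Split a sys.user$.spare4 string into its S:/H:/T: parts as raw bytes."""
    parts: Dict[str, bytes] = {}
    for field in spare4.split(";"):
        if not field:
            continue
        tag, sep, hexval = field.partition(":")
        if sep != ":" or tag not in ("S", "H", "T"):
            raise ValueError(f"unexpected spare4 field {field[:8]!r}")
        parts[tag] = bytes.fromhex(hexval)
    return parts


def s_verifier(password: str, salt: bytes) -> bytes:
    """11g S: part, 20 bytes: SHA-1(password || 10-byte salt). Case-sensitive."""
    return hashlib.sha1(password.encode() + salt).digest()


def h_verifier(username: str, password: str) -> bytes:
    """12c H: part, 16 bytes: MD5('USERNAME:XDB:password'). There is no salt."""
    return hashlib.md5(f"{username.upper()}:XDB:{password}".encode()).digest()


def t_verifier(password: str, auth_vfr_data: bytes) -> bytes:
    """12c T: part, first 64 bytes.

    key = PBKDF2-HMAC-SHA512(password, AUTH_VFR_DATA || 'AUTH_PBKDF2_SPEEDY_KEY',
                             4096 rounds, 64 bytes)
    T   = SHA-512(key || AUTH_VFR_DATA)
    """
    key = hashlib.pbkdf2_hmac("sha512", password.encode(),
                              auth_vfr_data + SPEEDY_KEY_SUFFIX, PBKDF2_ROUNDS, 64)
    return hashlib.sha512(key + auth_vfr_data).digest()


def check_password(username: str, password: str, spare4: str) -> Dict[str, bool]:
    """Test a candidate password against every verifier present in spare4."""
    parts = parse_spare4(spare4)
    result: Dict[str, bool] = {}
    if "S" in parts:
        digest, salt = parts["S"][:20], parts["S"][20:]   # 20-byte hash, 10-byte salt
        result["S"] = hmac.compare_digest(s_verifier(password, salt), digest)
    if "H" in parts:
        result["H"] = hmac.compare_digest(h_verifier(username, password), parts["H"])
    if "T" in parts:
        digest, vfr = parts["T"][:64], parts["T"][64:]    # 64-byte hash, 16-byte AUTH_VFR_DATA
        result["T"] = hmac.compare_digest(t_verifier(password, vfr), digest)
    return result


def crack_h_verifier(username: str, h_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on the unsalted H: part: one MD5 per guess, and the table
    for a fixed prefix such as 'SYSTEM:XDB:' can be precomputed once and reused."""
    target = bytes.fromhex(h_hex)
    for guess in wordlist:
        if h_verifier(username, guess) == target:
            return guess
    return None


if __name__ == "__main__":
    print("default:", check_password("demo", "epsilon", SPARE4_DEFAULT))
    print("12a:    ", check_password("demo", "epsilon", SPARE4_12A))
    print("cracked H:", crack_h_verifier("demo", "DC9894A01797D91D92ECA1DA66242209",
                                         ["alpha", "delta", "epsilon"]))
```

check_password reports each verifier separately, which is what you want when auditing a dump: an account whose spare4 still carries S: or H: is crackable at SHA-1 or MD5 speed no matter how strong the T: verifier is, so the presence of those parts is the finding, not the strength of T:.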

Summing up

Oracle has added an MD5 hash and a PBKDF2-based SHA-512 hash in 12c. A quote from the Oracle documentation:

The cryptographic hash function used for generating the 12C verifier is based on a de-optimized algorithm involving PBKDF2 and SHA-512. The PBKDF2 algorithm is used to introduce computational asymmetry in the challenge facing an intruder seeking to recover the original password when in possession of the 12C verifier.

When the MD5 H: hash is present it weakens security, since an unsalted MD5 over a known-format string is far easier to brute-force than the PBKDF2-based SHA-512 verifier alone.


Comments

haisins

I am Oracle DBA Park Yong-seok. Please send inquiries to haisins@gmail.com.

Comments are closed.