Account Options

  1. Sign in
The old Google Groups will be going away soon, but your browser is incompatible with the new version.
Google Groups Home
« Groups Home
comp.databases.oracle
About this group
Subscribe to this group
This is a Usenet group - learn more
Message from discussion Oracle password encryption algorithm?
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Bob Baldwin  
View profile  
 More options Jul 9 1993, 12:34 am
Newsgroups: comp.databases.oracle, comp.security.misc
From: bald...@lat.com (Bob Baldwin)
Date: Thu, 8 Jul 1993 21:49:12 GMT
Local: Thurs, Jul 8 1993 5:49 pm
Subject: Re: Oracle password encryption algorithm?
Print | View thread | Show original | Report this message | Find messages by this author
Dave Trahan wants to know the Oracle password algorithm so
he can check for weak passwords.  When I was the project
lead for Trusted Oracle I designed the new password algorithm
that is used in versions 6, 7, and later.  I presented the
details at a Bay Area Trusted System Symposium so I am not
revealing any information that is not already in the puiblic
domain.  Here are some of the details as I remember them.

Design Goals:
1. Must work with all terminals.
   ===> Some terminals do not have lowercase letters, so
        the password algorithm ignores differences between
        upper and lower case!!!  The passwords "Tiger"
        and "tiger" map to the same value.

2. Must support usernames and passwords that include non-ascii
   characters.
        The username and password are converted to
        16 bit per character representation before any processing
        is done.  Ascii characters have the high byte zeroed.

3. If different users have the same password, then the one-way
   hash value (encrypted value) for the passwords will be different.

4. Long passwords are supported.
        I believe that usernames and passwords can both be 40 chars.

Implementation:
1.  Upshift password, convert to 16bits per character, and place
    result left justified in an 80 byte array of zeros.

2.  Using DES in cipher block feedback mode compute the CBC checksum for
    the 80 byte password array using a fixed secret password (you can find
    it in the code if you look hard enough).  The result is used as the
    key for the next step ignoring parity bits to produce the a 56 bit
    key from the CBC.

3.  Upshift password, and convert to 16bits per character, and place
    result left justified in an 80 byte array of zeros.

4.  Using DES in cipher block feedback mode compute the CBC checksum
    for the 80 byte username array using the key generate in step 2.

5.  Convert the CBC checksum from step 4 into a printable string with
    the obvious algorithm.

                --Bob Baldwin
Director of Development                 We provide the best solutions
Los Altos Technologies, Inc.            to our customers key security
bald...@lat.com                                problems.


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2013 Google