Good morning,
I am looking for some clarification on a custom authentication scheme to be written for APEX 5.1 on a 12c database.
I have done PLENTY of reading (probably a little too much) and I have come across numerous articles giving different methods to do this, so I am asking for some clarification. As it stands, in its simplest form I am going to be storing username/pw (amongst other things) in a database table and then authenticate against this. How I go about securely storing the passwords is what's confusing me slightly.
From some original training in the product years ago, plus several articles I have seen on the web, some people state that simply using dbms_crypto.hash to store the pw, then checking a hashed value of the user's password input against the one stored in the DB, will suffice, as it should match since it does not change.
For example:
  -- p_password is the caller-supplied password; both l_* variables are RAW
  l_raw_password       := utl_raw.cast_to_raw(p_password);
  -- unsalted MD5 digest (a hash, not encryption, despite the variable name)
  l_encrypted_password := dbms_crypto.hash(l_raw_password, dbms_crypto.hash_md5);
  -- Then do some check here against the DB table --
This seems too simple to crack with rainbow tables and the like, so I would assume it is absolutely common practice to add a salt key to that hash, as I read an excellent article posted on this forum by @"fac586" about random salt keys being the best way forward for security?
I have also seen methods (one found on toadworld/oracle docs) of using encryption/decryption of type 256-bit AES (which seems to be referenced quite a lot away from Oracle):
  -- Inside a procedure that receives p_password IN VARCHAR2:
  DECLARE
    encryption_type PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
    num_key_bytes   NUMBER      := 256/8;   -- AES-256 needs a 32-byte key
    key_bytes_raw   RAW(32);
    encrypted_raw   RAW(2000);
  BEGIN
    key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES(num_key_bytes);
    encrypted_raw := DBMS_CRYPTO.ENCRYPT(
      src => UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8'),
      typ => encryption_type,
      key => key_bytes_raw
    );
  END;
This used dbms_crypto.randombytes (based on the RSA X9.31 PRNG) to generate a random SALT key for each password. If I store the encrypted PW value and the random SALT key in a table/s, surely I am one SQL injection attack away from losing the passwords?
So which would be the most secure method of storing the password then authenticating of the two?
If I am reading correctly, the standard from OWASP seems like it's an amalgamation of the two methods above. So, for example, would it be possible to generate a random SALT key with randombytes in conjunction with encrypting the password using DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5, then store a hash of the encrypted value + the SALT key?
Thanks for any assistance!
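The following is an added example, not code from the post or from the articles it cites, of the salted-hash approach the post asks about, written for DBMS_CRYPTO on 12c (HASH_SH256 exists from 12c onward). It stores only a per-user random salt plus a stretched SHA-256 digest, so there is no reversible ciphertext and no encryption key to protect: the random bytes are a salt stored in the clear next to the hash, not an AES key. The table name, package name, column sizes and iteration count are assumptions; the iterated-hash loop is a simple stretching scheme, not PBKDF2 or bcrypt, which DBMS_CRYPTO does not provide.

```plsql
-- Added example (not from the original post). Names are assumptions.
CREATE TABLE app_users (
  username      VARCHAR2(100) PRIMARY KEY,
  pw_salt       RAW(16)       NOT NULL,  -- per-user random salt, stored in the clear
  pw_hash       RAW(32)       NOT NULL,  -- SHA-256 digest is 32 bytes
  pw_iterations NUMBER        NOT NULL   -- stored so the cost can be raised later
);

CREATE OR REPLACE PACKAGE app_auth AS
  PROCEDURE set_password(p_username IN VARCHAR2, p_password IN VARCHAR2);
  -- Signature matches what an APEX custom authentication function needs.
  FUNCTION  verify_password(p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;
END app_auth;
/

CREATE OR REPLACE PACKAGE BODY app_auth AS
  -- Assumption: tune to your hardware (aim for tens of milliseconds per call).
  c_iterations CONSTANT PLS_INTEGER := 100000;

  -- Iterated SHA-256 over (salt || password), feeding each digest back in.
  -- Iteration slows offline guessing; the salt defeats precomputed tables.
  FUNCTION stretch(p_salt IN RAW, p_password IN VARCHAR2, p_iterations IN PLS_INTEGER)
    RETURN RAW IS
    l_pw  RAW(4000) := UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8');
    l_dig RAW(32);
  BEGIN
    l_dig := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_salt, l_pw), DBMS_CRYPTO.HASH_SH256);
    FOR i IN 2 .. p_iterations LOOP
      l_dig := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(l_dig, p_salt, l_pw), DBMS_CRYPTO.HASH_SH256);
    END LOOP;
    RETURN l_dig;
  END stretch;

  PROCEDURE set_password(p_username IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh salt on every change
    l_hash RAW(32) := stretch(l_salt, p_password, c_iterations);
  BEGIN
    -- Static SQL with bind variables: no string concatenation, no injection path.
    UPDATE app_users
       SET pw_salt = l_salt, pw_hash = l_hash, pw_iterations = c_iterations
     WHERE username = p_username;
    IF SQL%ROWCOUNT = 0 THEN
      INSERT INTO app_users (username, pw_salt, pw_hash, pw_iterations)
      VALUES (p_username, l_salt, l_hash, c_iterations);
    END IF;
  END set_password;

  FUNCTION verify_password(p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN IS
    l_salt RAW(16);
    l_hash RAW(32);
    l_iter NUMBER;
  BEGIN
    SELECT pw_salt, pw_hash, pw_iterations
      INTO l_salt, l_hash, l_iter
      FROM app_users
     WHERE username = p_username;
    -- Recompute with the stored salt and iteration count, then compare RAWs.
    RETURN UTL_RAW.COMPARE(l_hash, stretch(l_salt, p_password, l_iter)) = 0;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Do the same work for unknown users so response time does not reveal
      -- which usernames exist.
      l_hash := stretch(DBMS_CRYPTO.RANDOMBYTES(16), p_password, c_iterations);
      RETURN FALSE;
  END verify_password;
END app_auth;
/
```

Point the APEX authentication scheme's authentication function at app_auth.verify_password; the schema owner needs EXECUTE on SYS.DBMS_CRYPTO, which is not granted by default. Because only salt and digest are stored, a leaked table still forces an attacker to guess each password against its own salt at c_iterations hashes per guess, which is the property the salted-hash articles are describing; hashing an AES ciphertext, as the post's last question proposes, adds a key to manage without adding to that property.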