APEX

Custom Authentication: passwords stored with md5 hash or use 256-bit AES encryption/decryption?

K4E, Feb 15 2017 (edited Feb 15 2017)

Good morning,

I am looking for some clarification on a custom authentication scheme to be written for APEX 5.1 on a 12c database.

I have done PLENTY of reading and probably a little too much, and I have come across numerous articles giving different methods to do this, so I am asking for some clarification. As it stands, in its simplest form I am going to be storing username/pw (amongst other things) in a database table and then authenticate against this. How I go about securely storing the passwords is what's confusing me slightly.

From some original training in the product years ago, plus several articles I've seen on the web, some people state that simply using dbms_crypto.hash to store the pw and then checking a hashed value of the user's password input against the one stored in the DB will suffice, as it should match since it does not change.

For example:

    l_raw_password       := utl_raw.cast_to_raw(p_password);
    -- 16-byte MD5 digest of the raw password bytes
    l_encrypted_password := dbms_crypto.hash(l_raw_password, dbms_crypto.hash_md5);
    --Then do some check here against the DB table--

This seems too simple to crack with rainbow tables and the like, so I would assume it is absolutely common practice to add a salt key to that hash, as I read an excellent article posted on this forum by @"fac586" about random salt keys being the best way forward for security?

I have also seen methods (one found on toadworld/oracle docs) of using encryption/decryption of type 256-bit AES (which seems to be referenced quite a lot away from Oracle):

DECLARE
  encryption_type PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;
  num_key_bytes   PLS_INTEGER := 32;      -- AES-256 needs a 256-bit (32-byte) key
  key_bytes_raw   RAW(32);
  encrypted_raw   RAW(2000);
BEGIN
  key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES(num_key_bytes);
  encrypted_raw := DBMS_CRYPTO.ENCRYPT(
    src => UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8'),
    typ => encryption_type,
    key => key_bytes_raw    -- no iv argument given, so ENCRYPT falls back to its default (NULL) IV
  );
END;

This uses dbms_crypto.randombytes (based on the RSA X9.31 PRNG) to generate a random SALT key for each password. If I store the encrypted PW value and the random SALT key in a table/s, surely I am one SQL injection attack away from losing the passwords?

So which would be the most secure method of storing the password then authenticating of the two?

If I am reading correctly, the standard from OWASP seems like it's an amalgamation of the two methods above. So, for example, would it be possible to generate a random SALT key with randombytes in conjunction with encrypting the password using DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5, then store a hash of the encrypted value + the SALT key?

Thanks for any assistance!
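The post above asks whether to store a hash, an AES ciphertext, or some combination. The following is an added example, not code from the original post or from Oracle: it shows the salted, iterated hashing approach (PBKDF2-HMAC-SHA256 per RFC 8018, built from the DBMS_CRYPTO.MAC and UTL_RAW calls available on 12c) in which nothing reversible is stored, so a dump of the table yields only salts and stretched hashes rather than passwords and the keys that decrypt them. The table name APP_USERS, its columns, the package name PWD_UTIL and the iteration count are assumptions; the schema must have been granted EXECUTE on DBMS_CRYPTO.

```plsql
-- Added example, not code from the original post.
-- Assumptions: a table APP_USERS with the columns below, a schema that has been
-- granted EXECUTE on DBMS_CRYPTO, and an iteration count chosen for your hardware.
CREATE TABLE app_users (
  username  VARCHAR2(100) PRIMARY KEY,
  pw_salt   RAW(16)  NOT NULL,   -- per-user random salt from DBMS_CRYPTO.RANDOMBYTES
  pw_iter   NUMBER   NOT NULL,   -- iteration count stored with the hash so it can be raised later
  pw_hash   RAW(32)  NOT NULL    -- PBKDF2-HMAC-SHA256 output (one 32-byte block)
);

CREATE OR REPLACE PACKAGE pwd_util AS
  -- PBKDF2 (RFC 8018) with HMAC-SHA256, producing a single 32-byte block
  FUNCTION pbkdf2_sha256(p_password   IN VARCHAR2,
                         p_salt       IN RAW,
                         p_iterations IN PLS_INTEGER) RETURN RAW;
  PROCEDURE set_password(p_username IN VARCHAR2, p_password IN VARCHAR2);
  -- Signature matches what an APEX custom authentication function needs
  FUNCTION check_password(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
END pwd_util;
/

CREATE OR REPLACE PACKAGE BODY pwd_util AS
  c_iterations CONSTANT PLS_INTEGER := 20000;  -- assumption: raise until one hash costs tens of ms

  FUNCTION pbkdf2_sha256(p_password   IN VARCHAR2,
                         p_salt       IN RAW,
                         p_iterations IN PLS_INTEGER) RETURN RAW IS
    l_key RAW(2000) := UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8');
    l_u   RAW(32);
    l_t   RAW(32);
  BEGIN
    -- U1 = HMAC(password, salt || INT_32BE(1)); block index 1 because 32 bytes of output suffice
    l_u := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(p_salt, HEXTORAW('00000001')),
                           typ => DBMS_CRYPTO.HMAC_SH256,
                           key => l_key);
    l_t := l_u;
    -- U_i = HMAC(password, U_{i-1});  T = U1 xor U2 xor ... xor U_c
    FOR i IN 2 .. p_iterations LOOP
      l_u := DBMS_CRYPTO.MAC(src => l_u, typ => DBMS_CRYPTO.HMAC_SH256, key => l_key);
      l_t := UTL_RAW.BIT_XOR(l_t, l_u);
    END LOOP;
    RETURN l_t;
  END pbkdf2_sha256;

  PROCEDURE set_password(p_username IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh salt on every change
    l_hash RAW(32) := pbkdf2_sha256(p_password, l_salt, c_iterations);
  BEGIN
    -- Only salt, iteration count and hash are stored; there is no key that decrypts anything
    UPDATE app_users
       SET pw_salt = l_salt, pw_iter = c_iterations, pw_hash = l_hash
     WHERE username = p_username;
    IF SQL%ROWCOUNT = 0 THEN
      INSERT INTO app_users (username, pw_salt, pw_iter, pw_hash)
      VALUES (p_username, l_salt, c_iterations, l_hash);
    END IF;
  END set_password;

  FUNCTION check_password(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    l_salt RAW(16);
    l_iter PLS_INTEGER;
    l_hash RAW(32);
  BEGIN
    SELECT pw_salt, pw_iter, pw_hash
      INTO l_salt, l_iter, l_hash
      FROM app_users
     WHERE username = p_username;
    -- Recompute with the stored salt and iteration count; equal output means correct password
    RETURN UTL_RAW.COMPARE(pbkdf2_sha256(p_password, l_salt, l_iter), l_hash) = 0;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: still pay for one hash so response time does not reveal which usernames exist
      l_hash := pbkdf2_sha256(p_password, DBMS_CRYPTO.RANDOMBYTES(16), c_iterations);
      RETURN FALSE;
  END check_password;
END pwd_util;
/
```

In an APEX custom authentication scheme, `pwd_util.check_password` is the function name to supply, since APEX calls it with p_username and p_password and expects a BOOLEAN. The iteration count is stored per row so that it can be increased for new or changed passwords without invalidating existing ones, and the salt is regenerated on every password change so that two users with the same password never share a hash. UTL_RAW.COMPARE is not a constant-time comparison; on a hash output that an attacker cannot choose this is a small exposure, but it is worth knowing about.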

Post Details
Locked on Mar 15 2017
Added on Feb 15 2017
2 comments
1,425 views