DOAG Konferenz 2016
Oracle Logon Security:
Last Man Standing
Database Authentication Methods –
A Practical Comparison
Jan Schreiber
Loopback.ORG GmbH, Hamburg
Database Operations & Security
Data Warehouse & Business Intelligence
Oracle Architecture & Performance
Oracle 9i Default Accounts and Passwords
USER       PW
SYSTEM     MANAGER
SCOTT      TIGER
OLAPSYS    OLAPSYS
ANONYMOUS  ANONYMOUS
Table 8-2 Oracle 9i Default Accounts and Passwords
Source: XKCD
Oracle Hash Algorithms
Age old: 3DEShash(upper(username||password))
11gR1: 11g SHA1 hash: password hash (20 bytes) = sha1(password + salt (10 bytes))
12.1.0.1: HTTP Digest (md5digest('USER:XDB:password'))
12.1.0.2: PBKDF2-based SHA2(SHA512) hash
Example of the verifiers stored for one account (S: = 11g SHA1 hash, H: = HTTP Digest, T: = 12.1.0.2 PBKDF2-based SHA512 hash):
S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;
H:DC9894A01797D91D92ECA1DA66242209;
T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
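As an added example (not part of the talk), the following Python reconstructs the two verifiers whose formulas the slide gives, the 11g S: hash and the H: HTTP Digest, and parses a stored S:/H:/T: string; the T: verifier is only recognised by its length, because its PBKDF2 parameters are not on the slide. A defender can run this against an account's stored value to spot accounts that still carry the unsalted H: digest, that lack the 12c verifier, or that still use one of the default passwords from the 9i table above. Function names and the sample salt are my own.

```python
import hashlib
import os
import re

# Verifier layout on the slide (one account's stored value, fields separated by ';'):
#   S: 11g verifier  = hex(sha1(password || 10-byte salt)) || hex(salt) -> 40 + 20 hex chars
#   H: HTTP Digest   = hex(md5('USER:XDB:password'))                   -> 32 hex chars, unsalted
#   T: 12.1.0.2 PBKDF2-based SHA-512 verifier; its parameters are not on the slide,
#      so it is only recognised by its length here, never recomputed.
VERIFIER_HEX_LENGTH = {"S": 60, "H": 32, "T": 160}


def parse_verifiers(stored: str) -> dict:
    """Split 'S:...;H:...;T:...' into a tag -> hex dict, checking each field's length."""
    found = {}
    for tag, value in re.findall(r"([SHT]):([0-9A-Fa-f]+)", stored):
        expected = VERIFIER_HEX_LENGTH[tag]
        if len(value) != expected:
            raise ValueError(f"{tag}: {len(value)} hex chars, expected {expected}")
        found[tag] = value.upper()
    return found


def make_11g_verifier(password: str, salt: bytes = None) -> str:
    """S: verifier as the slide states it: sha1(password + salt), salt appended in hex.
    A fresh random 10-byte salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(10)
    if len(salt) != 10:
        raise ValueError("11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return (digest + salt.hex()).upper()


def make_http_digest(username: str, password: str) -> str:
    """H: verifier as the slide states it: md5('USER:XDB:password'), with the user
    name as stored in the database (upper case unless it was created quoted)."""
    return hashlib.md5(f"{username}:XDB:{password}".encode("utf-8")).hexdigest().upper()


def check_11g(candidate: str, s_verifier: str) -> bool:
    """Recompute the S: verifier with its own salt and compare; case matters."""
    salt = bytes.fromhex(s_verifier[40:])
    return make_11g_verifier(candidate, salt) == s_verifier.upper()


def check_http_digest(username: str, candidate: str, h_verifier: str) -> bool:
    """Recompute the unsalted H: digest and compare."""
    return make_http_digest(username, candidate) == h_verifier.upper()


def audit_account(username: str, stored: str, default_passwords=()) -> list:
    """Defender's report for one account: which verifier generations are present,
    whether the unsalted H: digest is still stored, and whether one of the
    well-known default passwords (see the 9i table above) still matches."""
    v = parse_verifiers(stored)
    findings = []
    if "H" in v:
        findings.append("H: unsalted MD5 HTTP Digest present (only needed for XDB HTTP access)")
    if "S" in v and "T" not in v:
        findings.append("S: only the 11g SHA-1 verifier present, no 12c PBKDF2/SHA-512 verifier")
    for pw in default_passwords:
        if ("S" in v and check_11g(pw, v["S"])) or \
           ("H" in v and check_http_digest(username, pw, v["H"])):
            findings.append(f"default password '{pw}' still valid for {username}")
            break
    return findings


# Constructed sample: SCOTT with the 9i default password and a fixed (non-random) salt.
SAMPLE_SALT = bytes(range(10))
SAMPLE_STORED = ("S:" + make_11g_verifier("TIGER", SAMPLE_SALT)
                 + ";H:" + make_http_digest("SCOTT", "TIGER"))

if __name__ == "__main__":
    for line in audit_account("SCOTT", SAMPLE_STORED, default_passwords=("MANAGER", "TIGER")):
        print(line)
```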
Illustration: cryptographic hash function (input -> digest). Four inputs that differ only in one word ("The red fox jumps over the blue dog", "... oevr ...", "... ouer ...", "... oer ...") produce four completely different digests.
Password Cracking Calculations
Initial char keyspace = 16; keyspace = 36; cracker speed = 1.600.000 hashes per second

Length | Hashes at this length | Cumulative hashes | 50% time (days) | Full time (mins)
1 | 26 | 26 | 0 | 0
2 | 936 | 962 | 0 | 0
3 | 33.696 | 34.658 | 0 | 0
4 | 1.213.056 | 1.247.714 | 0 | 0
5 | 43.670.016 | 44.917.730 | 0 | 0
6 | 1.572.120.576 | 1.617.038.306 | 0 | 17
7 | 56.596.340.736 | 58.213.379.042 | 0 | 606
8 | 2.037.468.266.496 | 2.095.681.645.538 | 8 | 21.830
9 | 73.348.857.593.856 | 75.444.539.239.394 | 273 | 785.881
10 | 2.640.558.873.378.820 | 2.716.003.412.618.210 | 9.824 | 28.291.702
11 | 95.060.119.441.637.400 | 97.776.122.854.255.600 | 353.646 | 1.018.501.280
12 | 3.422.164.299.898.950.000 | 3.519.940.422.753.200.000 | 12.731.266 | 36.666.046.070
13 | 123.197.914.796.362.000.000 | 126.717.855.219.115.000.000 | 458.325.576 | 1.319.977.658.532
14 | 4.435.124.932.669.030.000.000 | 4.561.842.787.888.150.000.000 | 16.499.720.732 | 47.519.195.707.168
15 | 159.664.497.576.085.000.000.000 | 164.226.340.363.973.000.000.000 | 593.989.946.340 | 1.710.691.045.458.060
16 | 5.747.921.912.739.070.000.000.000 | 5.912.148.253.103.040.000.000.000 | 21.383.638.068.226 | 61.584.877.636.490.000
17 | 206.925.188.858.606.000.000.000.000 | 212.837.337.111.709.000.000.000.000 | 769.810.970.456.125 | 2.217.055.594.913.640.000
18 | 7.449.306.798.909.830.000.000.000.000 | 7.662.144.136.021.540.000.000.000.000 | 27.713.194.936.420.500 | 79.814.001.416.891.000.000
19 | 268.175.044.760.754.000.000.000.000.000 | 275.837.188.896.775.000.000.000.000.000 | 997.675.017.711.138.000 | 2.873.304.051.008.080.000.000
20 | 9.654.301.611.387.140.000.000.000.000.000 | 9.930.138.800.283.920.000.000.000.000.000 | 35.916.300.637.601.000.000 | 103.438.945.836.291.000.000.000
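The table's arithmetic as an added Python example (not from the talk): candidates per length, cumulative candidates, and the full and 50 % cracking times at 1.600.000 hashes per second. The first position is taken as 26 characters because that is what reproduces the table's own rows (26, 936, 33.696, ...); min_length_for_days is my own addition that reads the table backwards as a minimum-length policy check.

```python
# Parameters stated under the slide's table. The first position is modelled with 26
# characters (letters only) because that reproduces the table's rows (26, 936, 33.696, ...).
CRACKER_SPEED = 1_600_000        # hashes per second
FIRST_CHAR_KEYSPACE = 26
KEYSPACE = 36                    # every further position: a-z plus 0-9
MINUTES_PER_DAY = 24 * 60


def candidates_of_length(length, first=FIRST_CHAR_KEYSPACE, rest=KEYSPACE):
    """Number of candidate passwords of exactly this length."""
    return first * rest ** (length - 1)


def crack_table(max_length, speed=CRACKER_SPEED, first=FIRST_CHAR_KEYSPACE, rest=KEYSPACE):
    """Rebuild the slide's table row by row: candidates at this length, cumulative
    candidates up to it, minutes to exhaust the cumulative space, and the expected
    time to hit a password (50 % of the space) in days. The rounded columns match
    the slide; the exact 50 % value is kept alongside for further calculation."""
    rows, cumulative = [], 0
    for length in range(1, max_length + 1):
        count = candidates_of_length(length, first, rest)
        cumulative += count
        total_minutes = cumulative / speed / 60
        half_days = total_minutes / 2 / MINUTES_PER_DAY
        rows.append({
            "length": length,
            "hashes": count,
            "cumulative": cumulative,
            "half_days": round(half_days),
            "total_minutes": round(total_minutes),
            "half_days_exact": half_days,
        })
    return rows


def min_length_for_days(days, speed=CRACKER_SPEED, first=FIRST_CHAR_KEYSPACE, rest=KEYSPACE):
    """Smallest password length whose expected (50 %) cracking time exceeds `days`
    at the given speed: the table read backwards as a minimum-length policy check."""
    length = 1
    while True:
        row = crack_table(length, speed, first, rest)[-1]
        if row["half_days_exact"] > days:
            return length
        length += 1


def _german(n):
    """Integer with the slide's German thousands separator."""
    return f"{n:,}".replace(",", ".")


def format_row(row):
    """One table line in the slide's column order."""
    return (f"{row['length']:>2} {_german(row['hashes'])} {_german(row['cumulative'])} "
            f"{_german(row['half_days'])} {_german(row['total_minutes'])}")


if __name__ == "__main__":
    for row in crack_table(12):
        print(format_row(row))
    print("length needed for a one-year expected cracking time:", min_length_for_days(365))
```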
http://www.tarsnap.com/scrypt/scrypt.pdf (2011)
Oracle Native Authentication Protocol
Client -> Database Server: Connect [SID]
Database Server -> Client: Resend
Client -> Database Server: Connect [SID]
Database Server -> Client: Accept
....
Client -> Database Server: [Username]
Database Server -> Client: [AUTH_VFR_DATA] (11g Salt), [AUTH_SESSKEY]
Client -> Database Server: [AUTH_SESSKEY], [AUTH_PASSWORD]
Password verification takes place. Server authenticates user or responds with error.
Secure External Password Store (Wallets)
$ mkstore -wrl /home/jans/oracle/wallet -create
$ mkstore -wrl /home/jans/oracle/wallet -createCredential ORCL SYSTEM secret
$ sqlplus /@ORCL
SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
SQL>
Secure External Password Store Hacking
cwallet.sso file layout:
0x00 - 0x4C Header:
  0x00 - 0x02 First 3 bytes are always A1 F8 4E (wallet recognition?)
  0x03        Type = SSO: 36; LSSO: 38
  0x04 - 0x06 00 00 00
  0x07        Version (10g: 05; 11g: 06)
  0x08 - 0x0A 00 00 00
  0x0B - 0x0C 11g: always the same (41 35)
  0x0D - 0x1C DES key
  0x1D - 0x4C DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF  PKCS#12 data (ASN.1 block)
________________________________________________________________________________________
$ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
sso key: c29XXXXXXXXXX96
sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c
http://blogs.loopback.org/2015/11/oracle-wallets-hacken/
Create new wallet
$ echo 1e482XXXXXXXXXX1f1f0b296f6178021c | xxd -p -r > cwallet.key
$ ls -lhrt
total 18K
-rwxr--r-- 1 akira friends 6,5K Nov 24 15:16 ewallet.p12
-rw------- 1 akira friends 6,5K Nov 24 15:16 cwallet.sso
-rw-r--r-- 1 akira friends 16 Nov 24 18:28 cwallet.key
$ dd if=cwallet.sso of=NewP12wallet.p12 bs=1 skip=77
6560+0 records in
6560+0 records out
6560 bytes (6,6 kB) copied, 0,0240742 s, 272 kB/s
Verify validity
$ openssl pkcs12 -in NewP12wallet.p12 -nodes -passin file:cwallet.key
MAC verified OK
Bag Attributes
friendlyName: orakey
localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01
(...)
Set new password
$ orapki wallet change_pwd -wallet NewP12wallet.p12 -oldpwd `cat cwallet.key` -newpwd test1234
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Use new wallet
$ orapki wallet display -wallet NewP12wallet.p12
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: CN=ORCL11G
Trusted Certificates:
Subject: CN=PX.CORP-PROC01,O=px.corp,ST=Hamburg,C=DE
Subject: CN=PX.CORP-ROOT01,O=px.corp,ST=Hamburg,C=DE
Oracle Internet Directory (OID) / LDAP
(1) Client connects as Leonard.Nimoy to BIGDB
(2) The database requests Leonard.Nimoy from the LDAP server (OID), the repository for user, role and EUS configuration
(3) The LDAP server returns Leonard.Nimoy
The database verifies the hash and assigns roles and schema to the user
SQL> alter user ... identified externally;
Hashes in OID
Kerberos / AD Connection
Components: Client PC with ticket cache; AD Domain Controller acting as Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS); DB Server, which has exchanged a shared key with the KDC.
(1) Domain login: authentication with user name and password
(2) KDC verifies the user data
(3) AS issues the user ticket (TGT)
(4) TGT is stored in the client's ticket cache
(5) Client requests a service ticket (ST) for the DB server with its TGT
(6) TGS checks the ST request for the application server against the TGT
(7) ST is returned to the client
(9) DB server verifies the ST
Kerberos User Login
SQL> create user USER01 identified externally as 'USER01@TESTED.LCL';
User created.
SQL> grant connect to user01;
[oracle@ioaotow01 ~]$ okinit user01
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Password for user01@TESTED.LCL:
_______________________________________________________________________________________________
[oracle@ioaotow01 ~]$ oklist
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Ticket cache: /oracle/diag/krb/cc/krb5cc_99
Default principal: user01@TESTED.LCL
Valid Starting        Expires               Principal
08-Feb-2016 14:11:20  08-Feb-2016 22:11:11  krbtgt/TESTED.LCL@TESTED.LCL
08-Feb-2016 14:11:33  08-Feb-2016 22:11:11  oracle/ioaotow01@TESTED.LCL
08-Feb-2016 14:16:40  08-Feb-2016 22:11:11  oracle/ioaotow01.tested.lcl@TESTED.LCL
_______________________________________________________________________________________________
[oracle@ioaotow01 ~]$ sqlplus /@TESTDB
SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> show user;
USER is "USER01@TESTED.LCL"
AD Integration with Oracle Unified Directory (OUD) & Kerberos
Components: DB farm; OUD holding the OracleContext that maps users, schema, roles and groups; database; client (SQL*Plus, Java, etc.); EUS
OUD Proxy Setup:
• AD user with read privilege
• Read privilege on DB user data in AD
• Oracle Context on LDAP server
• Software: OUD, WebLogic, ADF
• Works with EUS also
[linux7 Oracle_OUD1]$ ./oud-proxy-setup
[linux6]$ okinit testuser
[linux7]$ oklist
Kerberos Ticket
https://wiki.loopback.org/confluence/x/FQCl
Kerberos & Database 12c
• New Software Stack
• RC4-HMAC-NT / W2012 Server
• ORA-12638: Credential retrieval failed
  – SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
Bugs...
Reading List:
Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug:19636771. The workaround for this is to use AES encryption in the keytab"
Doc ID 1611643.1: Bug 17497520 : KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section.
Doc ID 185897.1: Kerberos Troubleshooting Guide
Master Note For Kerberos Authentication (Doc ID 1375853.1)
WNA- Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420 : KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
Laurent Schneider: The long long route to Kerberos
Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
WNA- Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1)
Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)
https://wiki.loopback.org/confluence/x/CwCl
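Several items in the reading list above come down to which encryption types a keytab carries (arcfour-hmac keys hitting the open 12c bug, DES accounts no longer authenticating against newer domain controllers). The following added Python example, not part of the talk, writes a small MIT-format keytab in memory and parses it back to flag entries whose keys use DES or RC4, which is the check to run before pointing a 12c client at a keytab; the principal names are taken from the oklist output above, the key bytes and timestamp are constructed filler.

```python
import struct

# Kerberos encryption type numbers from the IANA registry (RFC 3961, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Types the reading list warns about: DES keys and RC4 (arcfour-hmac) keys.
WEAK_ENCTYPES = {1, 3, 23}


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as an MIT keytab, version 0x0502.
    Used here only to construct a sample file in memory."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp (constructed), 8-bit kvno
        body += struct.pack(">IIB", 1, 1454940000, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # optional trailing 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _take_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(blob: bytes) -> list:
    """Parse a version-0x0502 keytab into one dict per entry. Slots with a negative
    length are deleted entries and are skipped, as kadmin/ktutil leave them behind."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab, version 0x0502")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _take_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                       # 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key_len": len(key),
            "timestamp": timestamp,
        })
    return entries


def audit_keytab(blob: bytes) -> list:
    """One finding per entry whose key uses a DES or RC4 encryption type."""
    findings = []
    for e in parse_keytab(blob):
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f'{e["principal"]} kvno {e["kvno"]}: weak enctype {e["enctype_name"]}')
    return findings


# Constructed sample: the DB server principals from the oklist output, one of them
# with both an RC4 and an AES-256 key, the short form with an old DES key.
SAMPLE_KEYTAB = build_keytab([
    ("oracle/ioaotow01.tested.lcl@TESTED.LCL", 2, 23, bytes(range(16))),
    ("oracle/ioaotow01.tested.lcl@TESTED.LCL", 2, 18, bytes(range(32))),
    ("oracle/ioaotow01@TESTED.LCL", 1, 3, bytes(range(8))),
])

if __name__ == "__main__":
    for line in audit_keytab(SAMPLE_KEYTAB):
        print(line)
```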
Mimikatz
Source: Benjamin Delpy
Kerberos Golden Ticket
• The entire Kerberos security relies on symmetric keys under the "krbtgt" account
  – 128 bits for RC4/AES128
  – 256 bits for AES256
• And once generated, these keys aren't changed in years
  – only during domain functional upgrade from NT5 -> NT6
  – 2000/2003 to 2008/2012
  – 2008 -> 2012 doesn't change the value
  – the previous one (n-1) still valid...
Source: Benjamin Delpy
PKI Authentication
User / Application and Database each hold their own private key and send a certificate request (.csr) to the Certificate Authority (CA). The user side keeps the user and CA certificates, the database side keeps the DB and CA certificates; authentication takes place in the SSL handshake.
PKI: Certificates and Wallets
Database Server
1. Create empty wallet
2. Create key and certificate request
3. Sign request by CA (e.g. CN=db12c)
4. Import CA certificate (CN=myCA)
5. Import signed server certificate
Database Client
1. Create empty wallet
2. Create key and certificate request
3. Sign request by CA (e.g. CN=jans)
4. Import CA certificate (CN=myCA)
5. Import signed user certificate
Display Wallet
[oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_1/network/pki
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
_________________________________________________________________________________________
Requested Certificates:
User Certificates:
Subject: CN=LOOPDS
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: CN=LBO Root Certificate II,OU=LoopCA,O=Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE
Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
PKI: Login using certificate
SQL> create user JANS identified externally as 'CN=jans';
SQL> grant create session to JANS;
$ sqlplus /@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
---------------------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
-----------------------------------------------------
SSL
Windows AD CA with Autoenrollment
Linux Workstations
Benefit Analysis
Feature | Passwords | Pwd Wallets | Kerberos | SSL-PKI | EUS
Password theft protection | ✘ | ✘ | ✔ | ✔ | n/a
Reduced administrative overhead per user account | ✘ | ✘ | ✔ | ✔ | ✔
Audit proof | ✘ | ✘ | ✔ | ✔ | n/a
Central user and password administration | ✘ | ✘ | ✔ | ✘ | ✔
Central role administration | ✘ | ✘ | ✘ | ✘ | ✔
Serves technical users | ✔ | ✓ | ✘ | ✔ | ✔
Serves human users | ✔ | ✘ | ✔ | ✘ | ✔
Minimal rollout difficulty | ✔ | ✘ | ✘ | ✘ | ✘
No additional license costs | ✔ | ✔ | ✔ | ✔ | ✘
No directory dependence | ✔ | ✔ | ✘ | ✘ | ✘
Jan Schreiber, Loopback.ORG GmbH, Hamburg
database intelligence | operations excellence | bi solutions
jans@loopback.org
blogs.loopback.org
Thank you very much for your attention!

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 

DOAG 2016 Oracle Logon Security

  • 1. DOAG Konferenz 2016 Oracle Logon Security: Last Man Standing Database Authentication Methods – A Practical Comparison
  • 2. DOAG Konferenz 2016 Jan Schreiber, Loopback.ORG GmbH, Hamburg: Database Operations & Security, Data Warehouse & Business Intelligence, Oracle Architecture & Performance
  • 3. DOAG Konferenz 2016 Table 8-2 Oracle 9i Default Accounts and Passwords
       USER: SYSTEM     PW: MANAGER
       USER: SCOTT      PW: TIGER
       USER: OLAPSYS    PW: OLAPSYS
       USER: ANONYMOUS  PW: ANONYMOUS
  • 5. DOAG Konferenz 2016 Oracle Hash Algorithms
       Age old:  3DEShash(upper(username||password))
       11gR1:    11g SHA1 hash: password hash (20 bytes) = sha1(password + salt (10 bytes))
       12.1.0.1: HTTP Digest (md5digest('USER:XDB:password'))
       12.1.0.2: PBKDF2-based SHA2(SHA512) hash
       Stored verifier string as shown on the slide (S: SHA1 part, H: HTTP Digest part, T: SHA2 part):
       S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;
       H:DC9894A01797D91D92ECA1DA66242209;
       T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
  • 6. DOAG Konferenz 2016 Fox: cryptographic hash function (Input -> Digest)
       Inputs: "The red fox jumps over the blue dog" / "The red fox jumps oevr the blue dog" / "The red fox jumps ouer the blue dog" / "The red fox jumps oer the blue dog"
       Digests: DFCD 3454 BBEA 788A 751A 696C 24D9 7009 CA99 2D17 / 0086 46BB FB7D CBE2 823C ACC7 6CD1 90B1 EE6E 3ABC / 8FD8 7558 7851 4F32 D1C6 76B1 79A9 0DA4 AEFE 4819 / FCD3 7FDB 5AF2 C6FF 915F D401 C0A9 7DA9 46AF FB45 / 8ACA D682 D588 4C75 4BF4 1799 7D88 BCF8 92B9 6A6C
  • 7. DOAG Konferenz 2016 Password Cracking Calculations
       Initial char keyspace = 16; keyspace = 36; cracker speed = 1.600.000 hash per second
       size | number of hashes | cum hashes | 50% time (days) | time (mins)
       1 | 26 | 26 | 0 | 0
       2 | 936 | 962 | 0 | 0
       3 | 33.696 | 34.658 | 0 | 0
       4 | 1.213.056 | 1.247.714 | 0 | 0
       5 | 43.670.016 | 44.917.730 | 0 | 0
       6 | 1.572.120.576 | 1.617.038.306 | 0 | 17
       7 | 56.596.340.736 | 58.213.379.042 | 0 | 606
       8 | 2.037.468.266.496 | 2.095.681.645.538 | 8 | 21.830
       9 | 73.348.857.593.856 | 75.444.539.239.394 | 273 | 785.881
       10 | 2.640.558.873.378.820 | 2.716.003.412.618.210 | 9.824 | 28.291.702
       11 | 95.060.119.441.637.400 | 97.776.122.854.255.600 | 353.646 | 1.018.501.280
       12 | 3.422.164.299.898.950.000 | 3.519.940.422.753.200.000 | 12.731.266 | 36.666.046.070
       13 | 123.197.914.796.362.000.000 | 126.717.855.219.115.000.000 | 458.325.576 | 1.319.977.658.532
       14 | 4.435.124.932.669.030.000.000 | 4.561.842.787.888.150.000.000 | 16.499.720.732 | 47.519.195.707.168
       15 | 159.664.497.576.085.000.000.000 | 164.226.340.363.973.000.000.000 | 593.989.946.340 | 1.710.691.045.458.060
       16 | 5.747.921.912.739.070.000.000.000 | 5.912.148.253.103.040.000.000.000 | 21.383.638.068.226 | 61.584.877.636.490.000
       17 | 206.925.188.858.606.000.000.000.000 | 212.837.337.111.709.000.000.000.000 | 769.810.970.456.125 | 2.217.055.594.913.640.000
       18 | 7.449.306.798.909.830.000.000.000.000 | 7.662.144.136.021.540.000.000.000.000 | 27.713.194.936.420.500 | 79.814.001.416.891.000.000
       19 | 268.175.044.760.754.000.000.000.000.000 | 275.837.188.896.775.000.000.000.000.000 | 997.675.017.711.138.000 | 2.873.304.051.008.080.000.000
       20 | 9.654.301.611.387.140.000.000.000.000.000 | 9.930.138.800.283.920.000.000.000.000.000 | 35.916.300.637.601.000.000 | 103.438.945.836.291.000.000.000
  • 9. DOAG Konferenz 2016 Oracle Native Authentication Protocol (Client <-> Oracle Database Server)
       Connect [SID]
       Resend
       Connect [SID]
       Accept
       ....
       [Username]
       [AUTH_VFR_DATA] (11g Salt), [AUTH_SESSKEY]
       [AUTH_SESSKEY], [AUTH_PASSWORD]
       Password verification takes place. Server authenticates user or responds with error.
  • 11. DOAG Konferenz 2016 Secure External Password Store (Wallets)
       $ mkstore -wrl /home/jans/oracle/wallet -create
       $ mkstore -wrl /home/jans/oracle/wallet -createCredential ORCL SYSTEM secret
       $ sqlplus /@ORCL
       SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
       Copyright (c) 1982, 2014, Oracle. All rights reserved.
       SQL>
  • 12. DOAG Konferenz 2016 Secure External Password Store Hacking
       File layout:
       0x00 - 0x4C Header:
         0x00 - 0x02 First 3 bytes are always A1 F8 4E (wallet recognition?)
         0x03        Type = SSO: 36; LSSO: 38
         0x04 - 0x06 00 00 00
         0x07        Version (10g: 05; 11g: 06)
         0x08 - 0x0A 00 00 00
         0x0B - 0x0C 11g: always the same (41 35)
         0x0D - 0x1C DES key
         0x1D - 0x4C DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
       0x4D - EOF  PKCS#12 data (ASN.1 block)
       ________________________________________________________________________________________
       $ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
       sso key: c29XXXXXXXXXX96
       sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
       p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c
       http://blogs.loopback.org/2015/11/oracle-wallets-hacken/
  • 13. DOAG Konferenz 2016 Create new wallet
       $ echo 1e482XXXXXXXXXX1f1f0b296f6178021c | xxd -p -r > cwallet.key
       $ ls -lhrt
       total 18K
       -rwxr--r-- 1 akira friends 6,5K Nov 24 15:16 ewallet.p12
       -rw------- 1 akira friends 6,5K Nov 24 15:16 cwallet.sso
       -rw-r--r-- 1 akira friends   16 Nov 24 18:28 cwallet.key
       $ dd if=cwallet.sso of=NewP12wallet.p12 bs=1 skip=77
       6560+0 records in
       6560+0 records out
       6560 bytes (6,6 kB) copied, 0,0240742 s, 272 kB/s
       Verify validity
       $ openssl pkcs12 -in NewP12wallet.p12 -nodes -passin file:cwallet.key
       MAC verified OK
       Bag Attributes
           friendlyName: orakey
           localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01
       (...)
       Set new password
       $ orapki wallet change_pwd -wallet NewP12wallet.p12 -oldpwd `cat cwallet.key` -newpwd test1234
       Oracle PKI Tool : Version 12.1.0.2
       Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
       Use new wallet
       $ orapki wallet display -wallet NewP12wallet.p12
       Oracle PKI Tool : Version 12.1.0.2
       Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
       Enter wallet password:
       Requested Certificates:
       User Certificates:
       Subject: CN=ORCL11G
       Trusted Certificates:
       Subject: CN=PX.CORP-PROC01,O=px.corp,ST=Hamburg,C=DE
       Subject: CN=PX.CORP-ROOT01,O=px.corp,ST=Hamburg,C=DE
  • 14. DOAG Konferenz 2016 Oracle Internet Directory (OID) / LDAP
       (1) Connect Leonard.Nimoy / BIGDB
       (2) Request Leonard.Nimoy
       (3) Returned Leonard.Nimoy
       Database: verifies hash, assigns roles and schema to user
       LDAP Server (OID): repository for user, role & EUS configuration
       SQL> alter user ... identified externally;
  • 16. DOAG Konferenz 2016 Kerberos-AD Connection
       Components: Client-PC (Ticket-Cache); AD Domain Controller = Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS); DB Server
       (1) Authentication (Domain Login: User, Password)
       (2) Verify user data
       (3) User-Ticket TGT
       (4) TGT
       (5) Request Service Ticket ST with TGT
       (6) Check ST for application server with TGT
       (7) ST
       (9) ST verification at the DB Server
       Shared key exchange
  • 17. DOAG Konferenz 2016 Kerberos User Login
       SQL> create user USER01 identified externally as 'USER01@TESTED.LCL';
       User created.
       SQL> grant connect to user01;
       [oracle@ioaotow01 ~]$ okinit user01
       Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
       Copyright (c) 1996, 2014 Oracle. All rights reserved.
       Password for user01@TESTED.LCL:
       _______________________________________________________________________________________________
       [oracle@ioaotow01 ~]$ oklist
       Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
       Copyright (c) 1996, 2014 Oracle. All rights reserved.
       Ticket cache: /oracle/diag/krb/cc/krb5cc_99
       Default principal: user01@TESTED.LCL
       Valid Starting          Expires                 Principal
       08-Feb-2016 14:11:20    08-Feb-2016 22:11:11    krbtgt/TESTED.LCL@TESTED.LCL
       08-Feb-2016 14:11:33    08-Feb-2016 22:11:11    oracle/ioaotow01@TESTED.LCL
       08-Feb-2016 14:16:40    08-Feb-2016 22:11:11    oracle/ioaotow01.tested.lcl@TESTED.LCL
       _______________________________________________________________________________________________
       [oracle@ioaotow01 ~]$ sqlplus /@TESTDB
       SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
       Copyright (c) 1982, 2014, Oracle. All rights reserved.
       Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
       Connected to:
       Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
       With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
       SQL> show user;
       USER is "USER01@TESTED.LCL"
  • 18. DOAG Konferenz 2016 AD-Integration with Oracle Unified Directory (OUD) & Kerberos
       Components: DB FARM; OUD (OracleContext, OUD Proxy); Database Client (SqlPlus, Java, etc.); AD; (EUS) maps users, schema and roles to groups
       Setup:
       • AD user with read privilege
       • Read privilege on DB-user data in AD
       • Oracle Context on LDAP server
       • Software: OUD, WebLogic, ADF
       • Works with EUS also
       [linux7 Oracle_OUD1]$ ./oud-proxy-setup
       [linux6]$ okinit testuser
       [linux7]$ oklist   (Kerberos Ticket)
       https://wiki.loopback.org/confluence/x/FQCl
  • 19. DOAG Konferenz 2016 Kerberos & Database 12c
       • New software stack
       • RC4-HMAC-NT / W2012 Server
       • ORA-12638: Credential retrieval failed – SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
       Bugs... Reading List:
       • Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug:19636771. The workaround for this is to use AES encryption in the keytab"
       • Doc ID 1611643.1: Bug 17497520 : KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
       • Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section.
       • Doc ID 185897.1: Kerberos Troubleshooting Guide
       • Master Note For Kerberos Authentication (Doc ID 1375853.1)
       • WNA- Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
       • How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420 : KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
       • Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
       • Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
       • Laurent Schneider: The long long route to Kerberos
       • Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
       • Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)
       https://wiki.loopback.org/confluence/x/CwCl
  • 21. DOAG Konferenz 2016 Kerberos Golden Ticket
       • The entire Kerberos security relies on symmetric keys under the "krbtgt" account
         – 128 bits for RC4/AES128
         – 256 bits for AES256
       • And once generated, these keys aren't changed in years – only during domain functional upgrade from NT5 -> NT6
         – 2000/2003 to 2008/2012
         – 2008 -> 2012 doesn't change the value
         – the previous one (n-1) still valid…
       Source: Benjamin Delpy
  • 22. DOAG Konferenz 2016 PKI-Authentication
       User / Application (Private Key) <-- SSL Handshake --> Database (Private Key)
       Certificate Authority (CA): User .csr -> User/CA Certs; DB .csr -> DB/CA Certs
  • 23. DOAG Konferenz 2016 PKI: Certificates and Wallets
       Database Server:
       1. Create empty wallet
       2. Create key and certificate request
       3. Sign request by CA (e.g. CN=db12c)
       4. Import CA certificate (CN=myCA)
       5. Import signed server certificate
       Database Client:
       1. Create empty wallet
       2. Create key and certificate request
       3. Sign request by CA (e.g. CN=jans)
       4. Import CA certificate (CN=myCA)
       5. Import signed user certificate
  • 24. DOAG Konferenz 2016 Display Wallet
       [oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_1/network/pki
       Oracle PKI Tool : Version 11.2.0.3.0 - Production
       Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
       _________________________________________________________________________________________
       Requested Certificates:
       User Certificates:
       Subject: CN=LOOPDS
       Trusted Certificates:
       Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
       Subject: CN=LBO Root Certificate II,OU=LoopCA,O=Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE
       Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
       Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
       Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
       Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
  • 25. DOAG Konferenz 2016 PKI: Login using certificate
       SQL> create user JANS identified externally as 'CN=jans';
       SQL> grant create session to JANS;
       $ sqlplus /@DB12C
       Connected.
       SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
       SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
       ---------------------------------------------------
       tcps
       SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
       SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
       -----------------------------------------------------
       SSL
  • 26. DOAG Konferenz 2016 Windows AD CA with Autoenrollment
  • 28. DOAG Konferenz 2016 Benefit Analysis (✔ = yes, ✘ = no, ./. = not applicable)
       Feature | Passwords | Pwd Wallets | Kerberos | SSL-PKI | EUS
       Password theft protection | ✘ | ✘ | ✔ | ✔ | ./.
       Reduced administrative overhead per user account | ✘ | ✘ | ✔ | ✔ | ✔
       Audit proof | ✘ | ✘ | ✔ | ✔ | ./.
       Central user and password administration | ✘ | ✘ | ✔ | ✘ | ✔
       Central role administration | ✘ | ✘ | ✘ | ✘ | ✔
       Serves technical users | ✔ | ✔ | ✘ | ✔ | ✔
       Serves human users | ✔ | ✘ | ✔ | ✘ | ✔
       Minimal rollout difficulty | ✔ | ✘ | ✘ | ✘ | ✘
       No additional license costs | ✔ | ✔ | ✔ | ✔ | ✘
       No directory dependence | ✔ | ✔ | ✘ | ✘ | ✘
  • 29. DOAG Konferenz 2016 Jan Schreiber, Loopback.ORG GmbH, Hamburg database intelligence | operations excellence | bi solutions jans@loopback.org blogs.loopback.org Thank you very much for your attention!
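The slide-7 table as a worked computation. This Python script is an added example, not the talk's own code; it takes the slide's parameters as assumptions (a 26-symbol set for the first character, as the rows 26 and 936 = 26 * 36 imply, a 36-symbol set for every further character, 1.600.000 hashes per second), reproduces the cumulative-keyspace and time columns, and goes one step beyond the slide with a helper that answers the defender's question of which minimum length pushes the 50% crack time past a given number of days at a given cracker speed.

```python
"""Password cracking estimate from slide 7 (added example, not the talk's own code).

Assumptions taken from the slide: the first character comes from a 26-symbol set,
every further character from a 36-symbol set, and the cracker tests 1.600.000
hashes per second.
"""
from __future__ import annotations

from dataclasses import dataclass

FIRST_CHAR_KEYSPACE = 26       # slide rows 26, 936 = 26 * 36, ... imply 26 for position 1
OTHER_CHAR_KEYSPACE = 36       # a-z plus 0-9 for every further position
HASHES_PER_SECOND = 1_600_000  # cracker speed stated on the slide


@dataclass(frozen=True)
class CrackEstimate:
    length: int
    hashes: int          # candidate passwords of exactly this length
    cum_hashes: int      # candidates up to and including this length
    half_days: float     # expected time to the 50% point, in days
    full_minutes: float  # time to exhaust the cumulative keyspace, in minutes


def hashes_for_length(length: int) -> int:
    """Candidates of exactly `length` characters."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return FIRST_CHAR_KEYSPACE * OTHER_CHAR_KEYSPACE ** (length - 1)


def estimate(length: int, rate: int = HASHES_PER_SECOND) -> CrackEstimate:
    """One row of the slide-7 table for the given hash rate."""
    cum = sum(hashes_for_length(n) for n in range(1, length + 1))
    full_seconds = cum / rate
    return CrackEstimate(length, hashes_for_length(length), cum,
                         full_seconds / 2 / 86_400, full_seconds / 60)


def table(max_length: int = 20, rate: int = HASHES_PER_SECOND) -> list[CrackEstimate]:
    """All rows from length 1 to `max_length`, exact integers instead of the sheet's rounding."""
    return [estimate(n, rate) for n in range(1, max_length + 1)]


def min_length_for_days(days: float, rate: int = HASHES_PER_SECOND) -> int:
    """Smallest length whose 50% crack time exceeds `days` at `rate` hashes per second."""
    length = 1
    while estimate(length, rate).half_days <= days:
        length += 1
    return length


if __name__ == "__main__":
    print(f"{'len':>3} {'cum hashes':>40} {'50% (days)':>16} {'full (min)':>24}")
    for row in table(20):
        print(f"{row.length:>3} {row.cum_hashes:>40,} "
              f"{row.half_days:>16,.0f} {row.full_minutes:>24,.0f}")
    # Faster hardware moves the line: compare the slide's rate with a 100 G/s cracker.
    for rate in (HASHES_PER_SECOND, 100_000_000_000):
        print(f"{rate:>16,} hashes/s: 50% time > 1 year needs length "
              f"{min_length_for_days(365, rate)}")
```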

Editor's Notes

  1. Database security projects for more than 15 years.
  2. Risk: default passwords with no relation to a user.
  3. Risk: reuse of user accounts and passwords, even with individual accounts.
  4. Risks also in how the hashes are stored in the database itself: how the Oracle database stores hashes. Explanation of the hash algorithms used:
     DES: Used from Oracle 6 through 10gR2, still enabled in 11gR1 – 12.1.0.2. Concatenate user|password => Unicode the string => encrypt with DES using key 0x0123456789abcdef => encrypt first block => xor next block with result => take the last IV as a new KEY and repeat. No practicable attack vector, but short key.
     SHA1: Used in 11gR1 through 11.2.0.4, actually still available in 12.1.0.2. Added case sensitive passwords to the database for the first time; as a result a longer key space by default. Password only is hashed, not username and password (in DES the username is the salt). Salt is generated by the database on password create/change. Salt is passed by SQLNet to the client. Salt is stored in SYS.USER$.SPARE4. Fast algorithm. SHA1 is broken - https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
     SHA2: Only added since 12.1.0.2 – SHA2 also added to DBMS_CRYPTO. Combination of SHA2 (SHA512) and PBKDF2 algorithms. PBKDF2 is done in the client, SHA2 is completed in the server. As with SHA1 the password hash and salt are stored in SYS.USER$.SPARE4. Much slower to crack than SHA1 and DES due to PBKDF2.
     MD5Digest: Added in 12.1.0.1 to all database accounts. MD5 is a predecessor to SHA and SHA1 and much faster to execute than SHA2. Same hash always generated for the same password.
  5. Collision resistance of a cryptographic hash function.
  6. Estimated hardware cost for running through the various algorithms.
  7. Hashes can also be stolen over the network, because the session key is transmitted and contains the salt when the connection is not SSL-encrypted.
  8. Further risk: hard-coded passwords in scripts or code.
  9. Alternative: storing passwords in Oracle password wallets. The hashes in the dictionary remain.
  10. Hacking password wallets (1). The passwords are stored binary-encoded in the wallet file; in auto-login wallets they are encrypted with a default password.
  11. Hacking password wallets (2): create the key file from the password previously read out of the SSO file; copy the SSO file into a p12 file without the header; check with OpenSSL; set a new password with orapki; use the wallet.
  12. Alternative: no hashes in the database, but in the LDAP directory. Working with externally authenticated users.
  13. The hashes are then in the LDAP directory or, with OID, in the database. In clear text.
  14. Alternative: Kerberos. Kerberos integration: how it works.
  15. Kerberos integration: what it looks like (external, without a directory).
  16. Kerberos integration with EUS in OUD. How it works and link to the guide.
  17. Kerberos integration in DB 12c: lots of bugs. Link to the wiki.
  18. Risks in Kerberos: Mimikatz. Passwords and NTLM hashes can be read from the RAM of Windows workstations. With admin access, domain administrator passwords too. Patches for Windows 7. But: security is centralized and the responsibility of IT.
  19. Kerberos risk: Golden Tickets. The passwords for the Kerberos master account are computed and a fake TGT signature is created. Where Pass-the-Hash attaches the NTLM hash LSASS has of a valid user to an existing session, Pass-the-Ticket, or the 'Golden Ticket' attack, convinces the target system that an invalid session is in fact valid (Truncer, n.d., Mimikatz, Kiwi, and Golden Ticket generation). In Windows' implementation of Kerberos, systems trust a Kerberos ticket signed by the hash of a ticket-granting ticket. If an attacker manages to collect the NTLM hash of the krbtgt account, this may be used by Mimikatz to generate a 'Golden Ticket' that may be used to elevate the privileges of any session from any system. The four pieces of information required to generate a Golden Ticket are: an administrator username, though any name will work; the fully qualified domain name; the domain SID; the NTLM hash of the krbtgt account. The account name can be any string, but mimicking an existing account will help to disguise the ticket's use. The fully qualified domain name may be obtained by running ipconfig /all:
  20. Alternative: SSL-PKI. A CA must be created or already exist.
  21. Steps needed to connect the DB to the SSL PKI.
  22. Display the PKI wallet. The database's wallet. CN=LOOPDS. The LBO trusted certificate is anchored.
  23. Creating an external user and logging in to the DB. We connect encrypted over TCPS and are authenticated via SSL.
  24. Microsoft AD as CA with autoenrollment.
  25. FreeIPA on Linux as CA and Kerberos server.
  26. Conclusion: advantages / disadvantages.
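A verifier parser and default-password audit check for the hash formats described on slide 5 and in speaker note 4. This is an added Python example, not the talk's code; it implements only what the slides state (S: = sha1(password || salt) with a 20-byte hash and 10-byte salt, H: = md5('USER:XDB:password'), passwords taken as UTF-8 bytes, which is an assumption), only parses the T: part because its PBKDF2 parameters are not given here, and uses a constructed salt and the slide-3 default account list for the demo.

```python
"""Verifier parsing and default-password audit for the Oracle hash formats on slide 5
and in speaker note 4 (added example, not the talk's own code).

Implements only what the slides state:
  S: = hex(sha1(password || salt)) || hex(salt)   20-byte hash, 10-byte salt (11g)
  H: = md5('USER:XDB:password')                   HTTP Digest, unsalted (12.1.0.1)
T: (PBKDF2 + SHA-512, 12.1.0.2) is parsed but not recomputed, because its PBKDF2
parameters are not given on the slides. Passwords are taken as UTF-8 bytes (assumption).
"""
from __future__ import annotations

import hashlib
import hmac

# Verifier string shown on slide 5 (S:, H: and T: parts).
SLIDE_EXAMPLE = (
    "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
    "H:DC9894A01797D91D92ECA1DA66242209;"
    "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D"
    "885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C"
)


def parse_spare4(spare4: str) -> dict[str, str]:
    """Split 'S:...;H:...;T:...' into {tag: upper-case hex}; unknown tags are kept."""
    parts: dict[str, str] = {}
    for item in spare4.strip().rstrip(";").split(";"):
        tag, sep, value = item.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed verifier item: {item!r}")
        parts[tag.strip()] = value.strip().upper()
    return parts


def sha1_verifier(password: str, salt: bytes) -> str:
    """11g 'S:' value: sha1(password + salt) followed by the 10-byte salt, as hex."""
    if len(salt) != 10:
        raise ValueError("the 11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return (digest + salt).hex().upper()


def check_sha1_verifier(s_value: str, password: str) -> bool:
    """Recompute S: with the salt stored in its last 10 bytes; compare in constant time."""
    raw = bytes.fromhex(s_value)
    if len(raw) != 30:
        raise ValueError("S: must be a 20-byte hash followed by a 10-byte salt")
    return hmac.compare_digest(sha1_verifier(password, raw[20:]), s_value.upper())


def http_digest_verifier(username: str, password: str) -> str:
    """12.1.0.1 'H:' value: md5('USER:XDB:password'), user name upper-cased, no salt."""
    return hashlib.md5(f"{username.upper()}:XDB:{password}".encode("utf-8")).hexdigest().upper()


def default_password_findings(username: str, spare4: str, defaults: dict[str, str]) -> list[str]:
    """Which stored parts (S, H) still match the known default password for this account
    (slide-3 list)? Empty list: no checked part matched, or no default is known."""
    candidate = defaults.get(username.upper())
    if candidate is None:
        return []
    parts = parse_spare4(spare4)
    findings = []
    if "S" in parts and check_sha1_verifier(parts["S"], candidate):
        findings.append("S")
    if "H" in parts and hmac.compare_digest(parts["H"], http_digest_verifier(username, candidate)):
        findings.append("H")
    return findings


if __name__ == "__main__":
    parsed = parse_spare4(SLIDE_EXAMPLE)
    print({tag: f"{len(value) // 2} bytes" for tag, value in parsed.items()})
    salt = bytes.fromhex("0102030405060708090A")  # constructed salt, not a real one
    demo = f"S:{sha1_verifier('TIGER', salt)};H:{http_digest_verifier('SCOTT', 'TIGER')}"
    defaults = {"SCOTT": "TIGER", "SYSTEM": "MANAGER"}  # from the slide-3 table
    print("SCOTT default password still present in:", default_password_findings("SCOTT", demo, defaults))
```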