eric harrington wrote:
>
> I must be missing something. I have Oracle running without any additional
> password security setup and the Oracle user passwords are encrypted. I was
> checking an OCI login and SQL*Plus connection. I have an Oracle white paper
> that discusses this: Client/Server Authentication, Part A32479, April 1995.
> Excerpt follows (my tests confirmed what is indicated below - I had some
> inconsistency with 7.x but in 8.x and higher this assertion is correct).
>
> Quote: "The Oracle Password Protocol provides security for client-server and
> server-server password communication by encrypting user passwords passed
> over a network. The Oracle Password Protocol uses a session key valid for a
> single database connection attempt to encrypt the user's password. Each
> connection attempt uses a separate key for encryption, making the encryption
> more difficult to decipher. After the key-encrypted password is passed to
> the server, the server decrypts it, then re-encrypts it using a Data
> Encryption Standard (DES) based one-way encryption algorithm and compares it
> with the password stored in the database. If they match, the user
> successfully connects to the database. The Oracle Password Protocol is used
> to encrypt all passwords upon an attempted connection � whether local
> connection, client to
> server, or server to server."
>
Maybe that's why you have to check the box (on Technet before
downloading) saying that you won't ship the software off to Libya - as
it is classified as munitions.
Paul
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Paul Drake
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
