Oracle Database Security and Audit. Authentication and authorization

Similar documents
Managing Oracle Users

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Authentication and Authorization in Oracle 12.2 based Systems. Dr. Günter Unbescheid Database Consult GmbH, Jachenau

Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Security Enhancements in Informatica 9.6.x

PASSWORDS & ENCRYPTION

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Integration Guide. Dell EMC Data Domain Operating System and Gemalto KeySecure. DD OS and Gemalto KeySecure Integration. Version 6.

Single Sign-On Showdown

Authentication CHAPTER 17

User Authentication. Modified By: Dr. Ramzi Saifan

BTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security

CS November 2018

CompTIA. SY0-501 EXAM CompTIA Security+ m/ Product: Demo. For More Information:

Security context. Technology. Solution highlights

TIPS AND TRICKS. Johan Olivier SECURITY

User Authentication. Modified By: Dr. Ramzi Saifan

Security in Confirmit Software - Individual User Settings

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Computer Security 3/20/18

(2½ hours) Total Marks: 75

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

CPSC 467b: Cryptography and Computer Security

Reference manual Integrated database authentication

HikCentral V.1.1.x for Windows Hardening Guide

Ekran System v.6.0 Privileged User Accounts and Sessions (PASM)

$ whoami. Oracle Audit. Agenda. Learning objectives. Overview of Oracle Architecture Oracle audit types Operating system audit Database audit

This Security Policy describes how this module complies with the eleven sections of the Standard:

MANAGING LOCAL AUTHENTICATION IN WINDOWS

MU2b Authentication, Authorization and Accounting Questions Set 2

Oracle Database 11g: Security Release 2

Passwordstate Mobile Client Manual Click Studios (SA) Pty Ltd

Novell Kerberos Login Method for NMASTM

TABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure

Pass Microsoft Exam

Code42 Security. Tech Specs Data Protection & Recovery

Cloud FastPath: Highly Secure Data Transfer

WHITE PAPER. Authentication and Encryption Design

Advanced iscsi Management April, 2008

Oracle Database 11g: Security Release 2

Authentication SPRING 2018: GANG WANG. Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU)

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

HikCentral V1.3 for Windows Hardening Guide

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Oracle Utilities Opower Solution Extension Partner SSO

Zebra Setup Utility, Zebra Mobile Printer, Microsoft IAS, Cisco Access Point, PEAP and WPA-PEAP

Jérôme Kerviel. Dang Thanh Binh

Oracle Database. Installation and Configuration of Real Application Security Administration (RASADM) Prerequisites


Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Message Networking 5.2 Administration print guide

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Security and Authentication

Discretionary Access Control (DAC)

Identity, Authentication and Authorization. John Slankas

Vendor: Microsoft. Exam Code: Exam Name: MTA Security Fundamentals Practice Test. Version: Demo

CNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks

Lesson 13 Securing Web Services (WS-Security, SAML)

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

e-authentication guidelines for esign- Online Electronic Signature Service

Password. authentication through passwords

Real Application Security Administration

Radius, LDAP, Radius, Kerberos used in Authenticating Users

DIGIPASS Authentication for F5 BIG-IP

Pass, No Record: An Android Password Manager

Cloud Access Manager Overview

Cryptography (Overview)

Securing ArcGIS Services

1.264 Lecture 28. Cryptography: Asymmetric keys

Application Note. Using RADIUS with G6 Devices

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

TPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

John Heimann Director, Security Product Management Oracle Corporation

User guide AppGate version 11.3-LTS-u1

Salesforce1 Mobile Security White Paper. Revised: April 2014

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Security. 9.1 User IDs and Security Levels. 9.2 User Privileges and Policies CHAPTER

MULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE

Network Security and Cryptography. 2 September Marking Scheme

Cryptographic Checksums

Oracle Database Security - Top Things You Could & Should Be Doing Differently

Steel-Belted RADIUS. Digipass Plug-In for SBR. SBR Plug-In SBR. G etting Started

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Oracle Hospitality RES 3700 Security Guide Release 5.5 E May 2016

See/Jump Controls INTRODUCTION CONTENTS OVERVIEW 2 GIVING SEE/JUMP PERMISSIONS VIA MEMBER PERSONAL BANKER 4

Remote Support Security Provider Integration: RADIUS Server

Oracle ILM Assistant Installation Guide Version 1.4

Oracle Advanced Security: Enterprise User Management. An Oracle Technical White Paper November 1999

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 Managing Companies Managing Password Policies...

The StrideLinx Remote Access Solution comprises the StrideLinx router, web-based platform, and VPN client.

Keys and Passwords. Steven M. Bellovin October 17,

Wireless LAN Security. Gabriel Clothier

Strong Password Protocols

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Transcription:

Copyright 2014, Oracle Database Security and Audit Beyond Checklists Authentication and authorization Copyright 2014, Learning objectives Understand authentication Understand authorization Understand the intersection of authentication and authorization in Oracle database Copyright 2014,

Copyright 2014, Authentication Oracle has many ways to authenticate users Verifying the identity of someone (a user, device, or other entity) who wants to use data, resources, or applications Establishes a trust relationship for further interactions Enables accountability by making it possible to link access and actions to specific identities Authentication types Database authentication Network authentication Operating system authentication Global user authentication (and authorization) Authentication through an external service Multitier authentication (and authorization) Copyright 2014, Database authentication Authentication is performed against data in the database itself Username (account) and password Passwords are single byte characters Copyright 2014,

Copyright 2014, Operating system authentication Once a user (account) is authenticated at the operating system level, no username or password is needed to log into the database Network authentication Authentication using secure sockets layer (SSL) Application protocol Internet Directory (OID) Authentication using 3rd party services RADIUS Kerberos Dependent on global user management in Oracle Copyright 2014, Global user authentication Private schemas Shared schemas Copyright 2014,

Copyright 2014, Authentication through external service Oracle database maintains the username (account) External service performs authentication (and password administration) Multitier authentication Oracle Database controls the security of middle-tier applications Limiting their privileges Preserving client identities through all tiers Auditing actions taken on behalf of clients Based on trust regions Client authentication performed by the application server (password or X.509 certificate) Application server authenticates the user and itself to the database Database server A authenticates the application server Validates the user exists Verifies the application server has the privilege to connect the user Copyright 2014, Database password creation - pre-11g Not case sensitive One way hash (DES) Algorithm Convert username to uppercase version of username (username sys becomes SYS) Convert password to uppercase version of password (password test becomes TEST) Capatilized username and password gets concatinated (username SYS with password TEST becomes SYSTEST)Encrypt (using 3DES algorithm) concatinated value with a (permanent always the same) secret key Encrypt (using 3DES algorithm) concatinated value with a secret key (this key are the last 8 bytes of the first encryption) The actual password hash value will be the last 8 bytes of the second encryption round, stored in a readable hex representation of these 8 bytes so 16 characters) Example: 403888DD08626364 Copyright 2014,

Copyright 2014, Database password creation - 11g and beyond A 10 byte SALT generated by Oracle (looks random) Password (case-sensitive) and SALT (10 bytes) value become concatenated A SHA1 hash gets generated for the concatenated value 11g password hash becomes: S: plus <SHA1 hash readable hex representation> plus <SALT readable hex representation, 20 characters> Example: S:7E8E454FCCF9676F15CA93472AADDC2F353BAE2F6C95C519756E150CD727 Password protections Password encryption during authentication handshake (AES) Password failure slow down Password complexity checking Case sensitivity Hashing and salting Copyright 2014, Password management policy Password parameters enabled in database profiles All users have a profile DEFAULT created when database is created Default (unhardened) parameters Parameter Default Setting Description FAILED_LOGIN_ATTEMPTS 10 Sets the maximum times a user try to log in and to fail before locking the account. PASSWORD_GRACE_TIME 7 Sets the number of days that a user has to change his or her password before it expires. PASSWORD_LIFE_TIME 180 Sets the number of days the user can use his or her current password. PASSWORD_LOCK_TIME 1 Sets the number of days an account will be locked after the specified number of consecutive failed login attempts. After the time passes, then the account becomes unlocked. PASSWORD_REUSE_MAX UNLIMITED Sets the number of password changes required before the current password can be reused. PASSWORD_REUSE_TIME UNLIMITED Sets the number of days before which a password cannot be reused. Copyright 2014,

Copyright 2014, Password complexity checking Oracle ships demo password verification code utlpwdmg.sql Not suitable for production systems, ever! Dictionary word check is minimal Does not check password history for repeats Password storage Account passwords stored in the database SYS.USER$.PASSWORD DES hash SYS.USER$.SPARE4 SHA-1 hash SYS.USER_HISTORY$.PASSWORD SYS.LINK$ others Copyright 2014, Password security improvement Prior to 11g Password hashes were exposed in dictionary views DBA_USERS ALL_USERS Select given to PUBLIC role Hashes can be cracked off line woraauthbf - brute force dictionary attack John the Ripper (with Oracle patch) Cain & Abel others Copyright 2014,

Copyright 2014, Password cracking demos Demonstrate two tools to crack passwords Windows based Legal Disclaimer! Many organizations have policy against password cracking.! Do not do crack passwords on any systems without written permission from data owners, INFOSEC, etc.! Do not install password cracking tools on your company computers without written consent of your IT department, INFOSEC, etc.! assumes no liability for the use of tools at your organization. Demo - orabf Copyright 2014, Demo - woraauthbf Copyright 2014,

Copyright 2014, The intersection of authentication and authorization Recap of authentication Authentication allows the user to connect to the database if The account name and password were valid The user has the system privilege CREATE SESSION (direct or through a role) The intersection of authentication and authorization Once a user has been validated The user session is created if The account has the system privilege CREATE SESSION (directly or through a role) This is authorization More authorization can continue E.g. SELECT data from a table via Direct grant Through a role Access granted to the PUBLIC role System privileges SELECT ANY TABLE Copyright 2014, Q&A Copyright 2014,

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback