Ask The Oracle Expert: Questions & Answers

How to use DBMS_CRYPTO package for Oracle password encryption/hashing

EXPERT RESPONSE FROM: Brian Fedorko

QUESTION POSED ON: 26 August 2009
I am working on a project with VB.NET 2008 as the front end and Oracle 10g Express Edition as the back end.

I am maintaining a table called USER which stores userid and password. Now I want to encrypt the password and store it in the database, and the same encrypted password must be accessed and checked with the user entered password in VB.NET 2008. How can this be done?




What you are looking for is all contained in the DBMS_CRYPTO package. Everything you need to encrypt, hash or obfuscate data is in there. With this standard, Oracle-supplied package, the hardest part is determining which method is most appropriate for your application.

As a rule of thumb, hashing application passwords is really the best way to go about it, for internal apps that may not need extreme levels of security. (This is the same method Oracle uses in 11g for protecting and validating database user passwords.) A properly salted SHA-1 hash provides really excellent resistance to cracking, without the need to manage encryption keys! All you would have to do is hash the password through one of DBMS_CRYPTO's hashing procedures and compare that to the original, hashed password value in your user table.

If you MUST use encryption, key management is critical -- it will make or break the security of the entire process. Please do not consider putting the key, or direct references in the PL/SQL procedures you used to call DBMS_CRYPTO – the Oracle wrap utility used to obscure your code is easily defeated by direct attack in 10g and below. 11g is actually much better in this regard, plus there are many free and commercial unwrapping utilities available. Proper key management is very complex and difficult to do properly. Often, a "weaker" but properly implemented obfuscation process will render a more secure system than a poorly implemented "strong" algorithm.
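
The salted-hash store-and-compare flow described in the answer, as an added example that is not part of the original response. The table APP_USER (the question's table name USER is a reserved word in Oracle), its columns and the package APP_AUTH are assumed names.

```sql
-- Added example: APP_USER, its columns and APP_AUTH are assumed names, not from the page.
-- The schema owner needs: GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <owner>;
CREATE TABLE app_user (
  userid  VARCHAR2(30) PRIMARY KEY,
  salt    RAW(16) NOT NULL,  -- random, per user
  pw_hash RAW(20) NOT NULL   -- a SHA-1 digest is 20 bytes
);

CREATE OR REPLACE PACKAGE app_auth AS
  PROCEDURE set_password(p_userid IN VARCHAR2, p_password IN VARCHAR2);
  -- Returns 1 on match, 0 otherwise (NUMBER so it can be called from SQL).
  FUNCTION check_password(p_userid IN VARCHAR2, p_password IN VARCHAR2) RETURN NUMBER;
END app_auth;
/

CREATE OR REPLACE PACKAGE BODY app_auth AS
  -- SHA-1 over salt || password bytes; fixed charset so the digest is stable.
  FUNCTION salted_hash(p_salt IN RAW, p_password IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.HASH(
      UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
      DBMS_CRYPTO.HASH_SH1);
  END salted_hash;

  PROCEDURE set_password(p_userid IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh salt on every change
    l_hash RAW(20) := salted_hash(l_salt, p_password);
  BEGIN
    UPDATE app_user SET salt = l_salt, pw_hash = l_hash WHERE userid = p_userid;
    IF SQL%ROWCOUNT = 0 THEN
      INSERT INTO app_user (userid, salt, pw_hash) VALUES (p_userid, l_salt, l_hash);
    END IF;
  END set_password;

  FUNCTION check_password(p_userid IN VARCHAR2, p_password IN VARCHAR2) RETURN NUMBER IS
    l_salt app_user.salt%TYPE;
    l_hash app_user.pw_hash%TYPE;
  BEGIN
    SELECT salt, pw_hash INTO l_salt, l_hash FROM app_user WHERE userid = p_userid;
    RETURN CASE WHEN l_hash = salted_hash(l_salt, p_password) THEN 1 ELSE 0 END;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN 0;  -- unknown user is indistinguishable from a bad password
  END check_password;
END app_auth;
/
```

The VB.NET front end would pass the entered password as a bind parameter to `app_auth.check_password` and act on the 1/0 result, so it never needs to read `pw_hash` itself.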




All Rights Reserved, Copyright 2003 - 2009, TechTarget