• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Tim Cooke
  • Jeanne Boyarsky
  • Paul Clapham
Sheriffs:
  • Devaka Cooray
  • Ron McLeod
  • paul wheaton
Saloon Keepers:
  • Tim Moores
  • Piet Souris
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Frits Walraven
  • Scott Selikoff

Password Matrix

 
Ranch Hand
Posts: 277
Oracle Spring Flex
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All,

I am trying to figure out a better ways to have DB passwords secure. Currently I specify the password in cfg file during the first run of my application. The password is encryted and written back on the cfg file. On subsequent runs, the passwrod is de-cryted and connection is established.

Now, I have a idea of creating a pojo class , with a hashmap and I create a name-value pair for username-password and serialize the object. Then I de-serialise and retrieve the password from the hashmap.

Please share some ideas about this approach.

Regards,
Ashwin
 
Marshal
Posts: 76811
366
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I thought you let the database handle its own passwords. You use the password function of the database which hashes the password and compares it with a stored hash.
 
Ashwin Sridhar
Ranch Hand
Posts: 277
Oracle Spring Flex
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I am not sure what you refer by password function of the database. I am connecting to Oracle db.
 
Java Cowboy
Posts: 16084
88
Android Scala IntelliJ IDE Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Ashwin Sridhar wrote:I am trying to figure out a better ways to have DB passwords secure. Currently I specify the password in cfg file during the first run of my application. The password is encryted and written back on the cfg file. On subsequent runs, the passwrod is de-cryted and connection is established.


Do you realise that that's also not really secure? Instead of having the problem of storing the password somewhere, you now have the problem of storing the encryption key somewhere. So the security problem has only moved, and isn't really solved. If a hacker really wants to get into your system, he or she could decompile your source code, find out where the encryption key is and use it to decrypt the password.
 
Ashwin Sridhar
Ranch Hand
Posts: 277
Oracle Spring Flex
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Jesper,

I don't forsee any hacking problems in my application. I working on this, so that user may not know the password even in the first run. I agree, de-compiling would show up everything.

Do you suggest any better approach.
 
Sheriff
Posts: 3837
66
Netbeans IDE Oracle Firefox Browser
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
What does the application look like? Is it installed on users' machines, or is it a kind of a server application that only administrators can access? Do you need the application to start unattended, or is it always started by someone?

By the way, Oracle supports wide range of security scenarios. You might start to explore the options in the documentation. I'm not an expert on security, but I believe the 2 Day + Security Guide might be a good start.
 
Ashwin Sridhar
Ranch Hand
Posts: 277
Oracle Spring Flex
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Martin,

My application is just a stand alone application which I build into a jar and execute. The application is started with various input parameters.

I am looking for building password matrix from which password could be read back by specifying the username.

Regards,
Ashwin
 
Martin Vashko
Sheriff
Posts: 3837
66
Netbeans IDE Oracle Firefox Browser
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
A client-server architecture. Where does the database reside, then?

If it is installed on a local computer, you're out of luck. Anything which is installed on a physically accessible computer can be broken into. The best you can achieve is security by obscurity. And no one will be able to reasonably tell you whether your solution is already obscure enough.

If it resides on a server physically inaccessible to the users, you could use the authentication mechanism of Oracle database. Users will provide their login name and password and you'll use these to connect to the database. Users will be granted the necessary privileges through a role (or several roles).

It's probably not the only possible solution, but perhaps the easiest one, and reasonably robust. To make it really good you'd have to implement the security in the database too - ie. users should not be able to do anything using an SQL client (sql*plus or TOAD) they couldn't do through your application. It might not be easy for a Java developer - we like to handle these things differently - but it has the benefit that the data will be secure regardless of the tool used to access them.
 
Ashwin Sridhar
Ranch Hand
Posts: 277
Oracle Spring Flex
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Martin,

I am a bit confused with your suggestion. I am just looking to hide the password from the user. That is my objective. I am wondering what role Database security has to do here.

My current scenerio, the user is ale to see password in the cfg file, during the subsequent runs I am encryting it.

I feel user shouldn't be seeing the password in the first run also, so thought of having a separate jar in the classpath which I could use to serialise and de-serailise the object and retreive password.

The pojo contains a HashMap. So Admin would create this jar and put it on classpath and application picks the pasword based on username.

Regards,
Ashwin
 
Martin Vashko
Sheriff
Posts: 3837
66
Netbeans IDE Oracle Firefox Browser
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
But hiding the password from the user does not make sense to me. If all one needs to work with an application is a username, the application isn't going to be very secure. Practically anyone can get it, right?

I had thought that your application uses a powerful db account which could be used to wreak havoc in the database, and therefore you need to hide the password from the end user. If the end user knew the password, he could abuse the database. Is this understanding of mine correct? (If it is, then the solution is the one I've described above - we can discuss it further, of course).
 
Bartender
Posts: 10780
71
Hibernate Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Ashwin Sridhar wrote:My application is just a stand alone application which I build into a jar and execute. The application is started with various input parameters. I am looking for building password matrix from which password could be read back by specifying the username.


Well, for one thing, passwords are generally one-way encryptions and DON'T have a decrypt function. What happens is that the String entered by a user is encrypted and then matched against the stored one. That way, the only thing that is ever stored is an encrypted String. Your only task then is to keep the encryption algorithm (or any key words or phrases that it uses) secret.

Winston
 
Ashwin Sridhar
Ranch Hand
Posts: 277
Oracle Spring Flex
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Martin,

That is not exactly what I am looking at. I am looking on retreiving password from a matrix or jar.

Regards,
Ashwin
 
Martin Vashko
Sheriff
Posts: 3837
66
Netbeans IDE Oracle Firefox Browser
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm sorry, but I cannot really help then. I don't understand well what are you trying to achieve, and - more importantly - why. I believe you should tell us the why and perhaps choose a different solution altogether. The solution you're currently pursuing has serious shortcomings, as Jesper has already pointed out.
 
Jesper de Jong
Java Cowboy
Posts: 16084
88
Android Scala IntelliJ IDE Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
What do you mean by a "matrix"?
 
Ashwin Sridhar
Ranch Hand
Posts: 277
Oracle Spring Flex
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
By Matrix , I mean some kind of a repositiry. The main problem is I don't want the user to know the password. I am okay to allow him to login by specifying username alone.
 
Campbell Ritchie
Marshal
Posts: 76811
366
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Ashwin Sridhar wrote: . . . I am okay to allow him to login by specifying username alone.

That reduces the security of your app by several orders of magnitude.
 
Lasagna is spaghetti flvored cake. Just like this tiny ad:
the value of filler advertising in 2021
https://coderanch.com/t/730886/filler-advertising
reply
    Bookmark Topic Watch Topic
  • New Topic