
Does the Oracle Database Built-in Password Protections prevent pass-the-hash or replay attacks?

Reading the "What Are the Oracle Database Built-in Password Protections?" from http://docs.oracle.com/cd/B28359_01/network.111/b28531/authentication.htm#DBSEG30031, I see AES encryption is used as well as SHA-1 hashing.

I understand that data in-transit over the network is unencrypted, but the initial session setup and authentication is supposed to not send the password in the clear.

So WITHOUT using Oracle Advanced Security (for full network layer encryption) does the built-in method prevent pass-the-hash or replay attacks?

Is there some type of nonce?

I'm guessing the AES is done with the user's password or is the key exchanged some other way?

Rodney

1 Answer

I assume you are talking about the TNS login process and not about the stored hashes. But just in case: Oracle up to 10 stored password hashes as a simple 2-iteration DES over uppercased user+password; since 11.1 it is a salted SHA-1.

For the TNS logins with password authentication (there are others like Kerberos), the protocol uses a challenge response where the password hash is encrypted with a session key. Starting with 10g the session key is larger and contains a client and a server part (as opposed to only a server part before).

The most problematic aspect of this is that if you have the password hash you can use it to brute force a sniffed login package.

So short answer to your question: yes (but it is not very secure).

eckes
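A simplified model of the challenge-response idea in the answer above, added here as an example; it is not Oracle's wire protocol and not code from the answer. HMAC stands in for the AES step, and the message layout, part sizes and all function names are assumptions. It shows why a fresh server part makes a captured login response useless on a later login.

```python
import hashlib
import hmac
import os

def make_verifier(password: str, salt: bytes) -> bytes:
    """Salted SHA-1 of the password: the stored-hash style the answer names for 11.1+."""
    return hashlib.sha1(password.encode() + salt).digest()

def session_key(verifier: bytes, server_part: bytes, client_part: bytes) -> bytes:
    """Session key built from a server part and a client part, keyed by the verifier."""
    return hmac.new(verifier, server_part + client_part, hashlib.sha256).digest()

def proof(verifier: bytes, server_part: bytes, client_part: bytes) -> bytes:
    """Client response (assumed stand-in for encrypting the hash with the session key)."""
    key = session_key(verifier, server_part, client_part)
    return hmac.new(key, verifier, hashlib.sha256).digest()

class Server:
    def __init__(self, password: str):
        self.salt = os.urandom(10)          # constructed sample salt size
        self.verifier = make_verifier(password, self.salt)
        self.pending = None                 # server part of the login in progress

    def challenge(self):
        """Start a login: hand out the salt and a fresh random server part."""
        self.pending = os.urandom(16)
        return self.salt, self.pending

    def verify(self, client_part: bytes, response: bytes) -> bool:
        """Check a response against the outstanding challenge, which is then spent."""
        if self.pending is None:
            return False
        server_part, self.pending = self.pending, None
        expected = proof(self.verifier, server_part, client_part)
        return hmac.compare_digest(expected, response)

def client_login(password: str, salt: bytes, server_part: bytes):
    """Client side: derive the verifier from the typed password, answer the challenge."""
    client_part = os.urandom(16)
    return client_part, proof(make_verifier(password, salt), server_part, client_part)

def demo():
    server = Server("constructed-sample-password")
    salt, server_part = server.challenge()
    captured = client_login("constructed-sample-password", salt, server_part)
    first = server.verify(*captured)        # genuine login
    server.challenge()                      # later login gets a new server part
    replayed = server.verify(*captured)     # same captured response sent again
    return first, replayed
```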