
Password Matrix

 
Ashwin Sridhar
Ranch Hand
Hi All,

I am trying to figure out a better way to keep DB passwords secure. Currently I specify the password in a cfg file during the first run of my application. The password is encrypted and written back to the cfg file. On subsequent runs, the password is decrypted and the connection is established.

Now I have an idea of creating a POJO class with a HashMap, in which I create a name-value pair for username-password, and serialising the object. Then I deserialise it and retrieve the password from the HashMap.

Please share some ideas about this approach.

Regards,
Ashwin
 
Campbell Ritchie
Marshal
I thought you let the database handle its own passwords. You use the password function of the database, which hashes the password and compares it with a stored hash.
 
Ashwin Sridhar
Ranch Hand
Hi,

I am not sure what you mean by the password function of the database. I am connecting to an Oracle DB.
 
Jesper de Jong
Java Cowboy

Ashwin Sridhar wrote: I am trying to figure out a better way to keep DB passwords secure. Currently I specify the password in a cfg file during the first run of my application. The password is encrypted and written back to the cfg file. On subsequent runs, the password is decrypted and the connection is established.


Do you realise that that's also not really secure? Instead of having the problem of storing the password somewhere, you now have the problem of storing the encryption key somewhere. So the security problem has only been moved, not solved. If a hacker really wants to get into your system, he or she could decompile your code, find out where the encryption key is and use it to decrypt the password.
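The point in Jesper's reply, shown as an added example that is not code from the thread: an application that encrypts the password in its cfg file with a key that ships inside the application hands an attacker everything needed to decrypt it. The cipher here is a hypothetical HMAC-SHA256 counter-mode stream (a stand-in for whatever AES wrapper the real application would use; the weakness does not depend on the cipher), the cfg file, the `db.password`/`ENC(...)` layout, the host name and the password value are all constructed for the demo, and `EMBEDDED_KEY` stands for the constant an attacker would read out of the decompiled jar.

```python
"""Added example: encrypting a config-file password with a key that ships
inside the application only moves the secret from the cfg file into the jar.
Everything below the 'attacker' comment uses only what the attacker can get
from the jar (key + algorithm) and the cfg file.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption for the demo: the key is a constant compiled into the application,
# exactly the situation the thread describes. Decompiling the jar reveals it.
EMBEDDED_KEY = b"constant-that-lives-inside-the-jar"

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hypothetical stand-in cipher: HMAC-SHA256 counter-mode keystream.
    Illustrative only; a real application would use AES-GCM. The flaw shown
    here is in the key handling, not the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_password(password: str, key: bytes = EMBEDDED_KEY,
                     nonce: Optional[bytes] = None) -> str:
    """Return the cfg-file token 'ENC(<nonce><ciphertext> as hex>)'."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    plain = password.encode("utf-8")
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return "ENC(" + (nonce + cipher).hex() + ")"


def decrypt_password(token: str, key: bytes = EMBEDDED_KEY) -> str:
    """Inverse of encrypt_password; needs only the key and the token."""
    raw = bytes.fromhex(token[len("ENC("):-1])
    nonce, cipher = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))).decode("utf-8")


def first_run_rewrite(cfg: str) -> str:
    """What the application does on its first run: replace the plaintext
    db.password line with the encrypted token and write the file back."""
    lines = []
    for line in cfg.splitlines():
        if line.startswith("db.password=") and not line.startswith("db.password=ENC("):
            line = "db.password=" + encrypt_password(line.split("=", 1)[1])
        lines.append(line)
    return "\n".join(lines)


# --- attacker: has the rewritten cfg file and the decompiled jar, nothing else ---
def attacker_recovers(cfg: str) -> str:
    """Recover the plaintext using only the key/algorithm from the jar and the cfg."""
    for line in cfg.splitlines():
        if line.startswith("db.password=ENC("):
            return decrypt_password(line.split("=", 1)[1], EMBEDDED_KEY)
    raise ValueError("no encrypted password in cfg")


# Constructed sample cfg file; the host and password are made up for the demo.
SAMPLE_CFG = (
    "db.url=jdbc:oracle:thin:@dbhost.example:1521/orcl\n"
    "db.user=app\n"
    "db.password=s3cret!\n"
)

if __name__ == "__main__":
    rewritten = first_run_rewrite(SAMPLE_CFG)
    print(rewritten)                      # plaintext is gone from the file ...
    print("recovered:", attacker_recovers(rewritten))  # ... but trivially recovered
```

The cfg file no longer contains the plaintext, which is all the first-run rewrite achieves; the attacker function recovers it with the two things that ship with the application. Any scheme of this shape is only as strong as the protection on the key, so the key (or the password itself) has to come from something the user cannot read, such as an OS-protected file, or the design has to change so the application never holds a shared secret at all, as in Martin's suggestion of letting users authenticate to Oracle with their own credentials.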
 
Ashwin Sridhar
Ranch Hand
Jesper,

I don't foresee any hacking problems in my application. I am working on this so that the user does not know the password even on the first run. I agree, decompiling would show up everything.

Do you suggest any better approach?
 
Martin Vashko
Sheriff
What does the application look like? Is it installed on users' machines, or is it a kind of a server application that only administrators can access? Do you need the application to start unattended, or is it always started by someone?

By the way, Oracle supports a wide range of security scenarios. You might start to explore the options in the documentation. I'm not an expert on security, but I believe the 2 Day + Security Guide might be a good start.
 
Ashwin Sridhar
Ranch Hand
Martin,

My application is just a standalone application which I build into a jar and execute. The application is started with various input parameters.

I am looking at building a password matrix from which the password could be read back by specifying the username.

Regards,
Ashwin
 
Martin Vashko
Sheriff
A client-server architecture. Where does the database reside, then?

If it is installed on a local computer, you're out of luck. Anything which is installed on a physically accessible computer can be broken into. The best you can achieve is security by obscurity. And no one will be able to reasonably tell you whether your solution is already obscure enough.

If it resides on a server physically inaccessible to the users, you could use the authentication mechanism of Oracle database. Users will provide their login name and password and you'll use these to connect to the database. Users will be granted the necessary privileges through a role (or several roles).

It's probably not the only possible solution, but perhaps the easiest one, and reasonably robust. To make it really good you'd have to implement the security in the database too, i.e. users should not be able to do anything using an SQL client (SQL*Plus or TOAD) they couldn't do through your application. It might not be easy for a Java developer - we like to handle these things differently - but it has the benefit that the data will be secure regardless of the tool used to access them.
 
Ashwin Sridhar
Ranch Hand
Martin,

I am a bit confused with your suggestion. I am just looking to hide the password from the user. That is my objective. I am wondering what role database security has to do here.

In my current scenario, the user is able to see the password in the cfg file; during the subsequent runs I am encrypting it.

I feel the user shouldn't be seeing the password in the first run either, so I thought of having a separate jar on the classpath which I could use to serialise and deserialise the object and retrieve the password.

The POJO contains a HashMap. So the admin would create this jar and put it on the classpath, and the application picks the password based on the username.

Regards,
Ashwin
 
Martin Vashko
Sheriff
But hiding the password from the user does not make sense to me. If all one needs to work with an application is a username, the application isn't going to be very secure. Practically anyone can get it, right?

I had thought that your application uses a powerful db account which could be used to wreak havoc in the database, and therefore you need to hide the password from the end user. If the end user knew the password, he could abuse the database. Is this understanding of mine correct? (If it is, then the solution is the one I've described above - we can discuss it further, of course).
 
Winston
Bartender

Ashwin Sridhar wrote: My application is just a standalone application which I build into a jar and execute. The application is started with various input parameters. I am looking at building a password matrix from which the password could be read back by specifying the username.


Well, for one thing, passwords are generally one-way encryptions and DON'T have a decrypt function. What happens is that the String entered by a user is encrypted and then matched against the stored one. That way, the only thing that is ever stored is an encrypted String. Your only task then is to keep the encryption algorithm (or any key words or phrases that it uses) secret.

Winston
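What Campbell and Winston describe (the stored value is a one-way hash, a candidate password is hashed and compared, and nothing can be "read back" by username) as an added example that is not code from the thread, using PBKDF2-HMAC-SHA256 from the Python standard library. The user table, user names and passwords are constructed for the demo, and the iteration count is an assumption chosen to keep the demo quick. One caveat for Ashwin's actual problem: a record like this lets the application check a password a user types in; it cannot be turned back into the password the application itself has to present to Oracle, so hashing does not hide a connection credential.

```python
"""Added example: salted one-way password storage and verification.
A record lets you verify a candidate password; it does not let you read the
password back, which is the property the thread's 'password matrix' lacks.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: work factor for the demo. OWASP's current recommendation for
# PBKDF2-HMAC-SHA256 is 600,000 iterations; it is lowered here only so the
# example runs quickly.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    The plaintext is never stored; a fresh random salt is used per record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Re-hash the candidate with the record's own salt and iteration count and
    compare in constant time, so the comparison itself leaks nothing by timing."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


# Constructed "user table" keyed by user name. Both users have the same
# password, yet their records differ because each has its own salt.
USERS: Dict[str, str] = {
    "ashwin": make_record("s3cret!"),
    "martin": make_record("s3cret!"),
}

# Record for a password nobody has, used to burn the same work on unknown
# user names so they cannot be distinguished from wrong passwords by timing.
_DUMMY_RECORD = make_record(os.urandom(16).hex())


def login(users: Dict[str, str], username: str, candidate: str) -> bool:
    """Username plus password check against the stored records."""
    record = users.get(username)
    if record is None:
        verify(_DUMMY_RECORD, candidate)
        return False
    return verify(record, candidate)


if __name__ == "__main__":
    print(USERS["ashwin"])               # hash, not the password
    print(login(USERS, "ashwin", "s3cret!"))   # True
    print(login(USERS, "ashwin", "S3cret!"))   # False
    print(login(USERS, "nobody", "s3cret!"))   # False
```

Note what the record supports: given a user name you can obtain the record and check a candidate against it, but there is no function that turns the record back into "s3cret!". That is the difference between a verifier and the readable-by-username store Ashwin is asking for.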
 
Ashwin Sridhar
Ranch Hand
Martin,

That is not exactly what I am looking at. I am looking at retrieving the password from a matrix or jar.

Regards,
Ashwin
 
Martin Vashko
Sheriff
I'm sorry, but I cannot really help then. I don't understand well what you are trying to achieve, and - more importantly - why. I believe you should tell us the why and perhaps choose a different solution altogether. The solution you're currently pursuing has serious shortcomings, as Jesper has already pointed out.
 
Jesper de Jong
Java Cowboy
What do you mean by a "matrix"?
 
Ashwin Sridhar
Ranch Hand
By matrix, I mean some kind of a repository. The main problem is I don't want the user to know the password. I am okay with allowing him to log in by specifying the username alone.
 
Campbell Ritchie
Marshal

Ashwin Sridhar wrote: . . . I am okay with allowing him to log in by specifying the username alone.

That reduces the security of your app by several orders of magnitude.
 