Oracle listener password encryption-simeon技术专栏

欲忘树

Oraclelistener password encryption
Oracle clients were able to remotely administer the Listener service with the lsnrctl utility. These administrative functions in Oracle versions before 10.1 were enabled by default and a password was used to authenticate clients connecting to the service. In the 10.1 and later versions of Oracle, the administrative functions are disabled by defaultso the listener password is usually not set.　　This article gives an overview of the hashing function used to store Oracle listener passwords in version 10g and 11g. The algorithm is described in a detailed level and a sample implementation is provided (written in Python using pyDES [3]). Special thanks to Gergely Toth and Laszlo Toth, who reviewed this article.
　　The Oracle listener stores the listener password in a file named 搇istener.ora [2]. The password is hashed with a one way function described below. Result of the function is a number consisting of eight bytes. This number is converted to a 16 character long string containingthe hexadecimal digits in a human readable form.
　　The algorithm used to calculate the listener password hashes is not openly documented for Oracle version 10g and 11g (see [4] for the listener hash in Oracle version 9i). The steps are similar to the OraclePassword Hashing Algorithm published in [1], however there are differences in converting the password before feeding it to the DES CBC encryption.
　　We call the function which converts the password into to 8-byte-long data blocks for DES encryption as 揑nitial Permutation later in this article. Then the order of bytes in every four byte blocks is reversed (i.e. 0x0102030405060708 is converted to 0x0403020108070605) before given to the encryption function.
　　The pseudo code for the 揑nitial Permutation function:
　　1. Concatenate the string "Arb" and the password to produce a plaintext string;
　　2. Convert the plaintext string to uppercase characters;
　　3. Expand the plaintext string with zero bytes so that the length is a multiple of 4;
　　4. Swap the order of every byte pair;
　　5. Convert the bytes generated in previous steps to multi-byte storage format: all characters and zero bytes have the high byte set to 0x00; now the length is the multiple of 8.
　　The hashing method:
　　1. Use the 揑nitial Permutation function to convert thepassword into an eight-byte-long data blocks for DES;
　　2. Reverse the order of bytes in every four byte blocksas mentioned above;
　　3. Encrypt the plaintext string using the DES algorithmin cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;
　　4. Encrypt the plaintext string again with DES-CBC using the last block of the result of step 4 as the encryption key;
　　5. The last block from the output of step 4 is converted into a printable hexadecimal string.
　　An example for password "1234567890":
　　StepStringHexadecimal1.Arb123456789041 72 62 31 32 33 34 35 36 37 38 39 302.ARB123456789041 52 42 31 32 33 34 35 36 37 38 39 303.ARB1234567890...41 52 42 31 32 33 34 35 36 37 38 39 30 00 00 004.RA1B32547698.0..52 41 31 42 33 32 35 34 37 36 39 38 00 30 00 005.R.A.1.B.3.2.5.4.7.6.9.8...0.....52 00 41 00 31 00 42 00 33 00 32 00 35 00 34 0037 00 36 00 39 00 38 00 00 00 30 00 00 00 00 00
　　REFERENCES
　　[1] An Assessment of the Oracle Password Hashing Algorithm (2005)
　　Authors: Joshua Wright, Carlos Cid
　　http://www.isg.rhul.ac.uk/~ccid/publications/oracle_passwd.pdf
　　[2] Oracle Database Listener Security Guide - Integrigy White Paper (2007)
　　Authors: Stephen Kost and Jack Kanter
　　http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf
　　[3] A pure python module which implements the DES and Triple-DES encryption algorithms.
　　http://sourceforge.net/projects/pydes/
　　[4] Topic: Key and algo for encrypting the listener password
　　http://www.petefinnigan.com/forum/yabb/YaBB.cgi?board=ora_sec;action=display;num=1185585279
　　SOURCE CODE
　　Pythonimplementation (using the pyDes module)
　　The first command line argument is the password to hash.