I have a Java desktop application which connects directly to the DB (an Oracle). The application has multiple user accounts. What is the correct method to send the user's password (not the DB password) over the network? I don't want to send it in plain text.

A: 

If you don't want to send the data in plain text, use encryption!

Use some encryption algorithm such as AES, Twofish, etc.

You must also take into consideration where your client and server are. If they are both on the same machine, there is no use in using encryption. If they are on different machines, use some encryption algorithm to send sensitive data.

If YOU are checking the validity of the passwords, you can just send the hash of the password. Beware that this method will work only if you are comparing the password yourself. If some other application (out of your control) is doing the validation job, you cannot hash the password.

Niyaz
+5  A: 

You could connect over a secure socket connection, or hash the password locally before sending it to the database (or better, both). Ideally, the only time the password should exist in plain-text form is prior to hashing. If you can do all of that on the client side, so much the better.

Mat Mannion
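The "hash the password locally" part of the two answers above, as an added example that is not code from the thread: a salted, iterated PBKDF2-HMAC-SHA256 hash computed in the Java client, with the plaintext wiped as soon as the hash exists. The iteration count, salt size and sample password are this example's own assumptions. Note the design point both answers make: if the client sends the hash and the server only compares it, the hash itself becomes the credential, so it still needs the encrypted transport.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: salted, iterated password hashing on the client (PBKDF2-HMAC-SHA256).
// Parameter values below are this example's assumptions, not something the thread specifies.
public class ClientPasswordHash {
    private static final int ITERATIONS = 200_000;
    private static final int KEY_LENGTH_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // A fresh random salt per account; it is stored next to the hash and is not secret.
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    // Derive the hash; the copy of the password held by the PBEKeySpec is cleared afterwards.
    public static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Compare in constant time so timing does not reveal how many leading bytes matched.
    public static boolean verify(char[] password, byte[] salt, byte[] storedHash) throws Exception {
        return MessageDigest.isEqual(hash(password, salt), storedHash);
    }

    public static void main(String[] args) throws Exception {
        // Enrolment: the plaintext exists only until it has been hashed.
        char[] chosen = "correct horse battery staple".toCharArray(); // constructed sample
        byte[] salt = newSalt();
        byte[] stored = hash(chosen, salt);
        Arrays.fill(chosen, '\0'); // wipe the plaintext copy

        // What gets sent or stored: the salt and the hash, never the password itself.
        System.out.println("salt=" + Base64.getEncoder().encodeToString(salt));
        System.out.println("hash=" + Base64.getEncoder().encodeToString(stored));

        // Login attempt: recompute with the stored salt and compare.
        char[] attempt = "correct horse battery staple".toCharArray();
        System.out.println("match=" + verify(attempt, salt, stored));
        Arrays.fill(attempt, '\0');

        char[] wrong = "Correct horse battery staple".toCharArray();
        System.out.println("match=" + verify(wrong, salt, stored));
        Arrays.fill(wrong, '\0');
    }
}
```

The password is handled as a `char[]` rather than a `String` so it can be overwritten once it is no longer needed; a `String` would stay in the heap until garbage collection.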
+1  A: 

Agreed, never send the password the user chose in plaintext. However, short of using public key cryptography, if you email them a password, it's going to be in cleartext. One thing I've often seen happen is that when the user forgets the password and requests that it be sent to them, the system generates a new password and sends that one to the user. The user can then change the password.

This way, the password the user chose (which the user might use elsewhere) is never sent; while their temporary password is sent in plaintext, they should change it soon after.

Haacked
+4  A: 

You can use an SSL connection between the Oracle client and the Oracle database. To configure SSL between the Oracle client and server using JDBC:

At server side:

1) First of all, the listener must be configured to use the TCPS protocol:

LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)))

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path/)))

At client side:

1) The following jars need to be on the classpath: ojdbc14.jar, oraclepki.jar, ojpse.jar

2) URL used for connection should be: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))

3) The following properties need to be set (either as system properties (-D options) or as connection properties): javax.net.ssl.trustStore, javax.net.ssl.trustStoreType, javax.net.ssl.trustStorePassword

Reference: http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/wp-oracle-jdbc_thin_ssl_2007.pdf

Rejeev Divakaran
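The client side of the answer above, as an added example that is not code from the answer or from Oracle: a thin-JDBC connection over TCPS using the descriptor from step 2 and the three trust-store properties from step 3, passed as connection properties rather than -D flags. Host, port, service name, trust-store path and both passwords are placeholders. The `oracle.net.ssl_server_dn_match` property is an assumption added beyond the answer; it tells the driver to check that the server certificate's DN matches the host, so the client does not accept any certificate the CA ever issued.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Properties;

// Added example: opening a thin-JDBC session over TCPS with the descriptor and
// properties from the answer above. All placeholder values must be replaced.
public class OracleTcpsConnect {
    private static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION="
        + "(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))"
        + "(CONNECT_DATA=(SERVICE_NAME=servicename)))";

    // Trust store holding the CA certificate that signed the database server's certificate.
    private static final String TRUST_STORE_PATH = "/client/path/truststore.jks"; // placeholder
    private static final String TRUST_STORE_TYPE = "JKS";
    private static final String TRUST_STORE_PASSWORD = "<trust-store-password>";  // placeholder

    public static Connection connect(String dbUser, char[] dbPassword) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", dbUser);
        props.setProperty("password", new String(dbPassword));
        // The three properties the answer lists, given per connection instead of via -D options.
        props.setProperty("javax.net.ssl.trustStore", TRUST_STORE_PATH);
        props.setProperty("javax.net.ssl.trustStoreType", TRUST_STORE_TYPE);
        props.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
        // Assumption beyond the answer: verify the server certificate's DN against the host.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        return DriverManager.getConnection(URL, props);
    }

    // Sanity check after connecting: report which transport the session actually uses.
    public static String transportProtocol(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM dual")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Equivalent alternative: -Djavax.net.ssl.trustStore=... etc. on the java command line.
        char[] dbPassword = "<db-password>".toCharArray(); // placeholder
        try (Connection conn = connect("appuser", dbPassword)) {
            System.out.println("connected over " + transportProtocol(conn));
        } finally {
            Arrays.fill(dbPassword, '\0'); // wipe the password copy
        }
    }
}
```

The `transportProtocol` query is a cheap way to confirm in a log or a test that the session really negotiated TCPS rather than silently landing on plain TCP through another listener address.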
A: 

If you connect directly to the DB with no middle layer, you should consider using a DB user for each real user, because otherwise you can't really secure the application's access.

If you connect to Oracle with Oracle*Net, the user password is automatically encrypted (since Oracle 8); however, it might fall back to unencrypted passwords in some situations. This can be disabled with ORA_ENCRYPT_LOGIN=true in the environment of the client.

eckes