I need to get some sensitive data from an Oracle server to a SQL Server for use in my ASP.NET website. Lets say its passwords. Our security guys say that these passwords need to be secured every step of the way. My website needs to be able to compare user input to these passwords. These passwords must be transferred from the Oracle server to SQL Server at night and can only be used on SQL Server during the day.
The best solution I can come up with is that we need to hash the passwords on Oracle and pass the hashes to SQL Server (lets assume the connection between the two is secure, because that’s not my job 😛 ). Then my ASP.NET web application needs to be able to implement the exact same hashing on user input so we can compare the input hash to the database hash.
So my question is: how can I hash something using the same algorithm/key/salt on Oracle and .NET? I know how to use the .NET hashing functions, but I’m not sure what I can use in Oracle that would be comparable… I could potentially pass them in plain text from ASP.NET to SQL Server and hash them there if that’s easier, but lets call that “Plan B”.
Your datastore should be storing hashed values, on the asp.net side you’ll need to implement an md5 function to convert strings to the hash, and then compare against the hashed value in your db.
http://docs.oracle.com/cd/B19306_01/appdev.102/b14258/d_obtool.htm#i1003449
Oracle does have the ability to use MD5 hash, which you can pass to SQL server and implement, as well as ASP.net.
SQL Server md5
http://www.lazerwire.com/2011/10/ms-sql-md5-hash.html
ASP.net MD5