The Archive Base


Editorial Team
Asked: June 10, 2026 (2026-06-10T18:54:43+00:00)

When you use the Oracle JDBC client library to make an Oracle connection, is

When you use the Oracle JDBC client library to make an Oracle connection, is the password or the security-handshake encrypted by default? (Want to know if there is a risk that the password can be sniffed over the wire when making a connection using the Oracle JDBC client library)

1 Answer

  1. Editorial Team
    Added an answer on June 10, 2026 at 6:54 pm (2026-06-10T18:54:45+00:00)

    The password is always encrypted when in transit over the network.

    That is not to say that it is impervious to attack. If an attacker can obtain the hash of a user’s password and they can monitor network traffic between a legitimate client and the database, then it is possible to obtain the plain-text password.

    For the curious, here is a summary of the authentication process across various versions of the Oracle database software. The steps dealing with the transit of the encrypted password are in bold. It is not entirely intuitive which version of the authentication protocol is being used by the JDBC driver because it doesn’t always match its advertised version. This is because the client can negotiate which protocol it wishes to use. For example, the 11g JDBC driver may not necessarily use the 11g authentication protocol when connecting to an 11g database (it may fall back to the 10g authentication protocol). I forget which drivers use which protocols.

    Authentication protocol in Oracle Database 8

    1. The client requests a server session key for a particular user.
    2. The server generates a server session key.
    3. The server encrypts the server session key using the requested user’s password hash as the secret key.
    4. The server transmits the encrypted server session key to the client.
    5. The client decrypts the encrypted server session key using the user’s password hash as the secret key.
    6. The client encrypts the user’s password using the server session key as the secret key. (proprietary algorithm based on DES)
    7. The client transmits the encrypted password to the server.
    8. The server decrypts the encrypted password using its server session key as the secret key.
    9. The server computes the hash of the decrypted password.
    10. If the computed password hash (from step 9) matches the copy stored on the server, then the user has provided the correct password.

    Authentication protocol in Oracle Database 9i

    1. The client requests a server session key for a particular user.
    2. The server generates a server session key.
    3. The server encrypts the server session key using the requested user’s password hash as the secret key.
    4. The server transmits the encrypted server session key to the client.
    5. The client decrypts the encrypted server session key using the user’s password hash as the secret key.
    6. The client encrypts the user’s password using the server session key as the secret key. (proprietary algorithm based on DES)
    7. The client transmits the encrypted password to the server.
    8. The server decrypts the encrypted password using its server session key as the secret key.
    9. The server computes the hash of the decrypted password.
    10. If the computed password hash (from step 9) matches the copy stored on the server, then the user has provided the correct password.

    Authentication protocol in Oracle Database 10g

    1. The client requests a session key from the server, specifying which user it wishes to connect as.
    2. The server generates a server session key.
    3. The server encrypts the server session key using the requested user’s password hash as the secret key.
    4. The server transmits the encrypted server session key to the client.
    5. The client decrypts the encrypted server session key using the requested user’s password hash as the secret key.
    6. The client generates a client session key.
    7. The client combines the client session key with the server session key.
    8. The client salts the user’s password.
    9. The client encrypts the user’s salted password using the combined session keys (from step 7) as its secret key. (AES-128)
    10. The client encrypts the client session key using the user’s password hash as the secret key.
    11. The client transmits the encrypted client session key and the encrypted, salted user password to the server.
    12. The server decrypts the encrypted client session key using the requested user’s password hash.
    13. The server combines the client session key with its server session key.
    14. The server decrypts the encrypted, salted password using the combined session keys (from step 13) as the secret key.
    15. The server un-salts the salted password.
    16. The server hashes the decrypted password.
    17. The server compares the computed password hash (from step 16) with the stored password hash. If they are equal, the user has provided the correct password.

    Authentication protocol in Oracle Database 11g

    1. The client requests a session key from the server, specifying which user it wishes to connect as.
    2. The server generates a server session key.
    3. The server generates verifier data.
    4. The server encrypts the server session key using the requested user’s password hash as the secret key.
    5. The server transmits the encrypted server session key ("AUTH_SESSKEY") and the verifier data ("AUTH_VFR_DATA") to the client.
    6. The client hashes the user’s password using the verifier data as the salt.
    7. The client decrypts the encrypted server session key using the user’s password hash as the secret key.
    8. The client generates a client session key.
    9. The client combines the client session key with the server session key.
    10. The client salts the user’s password.
    11. The client encrypts the user’s salted password using the combined session keys (from step 9) as its secret key. (AES-192)
    12. The client encrypts the client session key using the user’s password hash as the secret key.
    13. The client transmits the encrypted client session key and the encrypted, salted user password to the server.
    14. The server decrypts the encrypted client session key using the requested user’s password hash.
    15. The server combines the client session key with its server session key.
    16. The server decrypts the encrypted, salted password using the combined session keys (from step 15) as the secret key.
    17. The server un-salts the salted password.
    18. The server hashes the decrypted password.
    19. The server compares the computed password hash (from step 18) with the stored password hash. If they are equal, the user has provided the correct password.
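The 10g exchange listed in the answer above, modelled end to end as an added example (not part of the original answer and not Oracle's code). SHA-256, an HMAC-SHA256 keystream and XOR are stand-ins for Oracle's password hash, AES-128 and key combination, and every function name is an assumption; the model shows that each wire value is keyed by the stored password hash, which is why that hash has to be protected like the password itself.

```python
import hashlib, hmac, os

# Stand-ins (assumptions, not Oracle's algorithms): SHA-256 as the password
# hash, an HMAC-SHA256 keystream XOR as the cipher, XOR to combine keys.
def pw_hash(user, password):
    return hashlib.sha256((user + password).encode()).digest()[:16]

def xcrypt(key, label, data):
    """Toy symmetric cipher (encrypt == decrypt); label separates keystreams."""
    stream, n = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + bytes([n]), hashlib.sha256).digest()
        n += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def combine(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def server_hello(stored_hash):                      # steps 2-4
    skey = os.urandom(16)
    return skey, xcrypt(stored_hash, b"S", skey)

def client_response(user, password, enc_skey):      # steps 5-11
    h = pw_hash(user, password)
    skey = xcrypt(h, b"S", enc_skey)
    ckey = os.urandom(16)
    salted = os.urandom(16) + password.encode()     # 16-byte random salt prefix
    enc_pw = xcrypt(combine(ckey, skey), b"P", salted)
    return xcrypt(h, b"C", ckey), enc_pw

def unwrap(hash_key, skey, enc_ckey, enc_pw):       # steps 12-15
    ckey = xcrypt(hash_key, b"C", enc_ckey)
    salted = xcrypt(combine(ckey, skey), b"P", enc_pw)
    return salted[16:].decode(errors="replace")

def server_verify(user, stored_hash, skey, enc_ckey, enc_pw):   # steps 16-17
    password = unwrap(stored_hash, skey, enc_ckey, enc_pw)
    return hmac.compare_digest(pw_hash(user, password), stored_hash)

def hash_holder_view(some_hash, enc_skey, enc_ckey, enc_pw):
    """What the three wire values yield to a party that holds some_hash."""
    skey = xcrypt(some_hash, b"S", enc_skey)
    return unwrap(some_hash, skey, enc_ckey, enc_pw)

if __name__ == "__main__":
    user, password = "APP_USER", "constructed-Passw0rd"   # constructed sample
    stored = pw_hash(user, password)
    skey, enc_skey = server_hello(stored)
    enc_ckey, enc_pw = client_response(user, password, enc_skey)
    print("server accepts:", server_verify(user, stored, skey, enc_ckey, enc_pw))
    print("hash + capture:", hash_holder_view(stored, enc_skey, enc_ckey, enc_pw))
```
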
