Shulou (Shulou.com), SLTechnology News & Howtos > Network Security, 06/01 report, updated 2025-03-30
Changes to password hashes in the Oracle 12c database
Simeon
Original article: https://www.trustwave.com/Resources/SpiderLabs-Blog/Changes-in-Oracle-Database-12c-password-hashes/
Oracle improved user password hashing in Oracle Database 12c: the simple SHA1 hash used in the past has been replaced by a PBKDF2-based SHA512 hash, which makes the stored password hash considerably harder to attack. In this article I will explain some of the changes and their security implications.
1. Oracle password hash values
In Oracle 11g the spare4 column of the sys.user$ table stores the user's password hash.
This is an example of the sys.user$.spare4 value for a user "demo" created with the password "epsilon":
S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
Detailed steps:
SQL> create user demo identified by epsilon;
User created.
SQL> select spare4 from sys.user$ where name = 'DEMO';
S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
Author's note: when querying sys.user$, the user name must be given in uppercase.
The sys.user$.password value of the demo user (the legacy hash) can be queried in the same way:
SQL> select password from sys.user$ where name = 'DEMO';
Running result:
2B7983437FE9FEB6
Author's note:
Execute the query select password from sys.user$ where name = 'SYS'; as shown in figure 1.
Figure 1: getting the SYS user password value
The password column is not discussed further here: it uses the same algorithm as previous versions of Oracle Database (the username and password are uppercased and concatenated, then the 3DES-based hash is applied).
The value in the spare4 column consists of three parts separated by semicolons, tagged "S:", "H:" and "T:".
The "S:" part is 60 hex characters, or 30 bytes, long:
8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A
The "H:" part is 32 hex characters, or 16 bytes, long:
DC9894A01797D91D92ECA1DA66242209
Finally, the "T:" part is 160 hex characters, or 80 bytes, long:
23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
So what exactly do they mean?
2. The S: part
The "S:" part already exists in Oracle Database 11g, where it is created as follows:
password hash (20 bytes) = sha1(password + salt (10 bytes))
(for more details, see http://marcel.vandewaters.nl/oracle/security/password-hashes.)
The same is true of Oracle Database 12c, as the following simple test shows.
For the S: value above (8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A):
the hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C and the salt is 6271691FC55C1F56554A.
The password is "epsilon", so let's calculate the SHA1 hash of 'epsilon' + 0x6271691FC55C1F56554A:
import hashlib
sha1 = hashlib.sha1()
sha1.update(b"epsilon")                                    # the password
sha1.update(b"\x62\x71\x69\x1f\xc5\x5c\x1f\x56\x55\x4a")  # the 10-byte salt taken from the S: part
sha1.hexdigest().upper()
The calculation produces '8F2D65FB5547B71C8DA3760F10960428CD307B1C', as shown in figure 2.
Figure 2: calculating the password hash of "epsilon"
This is the same as the 11g algorithm.
3. The H: part
You can see this in one of the SQL files under $ORACLE_HOME/rdbms/admin:
create or replace view DBA_DIGEST_VERIFIERS
    (USERNAME, HAS_DIGEST_VERIFIERS, DIGEST_TYPE) as
select u.name, 'YES', 'MD5' from user$ u where instr(spare4, 'H:') > 0
union
select u.name, 'NO', NULL from user$ u where not (instr(spare4, 'H:') > 0) or spare4 is null
/
So it appears to be an MD5 hash.
Note that there is also SQL code under $ORACLE_HOME/rdbms/admin that modifies the spare4 column value to remove the H: portion.
This is how spare4.H is computed: the uppercased username, the string 'XDB' and the password are joined with colons and hashed with MD5 (i.e. md5('DEMO:XDB:epsilon')), giving a 32-hex-character value:
import hashlib
m = hashlib.md5()
m.update(b"DEMO:XDB:epsilon")   # USERNAME:XDB:password
m.hexdigest().upper()
'DC9894A01797D91D92ECA1DA66242209'
This makes it possible to use a pre-computed dictionary of password hashes to recover the passwords of built-in users, for example the SYSTEM user's password with the prefix SYSTEM:XDB:.
This H: value appears to be used for digest authentication in XDB.
4. The T: part
This applies only to 12.1.0.2; in versions prior to 12c the T: part does not exist.
We enable 12c password hashing by updating the sqlnet.ora file (assuming the client is also from the 12.1.0.2 release):
# sqlnet.ora
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a
Then recreate the demo user (reconnect the client first):
drop user demo;
create user demo identified by epsilon;
select spare4 from sys.user$ where name = 'DEMO';
H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B
Notice that the spare4 value no longer contains an "S:" part; only the "H:" and "T:" parts remain.
The following can be found in the Oracle Database 12c documentation:
5. About the 12C verifier
The 12C verifier is based on a de-optimized algorithm involving PBKDF2 and SHA512: the password is first run through PBKDF2 and the result is then hashed with SHA512. During authentication, the server sends the so-called AUTH_VFR_DATA (which matches the last 16 bytes of spare4.T) to the client:
-- Server to client packet snippet
39 39 39 00 00 00 0D-00 00 00 0D 41 55 54 48 999.AUTH
5F 56 46 52 5F 44 41 54-41 20 00 00 00 20 38 44 _ VFR_DATA.8D
44 31 42 45 33 46 36 37-42 46 39 38 31 33 41 D1BE3F67BFF9813A
34 36 34 33 38 32 33 38-31 41 42 33 36 42 15 48 464382381AB36B.H
So we can split this T: value into two parts (the first 64 bytes and AUTH_VFR_DATA):
E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD (first 128 characters, or 64 bytes)
8DD1BE3F67BFF9813A464382381AB36B (last 32 characters, or 16 bytes: AUTH_VFR_DATA)
AUTH_VFR_DATA is presumably generated randomly when the password is set or reset. The first 64 bytes of T: are then produced by the following Python code (requires the PBKDF2 Python module):
import pbkdf2, hashlib   # third-party pbkdf2 module
AUTH_VFR_DATA = b"\x8d\xd1\xbe\x3f\x67\xbf\xf9\x81\x3a\x46\x43\x82\x38\x1a\xb3\x6b"   # received from the server once the 12c protocol is negotiated
salt = AUTH_VFR_DATA + b"AUTH_PBKDF2_SPEEDY_KEY"
key = pbkdf2.PBKDF2("epsilon", salt, 4096, hashlib.sha512)   # password, salt, iterations, PRF
key_64bytes = key.read(64)   # this 64-byte derived key is encrypted by the client and sent to the server as AUTH_PBKDF2_SPEEDY_KEY
t = hashlib.sha512()   # this happens on the server after the key is decrypted from the AUTH_PBKDF2_SPEEDY_KEY value
t.update(key_64bytes)
t.update(AUTH_VFR_DATA)
t.hexdigest().upper()   # first 64 bytes of the spare4.T: value if the password is correct
Running result:
E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD
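The following script is an added example, not code from the original article or from Oracle, that ties sections 1 to 5 together: it parses a sys.user$.spare4 value into its S:, H: and T: parts, checks the lengths given above, and recomputes each verifier for a given username and password using only the Python standard library (hashlib.pbkdf2_hmac takes the place of the third-party pbkdf2 module). The embedded spare4 strings are the values quoted above for the demo user with password "epsilon"; the salt suffix b"AUTH_PBKDF2_SPEEDY_KEY", the 4096 iterations and the 64-byte key length are taken from the code above. The T: part of the first (pre-12a) spare4 value is parsed but its result is not relied on, because the article only works through the value created after ALLOWED_LOGON_VERSION_SERVER was set to 12a.

```python
import hashlib

# Constructed sample input: the spare4 values the article quotes for the user
# DEMO with password "epsilon". The first was produced before the 12a logon
# version was enforced (it still carries an S: part), the second afterwards.
SPARE4_BEFORE_12A = (
    "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
    "H:DC9894A01797D91D92ECA1DA66242209;"
    "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10"
    "858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C"
)
SPARE4_AFTER_12A = (
    "H:DC9894A01797D91D92ECA1DA66242209;"
    "T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9"
    "DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD"
    "8DD1BE3F67BFF9813A464382381AB36B"
)

# Expected length of each part in hex characters, as listed in the article.
EXPECTED_LEN = {"S": 60, "H": 32, "T": 160}


def parse_spare4(spare4):
    """Split a spare4 string into {"S": ..., "H": ..., "T": ...} and validate each part."""
    parts = {}
    for piece in spare4.split(";"):
        if not piece:
            continue
        tag, sep, value = piece.partition(":")
        if sep != ":" or tag not in EXPECTED_LEN:
            raise ValueError(f"unexpected spare4 element: {piece[:10]!r}")
        if len(value) != EXPECTED_LEN[tag]:
            raise ValueError(f"{tag}: part has {len(value)} hex chars, expected {EXPECTED_LEN[tag]}")
        bytes.fromhex(value)  # raises ValueError if the part is not hex
        parts[tag] = value.upper()
    return parts


def is_well_formed(spare4):
    """True if the value has only known tags with the documented lengths."""
    try:
        parse_spare4(spare4)
        return True
    except ValueError:
        return False


def verify_s(s_part, password):
    """S: = SHA1(password || 10-byte salt) followed by the salt (section 2)."""
    digest, salt = s_part[:40], s_part[40:]
    calc = hashlib.sha1(password.encode() + bytes.fromhex(salt)).hexdigest().upper()
    return calc == digest


def verify_h(h_part, username, password):
    """H: = MD5('USERNAME:XDB:password') with the username in uppercase (section 3)."""
    calc = hashlib.md5(f"{username.upper()}:XDB:{password}".encode()).hexdigest().upper()
    return calc == h_part


def verify_t(t_part, password):
    """T: = SHA512(PBKDF2-HMAC-SHA512(password, AUTH_VFR_DATA || 'AUTH_PBKDF2_SPEEDY_KEY',
    4096, 64) || AUTH_VFR_DATA) followed by AUTH_VFR_DATA itself (sections 4 and 5)."""
    stored, auth_vfr_data = t_part[:128], bytes.fromhex(t_part[128:])
    salt = auth_vfr_data + b"AUTH_PBKDF2_SPEEDY_KEY"
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 4096, 64)
    calc = hashlib.sha512(key + auth_vfr_data).hexdigest().upper()
    return calc == stored


def verify(spare4, username, password):
    """Recompute every verifier present in spare4; returns {tag: matches?}."""
    parts = parse_spare4(spare4)
    results = {}
    if "S" in parts:
        results["S"] = verify_s(parts["S"], password)
    if "H" in parts:
        results["H"] = verify_h(parts["H"], username, password)
    if "T" in parts:
        results["T"] = verify_t(parts["T"], password)
    return results


if __name__ == "__main__":
    for label, value in (("before 12a", SPARE4_BEFORE_12A), ("12a enforced", SPARE4_AFTER_12A)):
        print(label, verify(value, "demo", "epsilon"))
```

A defender can use a check like this to confirm that a stored verifier really follows the expected algorithm, for example to find accounts that still carry the weaker S: or H: parts after ALLOWED_LOGON_VERSION_SERVER has been raised, without ever needing to reverse a hash.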
Summary
Oracle added an MD5 hash and a PBKDF2-based SHA512 hash in 12c. The Oracle documentation says:
The cryptographic hash function used to generate the 12C verifier is based on a de-optimized algorithm involving PBKDF2 and SHA-512. PBKDF2 is used to introduce computational asymmetry into the challenge faced by an attacker who holds the 12C verifier and tries to recover the original password.
Author's note (the author's own supplement): because the 12C verifier is exchanged during authentication, an Oracle password can be recovered by capturing the packets and brute-forcing them offline.
6. A brief introduction to PBKDF2 and its algorithm
(1) Introduction to PBKDF2
PBKDF2 simply means recomputing the salted hash many times, and the number of iterations is configurable. If one computation takes 1 microsecond, 1 million iterations take 1 second. If an attacker needs a rainbow table of 10 million entries for a password, building that table takes 115 days. That cost is enough to deter most attackers.
(2) The PBKDF2 algorithm
DK = PBKDF2(P, S, c, dkLen)
Options: PRF, the underlying pseudorandom function (hLen denotes the length in bytes of the PRF output)
Input:
P      password, a byte string
S      salt, a byte string
c      iteration count, a positive integer
dkLen  intended length in bytes of the derived key, a positive integer, at most (2^32 - 1) * hLen
Output: DK, the derived key, a byte string of dkLen bytes
Steps:
1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop.
2. Let l be the number of hLen-byte blocks in the derived key (rounding up), and let r be the number of bytes in the last block:
l = CEIL(dkLen / hLen)
r = dkLen - (l - 1) * hLen
Here CEIL(x) is the "ceiling" function, i.e. the smallest integer greater than or equal to x.
3. For each block of the derived key, apply the function F to the password P, the salt S, the iteration count c and the block index to compute the block:
T_1 = F(P, S, c, 1)
T_2 = F(P, S, c, 2)
...
T_l = F(P, S, c, l)
Here the function F is defined as the XOR sum of the first c iterates of the underlying pseudorandom function PRF, applied to the password P and the concatenation of the salt S and the block index i:
F(P, S, c, i) = U_1 xor U_2 xor ... xor U_c
where
U_1 = PRF(P, S || INT(i))
U_2 = PRF(P, U_1)
...
U_c = PRF(P, U_{c-1})
Here INT(i) is the four-byte big-endian encoding of the integer i (most significant byte first).
4. Concatenate the blocks and extract the first dkLen bytes to produce the derived key DK:
DK = T_1 || T_2 || ... || T_l
5. Output the derived key DK.
Note: the construction of the function F follows a "belt-and-suspenders" approach. The U_i values are computed recursively to remove a degree of parallelism from an adversary; they are XORed together to reduce concerns about the recursion degenerating into a small set of values.
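As an added example (not from the article), the algorithm of section (2) written out in Python so the steps can be followed with the document's own symbols: F() computes the XOR sum of the chain U_1 ... U_c, and pbkdf2() performs steps 1 to 5, producing T_1 || ... || T_l truncated to dkLen. HMAC is used as the PRF, which is the choice Oracle's 12c verifier and most implementations make (the specification itself leaves the PRF open). The result is cross-checked against hashlib.pbkdf2_hmac; the fixed test vectors are the published RFC 6070 PBKDF2-HMAC-SHA1 vectors, and the remaining inputs are constructed.

```python
import hashlib
import hmac
import math
import struct


def INT(i):
    """Four-byte big-endian encoding of the block index i (most significant byte first)."""
    return struct.pack(">I", i)


def F(prf_name, P, S, c, i):
    """F(P, S, c, i) = U_1 xor U_2 xor ... xor U_c
    with U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1}); PRF = HMAC-<prf_name>."""
    if c < 1:
        raise ValueError("iteration count must be a positive integer")
    U = hmac.new(P, S + INT(i), prf_name).digest()  # U_1
    T = U
    for _ in range(c - 1):
        U = hmac.new(P, U, prf_name).digest()       # U_j = PRF(P, U_{j-1})
        T = bytes(t ^ u for t, u in zip(T, U))      # running XOR sum
    return T


def pbkdf2(prf_name, P, S, c, dkLen):
    """DK = PBKDF2(P, S, c, dkLen) following steps 1-5 of the specification."""
    hLen = hashlib.new(prf_name).digest_size
    if dkLen > (2 ** 32 - 1) * hLen:                 # step 1
        raise ValueError("derived key too long")
    l = math.ceil(dkLen / hLen)                      # step 2: number of blocks
    r = dkLen - (l - 1) * hLen                       #         bytes taken from the last block
    blocks = [F(prf_name, P, S, c, i) for i in range(1, l + 1)]  # step 3: T_1 ... T_l
    DK = b"".join(blocks[:-1]) + blocks[-1][:r]      # step 4: T_1 || ... || T_l, first dkLen bytes
    return DK                                        # step 5


def matches_stdlib(prf_name, P, S, c, dkLen):
    """Cross-check: the spec-following implementation agrees with hashlib.pbkdf2_hmac."""
    return pbkdf2(prf_name, P, S, c, dkLen) == hashlib.pbkdf2_hmac(prf_name, P, S, c, dkLen)


if __name__ == "__main__":
    # Constructed inputs; the sha512/4096/64 case mirrors the parameters of the 12c verifier.
    print(pbkdf2("sha1", b"password", b"salt", 1, 20).hex())
    print(matches_stdlib("sha512", b"epsilon", b"constructed-salt", 4096, 64))
```

The multi-block path (dkLen larger than hLen) is the part most implementations get wrong; the cross-check with the standard library on a 100-byte SHA256 output exercises it, and the iteration loop shows why the cost grows linearly with c.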
Password cracking:
select username, password from dba_users;
hashcat -m 10200 -a 0 -o oracle.txt --remove oracle.hash wordlist.txt
hashcat -m 1800 -a 3 oracle.hash ?d?d?d?d?d?d?d?d?d?d?d
© 2024 shulou.com SLNews company. All rights reserved.