13 Replies Latest reply: Nov 21, 2009 6:12 AM by Scott

md5 encryption!

Kod Newbie
I made a form, and through the form I need to insert a password into one column of the table. The value that is going to be inserted needs to be hashed!

So I made a function that returns an md5 hash.

CREATE OR REPLACE
function md5( input varchar2 ) return sys.dbms_obfuscation_toolkit.varchar2_checksum as
begin
return sys.dbms_obfuscation_toolkit.md5( input_string => input );
end;


How can I call this function in the form and insert the hashed value in the table?

Thanks!
  • 1. Re: md5 encryption!
    Hari_639 Guru
    Better you handle this at trigger level
    :new.password := dbms_obfuscation_toolkit.md5( :new.password);
    Cheers,
    Hari
  • 2. Re: md5 encryption!
    Kod Newbie
    Ok. But can I just call the function somewhere in the form?
  • 3. Re: md5 encryption!
    Hari_639 Guru
    You can call it anywhere in the form where you can write PL/SQL or SQL.

    For e.g. in page process
    BEGIN
    
    INSERT INTO tbl (password) VALUES ( dbms_obfuscation_toolkit.md5(input_string=>:P1_PASSWORD));
    
    END;
    For any item source (source type SQL query)
    SELECT dbms_obfuscation_toolkit.md5(input_string=>:P1_PASSWORD) FROM dual;
    Hope it helps

    Cheers,
    Hari
  • 4. Re: md5 encryption!
    723295 Newbie
    Hi!

    I use this:

    UPDATE mytable
    SET mypass = DBMS_CRYPTO.HASH (UTL_RAW.cast_to_raw (:P1_PASS), 2)
    WHERE myid = :P1_ID;

    I hope I helped
    PaZso
  • 5. Re: md5 encryption!
    Scott Oracle ACE Director
    I think that it's important to note that MD5 is NOT - repeat, NOT - encryption, but rather a hash function. While on the surface they are similar, they are very different things.

    Basically, encryption is a two-way algorithm, whereas a hash function is one-way. Thus, you can decrypt something that is encrypted, but you cannot un-hash something that has been hashed (in theory and largely in practice).

    Thus, your approach is mostly correct, but I think that you simply called it something that it is not.

    The one flaw that you do have is that you are simply using a raw MD5 hash function on your passwords. For an experienced and dedicated hacker, this is a mere inconvenience for them, as they can easily launch a hashed dictionary attack against your password column and likely get a number of hits back.

    The best way to combat this is to use what is called a salt as part of your hash function. Rather than just hashing the password column, concatenate some constant to the beginning and/or end of the string, and then hash that. You'll also have to do the same when making comparisons. This small change is enough to make an MD5 dictionary attack useless - so long as you protect the salt. You can do this by wrapping the function that creates your hash and/or storing the salt in an encrypted table.

    Have a look at the functions in the APEX sample application for an example of this approach.

    Thanks,

    - Scott -

    http://sumnertechnologies.com/
    http://spendolini.blogspot.com/
  • 6. Re: md5 encryption!
    Kod Newbie
    Thanks for the reply! But I still can't insert the hashed value!

    When I chose SQL query as the item source for the password field and put this code in Alternate Source:

    SELECT dbms_obfuscation_toolkit.md5(input_string=>:P6_PASSWORD) FROM dual;

    where P6_PASSWORD is the item name, I get these errors:

    ORA-00907: missing right parenthesis
    Error      ERR-1019 Error computing item default value: page=6 name=P6_PASSWORD

    Edited by: Kod on Nov 6, 2009 12:12 AM
  • 7. Re: md5 encryption!
    Hari_639 Guru
    Hi Kod,

    Could you explain what you are trying to do?

    If you have a P6_PASSWORD item, where the user will enter the 'password text', and you want it to get 'hashed' after submit, then I suggest creating an 'After Submit computation' for the P6_PASSWORD item, selecting 'SQL Query' as the type, and putting the following in the 'Computation' source
    SELECT dbms_obfuscation_toolkit.md5(input_string=>:P6_PASSWORD) FROM dual;
    Cheers,
    Hari
  • 8. Re: md5 encryption!
    Kod Newbie
    I am trying to do just what you wrote!
    Simply, the user inserts text for a password in the form field, and after that the hashed value of the submitted text is inserted in the password column!

    I did everything as you wrote:
    First I created a computation for the item.
    For name I chose P6_PASSWORD;
    For Type I chose SQL query;
    For Computation Point I chose After Submit;
    And in the Computation I put this:

    SELECT dbms_obfuscation_toolkit.md5(input_string=>:P6_PASSWORD) FROM dual;

    Now when I try to submit the form I get these errors:

    ORA-00907: missing right parenthesis
    Error      ERR-1003 Error executing computation query.

    Thanks!
  • 9. Re: md5 encryption!
    Hari_639 Guru
    I think some other part of your page is causing this error. Try to run the page in DEBUG mode and see where the error is actually coming from.

    Cheers,
    Hari
  • 10. Re: md5 encryption!
    TexasApexDeveloper Guru
    Whenever I have used the md5 function, I wrap it in a local function and include the suggested salt value to make the value harder to crack.

    Just a suggestion,

    Thank you,

    Tony Miller
    Webster, TX
  • 11. Re: md5 encryption!
    Hari_639 Guru
    Hi Kod,

    I think your underlying database is not 11g?

    Before 11g, we couldn't call functions with 'named parameters' in SQL. This restriction was lifted in 11g.

    So choose 'PLSQL Expression' as the computation type and just put the following in the computation section
    dbms_obfuscation_toolkit.md5(input_string=>:P6_PASSWORD);
    Cheers,
    Hari
  • 12. Re: md5 encryption!
    603257 Journeyer
    Or just call it as an un-named parameter! :)
    dbms_obfuscation_toolkit.md5(:P6_PASSWORD);
    As well as the "salt" it is also a good idea to base the hash upon the unique user attribute (user_id, user_name etc). This means that for two users with the same password, the hash is different. Otherwise, if I could see all the hashed passwords and saw that someone else had the same hashed password as me then I would know that their password was the same as I'd used!!
  • 13. Re: md5 encryption!
    Scott Oracle ACE Director
    A salt isn't just a good idea, it's absolutely necessary.

    Have a look at this site: http://milw0rm.com/cracker/list.php?start=0

    Enter in a raw MD5 hash, out comes a (weak) password. Sure, it's brute force, but that doesn't make it unachievable.

    Thanks,

    - Scott -

    http://sumnertechnologies.com/
    http://spendolini.blogspot.com/
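
The salted, per-user hashing that replies 5 and 12 describe, written as a PL/SQL package. This is an added example, not code from the thread or from the APEX sample application; the names app_users, app_auth and c_salt are hypothetical, the salt value is a placeholder, and it assumes EXECUTE on DBMS_CRYPTO has been granted to the owning schema.

```sql
-- Added example; app_users, app_auth and c_salt are hypothetical names.
-- Assumes EXECUTE on DBMS_CRYPTO has been granted to the owning schema.
CREATE TABLE app_users (
  user_name VARCHAR2(30) PRIMARY KEY,
  pass_hash RAW(16)                      -- an MD5 digest is 16 bytes
);

CREATE OR REPLACE PACKAGE app_auth AS
  PROCEDURE set_password (p_user IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION  is_valid (p_user IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
END app_auth;
/

CREATE OR REPLACE PACKAGE BODY app_auth AS
  -- Constructed placeholder: replace with your own random value.
  c_salt CONSTANT VARCHAR2(64) := 'REPLACE-WITH-YOUR-OWN-RANDOM-SALT';

  -- Private, so callers can reach it only through the two public routines.
  FUNCTION salted_hash (p_user IN VARCHAR2, p_password IN VARCHAR2) RETURN RAW IS
  BEGIN
    -- Salt, then the upper-cased user name, then the password. Including the
    -- user name gives two users with the same password different hashes.
    RETURN DBMS_CRYPTO.HASH(
             UTL_I18N.STRING_TO_RAW(
               c_salt || ':' || UPPER(p_user) || ':' || p_password, 'AL32UTF8'),
             DBMS_CRYPTO.HASH_MD5);       -- MD5, as used in the thread
  END salted_hash;

  PROCEDURE set_password (p_user IN VARCHAR2, p_password IN VARCHAR2) IS
    -- Computed in PL/SQL first: a private function cannot be called from SQL.
    l_hash RAW(16) := salted_hash(p_user, p_password);
  BEGIN
    UPDATE app_users SET pass_hash = l_hash WHERE user_name = UPPER(p_user);
    IF SQL%ROWCOUNT = 0 THEN
      INSERT INTO app_users (user_name, pass_hash) VALUES (UPPER(p_user), l_hash);
    END IF;
  END set_password;

  FUNCTION is_valid (p_user IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    l_stored app_users.pass_hash%TYPE;
  BEGIN
    SELECT pass_hash INTO l_stored FROM app_users WHERE user_name = UPPER(p_user);
    -- Same salt and same user name on comparison, or the hashes never match.
    RETURN l_stored IS NOT NULL AND l_stored = salted_hash(p_user, p_password);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN FALSE;
  END is_valid;
END app_auth;
/
```

From an APEX page process the call would be app_auth.set_password(:P6_USERNAME, :P6_PASSWORD), where P6_USERNAME is an assumed item name.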
