Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01
Directory Storage of Password Verifiers, 3 of 4


Storing and Managing Password Verifiers for Authenticating to Oracle Internet Directory

Oracle Internet Directory stores a user's directory password in the userPassword attribute. You can protect this password by storing it as a Base64-encoded string of a one-way hashed value, using one of Oracle Internet Directory's supported hashing algorithms. Storing passwords as one-way hashed values, rather than as encrypted values, secures them more fully: a one-way hash cannot be reversed to recover the password, whereas an encrypted value can be decrypted by anyone who obtains the key. An attacker who reads a hashed userPassword value must still guess the password, which is why salted schemes such as SSHA and SMD5 are preferable to the unsalted schemes.

Beginning with Release 9.0.4, Oracle Internet Directory also stores the user password in a reversibly encrypted format in an operational attribute called orclrevpwd. This attribute is generated only if the attribute orclpwdencryptionenable in the password policy entry is set to TRUE. Because the value is recoverable, the orclrevpwd attribute can be queried only over SSL sessions that use the one-way or two-way SSL authentication mechanisms; it cannot be queried over non-SSL sessions. Enable it only if an application actually needs the clear-text password, because it weakens the protection that one-way hashing provides.

This section contains these topics:

  • Password Verifiers and Authentication to the Directory

  • Hashing Schemes for Creating Password Verifiers

  • Managing Password Protection by Using Oracle Directory Manager

  • Managing Password Protection by Using ldapmodify

Password Verifiers and Authentication to the Directory

During authentication to a directory server, clients supply a password to the directory server in clear text. The directory server hashes this password by using the hashing algorithm configured in the orclCryptoScheme attribute of the root DSE, the same algorithm that was used to create the stored verifier. It then compares the result against the hashed password stored in the binding entry's userPassword attribute. If the hashed values match, then the server authenticates the user. If they do not match, then the server returns an "Invalid Credentials" error to the client. Because the client's password travels in clear text inside the bind request, a simple bind over a non-SSL port exposes the password on the network; use an SSL port for binds whenever possible.

Hashing Schemes for Creating Password Verifiers

During installation, Oracle Universal Installer prompts you to set the one-way hashing scheme used to protect user passwords in the directory. It presents you with these options:

The hashing algorithm value you specify at installation is stored in the orclCryptoScheme attribute in the root DSE. You can change that value by using either Oracle Directory Manager or ldapmodify. Changing the scheme affects only passwords that are set or reset after the change: because the stored values are one-way hashes, the server cannot re-hash existing verifiers, so they remain in the old scheme until each user's password is changed.

Managing Password Protection by Using Oracle Directory Manager

You must be a super user to manage password protection by using Oracle Directory Manager.

To change the type of password protection by using Oracle Directory Manager:

  1. In the navigator pane, expand Oracle Internet Directory Servers and select the directory server instance for which you want to reset password hashing. The corresponding tab pages for that directory server appear in the right pane.

  2. In the System Operational Attributes tab page, in the Password Encryption field, select the type of password hashing you want to use. Options are:

    • MD4

    • MD5

    • No Encryption

    • SHA

    • UNIX Crypt

    • SSHA

    • SMD5

  3. Choose Apply.


    Note:

    The No Encryption option specifies that user passwords are stored in clear text, so anyone who can read the userPassword attribute can read the passwords. Of the hashing options, MD4, MD5, SHA, and UNIX Crypt are unsalted: two users with the same password get the same stored value, and precomputed hash tables apply directly. SSHA and SMD5 append a random salt before hashing, which defeats precomputation and is the better choice for new deployments.
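The following is an added example, not code from the Oracle Internet Directory product or this guide. It works through the verification flow described under "Password Verifiers and Authentication to the Directory" for the schemes listed above that can be reproduced with standard hashes (MD5, SHA, SMD5, SSHA, and the No Encryption case). It assumes the common LDAP encoding in which the stored value is the scheme name in braces followed by the Base64 of the digest, with the salt appended to the digest for the salted schemes; the function names, the sample password welcome1, and the fixed salt used in the demonstration are this example's own choices. MD4 and UNIX Crypt are omitted because current Python builds do not reliably provide them.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Digest algorithm behind each scheme name. The {SCHEME}base64 layout is an
# assumption about the stored form; the verification logic is the point.
SALTED = {"SSHA": "sha1", "SMD5": "md5"}
UNSALTED = {"SHA": "sha1", "MD5": "md5"}


def make_verifier(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Return the value that would be stored in userPassword for the scheme."""
    scheme = scheme.upper()
    pwd = password.encode("utf-8")
    if scheme == "NONE":  # the "No Encryption" option: clear text
        return password
    if scheme in UNSALTED:
        digest = hashlib.new(UNSALTED[scheme], pwd).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode())
    if scheme in SALTED:
        if salt is None:
            salt = os.urandom(8)  # fresh random salt for every verifier
        digest = hashlib.new(SALTED[scheme], pwd + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())
    raise ValueError("unsupported scheme: " + scheme)


def verify(password: str, stored: str) -> bool:
    """Re-hash the clear-text password from the bind and compare with the stored verifier."""
    pwd = password.encode("utf-8")
    if not stored.startswith("{"):  # clear-text verifier
        return hmac.compare_digest(pwd, stored.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    raw = base64.b64decode(b64)
    if scheme in UNSALTED:
        expected = hashlib.new(UNSALTED[scheme], pwd).digest()
        return hmac.compare_digest(expected, raw)
    if scheme in SALTED:
        # The salt is whatever follows the fixed-length digest.
        dlen = hashlib.new(SALTED[scheme]).digest_size
        digest, salt = raw[:dlen], raw[dlen:]
        expected = hashlib.new(SALTED[scheme], pwd + salt).digest()
        return hmac.compare_digest(expected, digest)
    return False  # unknown scheme: fail closed rather than accept


if __name__ == "__main__":
    # Constructed demonstration: the same password under each scheme.
    for name in ("NONE", "MD5", "SHA", "SMD5", "SSHA"):
        stored = make_verifier("welcome1", name)
        print(name, stored, verify("welcome1", stored), verify("Welcome1", stored))
```

Running the demonstration shows why the Note above recommends the salted schemes: the MD5 and SHA verifiers for welcome1 are identical every time, while each SSHA or SMD5 verifier is different, so an attacker cannot spot shared passwords across entries or reuse a precomputed table. The comparison uses hmac.compare_digest so that the time taken to reject a wrong password does not depend on how many leading bytes matched.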


Managing Password Protection by Using ldapmodify

The following example changes the password hashing algorithm to SHA by using an LDIF file named my_ldif_file. The bind DN cn=orcladmin and the password welcome are placeholders for the super user credentials of your installation; because this command binds over a non-SSL port, the bind password crosses the network in clear text, and it is also visible to other users of the host in the process list and shell history while the command runs:

ldapmodify -D cn=orcladmin -w welcome -h myhost -p 389 -v -f my_ldif_file

The LDIF file, my_ldif_file, contains:

# An empty DN addresses the root DSE, where orclcryptoscheme lives.
dn:
changetype: modify
replace: orclcryptoscheme
orclcryptoscheme: SHA

After the modification, confirm the new value with a base-scope ldapsearch of the root DSE (an empty search base) for the orclcryptoscheme attribute. Remember that only passwords set or reset from this point on are hashed with SHA.

See Also:

"Protection of User Passwords for Directory Authentication"


Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.