DOAG Konferenz 2016 Oracle Logon Security: Last Man Standing Database Authentication Methods – A Practical Comparison


Page 1: DOAG 2016 Oracle Logon Security

DOAG Konferenz 2016

Oracle Logon Security: Last Man Standing

Database Authentication Methods – A Practical Comparison

Page 2: DOAG 2016 Oracle Logon Security

Jan Schreiber, Loopback.ORG GmbH, Hamburg

Database Operations & Security

Data Warehouse & Business Intelligence

Oracle Architecture & Performance

Page 3: DOAG 2016 Oracle Logon Security

Table 8-2: Oracle 9i Default Accounts and Passwords

USER       | PW
-----------|----------
SYSTEM     | MANAGER
SCOTT      | TIGER
OLAPSYS    | OLAPSYS
ANONYMOUS  | ANONYMOUS

Page 4: DOAG 2016 Oracle Logon Security

Source: XKCD

Page 5: DOAG 2016 Oracle Logon Security

Oracle Hash Algorithms

Age old:    3DES hash(upper(username||password))
11gR1:      11g SHA1 hash: password hash (20 bytes) = sha1(password + salt (10 bytes))
12.1.0.1:   HTTP Digest (md5digest('USER:XDB:password'))
12.1.0.2:   PBKDF2-based SHA2(SHA512) hash

Stored verifiers of one account (S: = 11g SHA1, H: = HTTP Digest, T: = 12c PBKDF2/SHA512):

S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;
H:DC9894A01797D91D92ECA1DA66242209;
T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
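The three verifier formats above, reproduced in Python as an added example (this is not code from the slides or from Oracle). The S: and H: constructions follow the formulas on the slide directly; the T: construction (PBKDF2-HMAC-SHA512 with the salt extended by the string AUTH_PBKDF2_SPEEDY_KEY, 4096 iterations, then SHA512 of key||salt, stored as 128 hex digits plus a 16-byte salt) is my understanding of the 12.1.0.2 verifier and is an assumption, not something the slide states. The old 3DES verifier is left out because it needs a DES library. The sample verifier string is the one shown on the slide.

```python
import hashlib
import hmac

# The verifier string from the slide, with the three versions concatenated
# the way they are stored: S:...;H:...;T:...
SLIDE_VERIFIERS = (
    "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
    "H:DC9894A01797D91D92ECA1DA66242209;"
    "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3"
    "CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBF"
    "BBAC57BA3EF22C"
)


def split_verifiers(field: str) -> dict:
    """Split 'S:..;H:..;T:..' into {'S': hex, 'H': hex, 'T': hex}."""
    out = {}
    for part in field.split(";"):
        part = part.strip()
        if part:
            tag, _, value = part.partition(":")
            out[tag] = value
    return out


def make_s_verifier(password: str, salt: bytes) -> str:
    """11g 'S:' verifier: SHA1(password || salt), 40 hex digits, then the
    10-byte salt as 20 hex digits (60 hex digits in total)."""
    if len(salt) != 10:
        raise ValueError("the 11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return (digest + salt).hex().upper()


def verify_s(password: str, s_hex: str) -> bool:
    """Recompute the S: verifier with the stored salt and compare in constant time."""
    if len(s_hex) != 60:
        raise ValueError("an S: verifier is 60 hex digits")
    salt = bytes.fromhex(s_hex[40:])
    return hmac.compare_digest(make_s_verifier(password, salt), s_hex.upper())


def make_h_verifier(username: str, password: str) -> str:
    """12.1.0.1 'H:' verifier: HTTP Digest, MD5('USER:XDB:password') with the
    user name upper-cased. It is unsalted and fast, hence the weakest of the three."""
    a1 = f"{username.upper()}:XDB:{password}".encode("utf-8")
    return hashlib.md5(a1).hexdigest().upper()


def make_t_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """12.1.0.2 'T:' verifier. ASSUMPTION (not from the slide): PBKDF2-HMAC-SHA512
    over the password with salt || b'AUTH_PBKDF2_SPEEDY_KEY', 4096 iterations,
    64-byte key; then SHA512(key || salt); stored as 128 hex digits + 32 hex salt."""
    if len(salt) != 16:
        raise ValueError("the 12c salt is 16 bytes")
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              salt + b"AUTH_PBKDF2_SPEEDY_KEY", iterations, dklen=64)
    digest = hashlib.sha512(key + salt).digest()
    return (digest + salt).hex().upper()


def verify_t(password: str, t_hex: str) -> bool:
    if len(t_hex) != 160:
        raise ValueError("a T: verifier is 160 hex digits")
    salt = bytes.fromhex(t_hex[128:])
    return hmac.compare_digest(make_t_verifier(password, salt), t_hex.upper())


def weakest_verifier_present(field: str) -> str:
    """Which stored version an offline attacker would attack first: the unsalted
    MD5 H: if present, then the single-round SHA1 S:, then the iterated T:."""
    tags = split_verifiers(field)
    for tag in ("H", "S", "T"):
        if tag in tags:
            return tag
    return ""


if __name__ == "__main__":
    salt10 = bytes(range(10))          # constructed demo salt
    s = make_s_verifier("tiger", salt10)
    print("S:", s, verify_s("tiger", s))
    print("H:", make_h_verifier("scott", "tiger"))
    t = make_t_verifier("tiger", bytes(range(16)))
    print("T:", t, verify_t("tiger", t))
    print("weakest version stored on the slide's account:", weakest_verifier_present(SLIDE_VERIFIERS))
```

The practical point for a DBA is the last function: as long as an older verifier (H: or S:) is still stored next to the T: one, the PBKDF2 work factor buys nothing against an attacker who obtains the hashes; dropping the older versions is controlled by SQLNET.ALLOWED_LOGON_VERSION_SERVER.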

Page 6: DOAG 2016 Oracle Logon Security

Cryptographic hash function: Input -> Digest (a one-character change in the input gives an unrelated digest)

Input                                 | Digest
--------------------------------------|------------------------------------------------
Fox                                   | DFCD 3454 BBEA 788A 751A 696C 24D9 7009 CA99 2D17
The red fox jumps over the blue dog   | 0086 46BB FB7D CBE2 823C ACC7 6CD1 90B1 EE6E 3ABC
The red fox jumps oevr the blue dog   | 8FD8 7558 7851 4F32 D1C6 76B1 79A9 0DA4 AEFE 4819
The red fox jumps ouer the blue dog   | FCD3 7FDB 5AF2 C6FF 915F D401 C0A9 7DA9 46AF FB45
The red fox jumps oer the blue dog    | 8ACA D682 D588 4C75 4BF4 1799 7D88 BCF8 92B9 6A6C

Page 7: DOAG 2016 Oracle Logon Security

Password Cracking Calculations
Initial char keyspace = 16; keyspace = 36; cracker speed = 1.600.000 hashes per second

size | number of hashes                            | cum hashes                                  | 50% time (days)            | time (mins)
-----|---------------------------------------------|---------------------------------------------|----------------------------|---------------------------------
   1 | 26                                          | 26                                          | 0                          | 0
   2 | 936                                         | 962                                         | 0                          | 0
   3 | 33.696                                      | 34.658                                      | 0                          | 0
   4 | 1.213.056                                   | 1.247.714                                   | 0                          | 0
   5 | 43.670.016                                  | 44.917.730                                  | 0                          | 0
   6 | 1.572.120.576                               | 1.617.038.306                               | 0                          | 17
   7 | 56.596.340.736                              | 58.213.379.042                              | 0                          | 606
   8 | 2.037.468.266.496                           | 2.095.681.645.538                           | 8                          | 21.830
   9 | 73.348.857.593.856                          | 75.444.539.239.394                          | 273                        | 785.881
  10 | 2.640.558.873.378.820                       | 2.716.003.412.618.210                       | 9.824                      | 28.291.702
  11 | 95.060.119.441.637.400                      | 97.776.122.854.255.600                      | 353.646                    | 1.018.501.280
  12 | 3.422.164.299.898.950.000                   | 3.519.940.422.753.200.000                   | 12.731.266                 | 36.666.046.070
  13 | 123.197.914.796.362.000.000                 | 126.717.855.219.115.000.000                 | 458.325.576                | 1.319.977.658.532
  14 | 4.435.124.932.669.030.000.000               | 4.561.842.787.888.150.000.000               | 16.499.720.732             | 47.519.195.707.168
  15 | 159.664.497.576.085.000.000.000             | 164.226.340.363.973.000.000.000             | 593.989.946.340            | 1.710.691.045.458.060
  16 | 5.747.921.912.739.070.000.000.000           | 5.912.148.253.103.040.000.000.000           | 21.383.638.068.226         | 61.584.877.636.490.000
  17 | 206.925.188.858.606.000.000.000.000         | 212.837.337.111.709.000.000.000.000         | 769.810.970.456.125        | 2.217.055.594.913.640.000
  18 | 7.449.306.798.909.830.000.000.000.000       | 7.662.144.136.021.540.000.000.000.000       | 27.713.194.936.420.500     | 79.814.001.416.891.000.000
  19 | 268.175.044.760.754.000.000.000.000.000     | 275.837.188.896.775.000.000.000.000.000     | 997.675.017.711.138.000    | 2.873.304.051.008.080.000.000
  20 | 9.654.301.611.387.140.000.000.000.000.000   | 9.930.138.800.283.920.000.000.000.000.000   | 35.916.300.637.601.000.000 | 103.438.945.836.291.000.000.000
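The arithmetic behind the table, as an added Python example (not from the slides). The slide's own row 1 counts 26 candidates for the first character and row 2 is 26 x 36 = 936, so the block uses 26 for the first position and 36 for the rest; "time (mins)" is the full keyspace at 1.600.000 hashes per second and "50% time (days)" is half of it. The `rate` parameter lets you see what an iterated verifier buys: dividing the cracker speed by a PBKDF2 iteration count is my simplification, not a figure from the slide.

```python
FIRST_CHAR_KEYSPACE = 26          # row 1 of the slide's table has 26 candidates
OTHER_CHAR_KEYSPACE = 36          # letters + digits for every further position
CRACKER_HASHES_PER_SECOND = 1_600_000   # cracker speed from the slide


def hashes_for_length(n: int) -> int:
    """Number of candidate passwords of exactly n characters."""
    return FIRST_CHAR_KEYSPACE * OTHER_CHAR_KEYSPACE ** (n - 1)


def cumulative_hashes(n: int) -> int:
    """All candidates of length 1..n, i.e. the full search space for 'up to n'."""
    return sum(hashes_for_length(k) for k in range(1, n + 1))


def full_search_minutes(n: int, rate: float = CRACKER_HASHES_PER_SECOND) -> float:
    return cumulative_hashes(n) / rate / 60


def half_search_days(n: int, rate: float = CRACKER_HASHES_PER_SECOND) -> float:
    """Expected time: on average the password is found after half the space."""
    return cumulative_hashes(n) / rate / 86400 / 2


def table_row(n: int, rate: float = CRACKER_HASHES_PER_SECOND) -> tuple:
    """(size, hashes, cumulative hashes, 50% time in days, full time in minutes),
    rounded the way the slide's table rounds."""
    return (n, hashes_for_length(n), cumulative_hashes(n),
            round(half_search_days(n, rate)), round(full_search_minutes(n, rate)))


def minimum_length_for(days: float, rate: float = CRACKER_HASHES_PER_SECOND) -> int:
    """Smallest length whose expected (50%) search time reaches `days`."""
    n = 1
    while half_search_days(n, rate) < days:
        n += 1
    return n


def print_table(max_len: int = 20, rate: float = CRACKER_HASHES_PER_SECOND) -> None:
    print(f"{'size':>4} {'hashes':>40} {'cum hashes':>40} {'50% days':>14} {'minutes':>20}")
    for n in range(1, max_len + 1):
        size, h, cum, days, mins = table_row(n, rate)
        print(f"{size:>4} {h:>40,} {cum:>40,} {days:>14,} {mins:>20,}")


if __name__ == "__main__":
    print_table()
    print("length needed for one year of expected cracking, single SHA1:",
          minimum_length_for(365))
    # Simplified model of a 4096-iteration PBKDF2 verifier: the same hardware
    # tries 4096 times fewer candidates per second (my assumption).
    print("same with a 4096-iteration verifier:",
          minimum_length_for(365, rate=CRACKER_HASHES_PER_SECOND / 4096))
```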

Page 8: DOAG 2016 Oracle Logon Security


http://www.tarsnap.com/scrypt/scrypt.pdf (2011)

Page 9: DOAG 2016 Oracle Logon Security

Oracle Native Authentication Protocol

Client                                   Oracle Database Server
  Connect [SID]                   -->
                                  <--    Resend
  Connect [SID]                   -->
                                  <--    Accept
  ....
  [Username]                      -->
                                  <--    [AUTH_VFR_DATA] (11g Salt) [AUTH_SESSKEY]
  [AUTH_SESSKEY] [AUTH_PASSWORD]  -->
                                         Password verification takes place.
                                         Server authenticates user or responds with error.

Page 10: DOAG 2016 Oracle Logon Security


Page 11: DOAG 2016 Oracle Logon Security

Secure External Password Store (Wallets)

$ mkstore -wrl /home/jans/oracle/wallet -create
$ mkstore -wrl /home/jans/oracle/wallet -createCredential ORCL SYSTEM secret

$ sqlplus /@ORCL
SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.

SQL>

Page 12: DOAG 2016 Oracle Logon Security

Secure External Password Store Hacking

cwallet.sso file layout:

0x00 - 0x4C  Header:
  0x00 - 0x02  First 3 bytes are always A1 F8 4E (wallet recognition?)
  0x03         Type = SSO: 36; LSSO: 38
  0x04 - 0x06  00 00 00
  0x07         Version (10g: 05; 11g: 06)
  0x08 - 0x0A  00 00 00
  0x0B - 0x0C  11g: always the same (41 35)
  0x0D - 0x1C  DES key
  0x1D - 0x4C  DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF   PKCS#12 data (ASN.1 block)

________________________________________________________________________________________

$ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
sso key: c29XXXXXXXXXX96
sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c

http://blogs.loopback.org/2015/11/oracle-wallets-hacken/
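A parser for the cwallet.sso layout just described, as an added example (my code, not the slide's ssoDecrypt.sh). It validates the magic, type and version bytes, separates the DES key and DES secret ranges from the PKCS#12 block that starts at offset 0x4D (the `skip=77` on the next slide), and checks that the block begins with an ASN.1 SEQUENCE. It does not decrypt anything; its purpose is to show that the auto-login wallet carries the key to its own secret, so the file permissions (the 0600 on cwallet.sso in the next slide's listing) are the only thing protecting the stored credentials. The sample wallet bytes are constructed.

```python
from dataclasses import dataclass

MAGIC = b"\xA1\xF8\x4E"
WALLET_TYPES = {0x36: "SSO", 0x38: "LSSO"}
VERSIONS = {0x05: "10g", 0x06: "11g"}
HEADER_LEN = 0x4D          # 77 bytes; the PKCS#12 block follows (dd ... skip=77)


@dataclass
class SsoWallet:
    wallet_type: str
    version: str
    tag: bytes         # 0x0B-0x0C, 41 35 on 11g
    des_key: bytes     # 0x0D-0x1C, stored in clear in the same file
    des_secret: bytes  # 0x1D-0x4C, DES-CBC/PKCS7 ciphertext holding the PKCS#12 password
    pkcs12: bytes      # 0x4D-EOF


def parse_cwallet_sso(data: bytes) -> SsoWallet:
    """Split a cwallet.sso into its header fields and the PKCS#12 payload."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"need at least {HEADER_LEN} bytes, got {len(data)}")
    if data[0:3] != MAGIC:
        raise ValueError("not a cwallet.sso: magic A1 F8 4E missing")
    if data[3] not in WALLET_TYPES:
        raise ValueError(f"unknown wallet type byte 0x{data[3]:02X}")
    if data[4:7] != b"\x00\x00\x00" or data[8:11] != b"\x00\x00\x00":
        raise ValueError("reserved bytes 0x04-0x06 / 0x08-0x0A are not zero")
    version = VERSIONS.get(data[7], f"unknown (0x{data[7]:02X})")
    return SsoWallet(
        wallet_type=WALLET_TYPES[data[3]],
        version=version,
        tag=bytes(data[0x0B:0x0D]),
        des_key=bytes(data[0x0D:0x1D]),
        des_secret=bytes(data[0x1D:0x4D]),
        pkcs12=bytes(data[HEADER_LEN:]),
    )


def pkcs12_plausible(wallet: SsoWallet) -> bool:
    """A PKCS#12 file is a DER SEQUENCE, so the payload must start with 0x30."""
    return wallet.pkcs12[:1] == b"\x30"


def describe(wallet: SsoWallet) -> str:
    return (f"{wallet.wallet_type} wallet, {wallet.version} format, "
            f"{len(wallet.des_key)}-byte key and {len(wallet.des_secret)}-byte secret "
            f"in the header, {len(wallet.pkcs12)} bytes of PKCS#12 data")


def build_sample_sso(p12_blob: bytes, *, version: int = 0x06, wallet_type: int = 0x36) -> bytes:
    """Constructed sample with dummy key/secret bytes, only to exercise the parser."""
    return (MAGIC + bytes([wallet_type]) + b"\x00\x00\x00" + bytes([version])
            + b"\x00\x00\x00" + b"\x41\x35"
            + bytes(range(0x10, 0x20))          # 16 dummy key bytes (0x0D-0x1C)
            + bytes(range(0x20, 0x50))          # 48 dummy secret bytes (0x1D-0x4C)
            + p12_blob)


if __name__ == "__main__":
    sample = build_sample_sso(b"\x30\x82\x01\x00" + bytes(256))   # constructed
    w = parse_cwallet_sso(sample)
    print(describe(w))
    print("payload looks like DER:", pkcs12_plausible(w))
```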

Page 13: DOAG 2016 Oracle Logon Security

Create new wallet
$ echo 1e482XXXXXXXXXX1f1f0b296f6178021c | xxd -p -r > cwallet.key
$ ls -lhrt
total 18K
-rwxr--r-- 1 akira friends 6,5K Nov 24 15:16 ewallet.p12
-rw------- 1 akira friends 6,5K Nov 24 15:16 cwallet.sso
-rw-r--r-- 1 akira friends   16 Nov 24 18:28 cwallet.key
$ dd if=cwallet.sso of=NewP12wallet.p12 bs=1 skip=77
6560+0 records in
6560+0 records out
6560 bytes (6,6 kB) copied, 0,0240742 s, 272 kB/s

Verify validity
$ openssl pkcs12 -in NewP12wallet.p12 -nodes -passin file:cwallet.key
MAC verified OK
Bag Attributes
    friendlyName: orakey
    localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01
(...)

Set new password
$ orapki wallet change_pwd -wallet NewP12wallet.p12 -oldpwd `cat cwallet.key` -newpwd test1234
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Use new wallet
$ orapki wallet display -wallet NewP12wallet.p12
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject:        CN=ORCL11G
Trusted Certificates:
Subject:        CN=PX.CORP-PROC01,O=px.corp,ST=Hamburg,C=DE
Subject:        CN=PX.CORP-ROOT01,O=px.corp,ST=Hamburg,C=DE

Page 14: DOAG 2016 Oracle Logon Security

Oracle Internet Directory (OID) / LDAP

(1) Connect Leonard.Nimoy/BIGDB      (client -> database)
(2) Request Leonard.Nimoy            (database -> LDAP server (OID))
(3) Returned Leonard.Nimoy           (LDAP server (OID) -> database)

Database: verifies hash, assigns roles and schema to user
LDAP Server (OID): repository for user, role & EUS configuration

SQL> alter user ... identified externally;

Page 15: DOAG 2016 Oracle Logon Security


Hashes in OID

Page 16: DOAG 2016 Oracle Logon Security

Kerberos-AD-Connection

Components: Client-PC with ticket cache; AD Domain Controller = Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS); DB Server.

(1) Authentication: domain login of the user with password (Client-PC -> AS)
(2) Verify user data (AD)
(3) User ticket TGT (AS -> Client-PC)
(4) TGT stored in the ticket cache
(5) Request service ticket ST with TGT (Client-PC -> TGS)
(6) Check ST for application server with TGT (TGS)
(7) ST (TGS -> Client-PC)
(8) Service ticket to application server (Client-PC -> DB Server)
(9) ST verification (DB Server)

Shared key exchange between KDC and DB Server

Page 17: DOAG 2016 Oracle Logon Security

Kerberos User Login

SQL> create user USER01 identified externally as '[email protected]';
User created.
SQL> grant connect to user01;

[oracle@ioaotow01 ~]$ okinit user01
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
Copyright (c) 1996, 2014 Oracle.  All rights reserved.
Password for [email protected]:
_______________________________________________________________________________________________

[oracle@ioaotow01 ~]$ oklist
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
Copyright (c) 1996, 2014 Oracle.  All rights reserved.
Ticket cache: /oracle/diag/krb/cc/krb5cc_99
Default principal: [email protected]
   Valid Starting           Expires            Principal
08-Feb-2016 14:11:20  08-Feb-2016 22:11:11  krbtgt/[email protected]
08-Feb-2016 14:11:33  08-Feb-2016 22:11:11  oracle/[email protected]
08-Feb-2016 14:16:40  08-Feb-2016 22:11:11  oracle/[email protected]
_______________________________________________________________________________________________

[oracle@ioaotow01 ~]$ sqlplus /@TESTDB
SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
Copyright (c) 1982, 2014, Oracle.  All rights reserved.
Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> show user;
USER is "[email protected]"
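A small parser for the oklist output above, as an added example (my code, not Oracle's). It reads the ticket cache listing, tells whether a TGT is valid at a given time and whether a service ticket for a given oracle/host principal is already cached, which is the first thing to check when a `sqlplus /@TESTDB` Kerberos login fails. The sample listing is constructed with the realm EXAMPLE.COM in place of the principals redacted on the slide.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the format of the slide's oklist output.
SAMPLE_OKLIST = """\
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
Copyright (c) 1996, 2014 Oracle.  All rights reserved.
Ticket cache: /oracle/diag/krb/cc/krb5cc_99
Default principal: user01@EXAMPLE.COM
   Valid Starting           Expires            Principal
08-Feb-2016 14:11:20  08-Feb-2016 22:11:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
08-Feb-2016 14:11:33  08-Feb-2016 22:11:11  oracle/db01.example.com@EXAMPLE.COM
08-Feb-2016 14:16:40  08-Feb-2016 22:11:11  oracle/db02.example.com@EXAMPLE.COM
"""

TIME_FMT = "%d-%b-%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, TIME_FMT)


@dataclass
class Ticket:
    valid_from: datetime
    expires: datetime
    principal: str          # e.g. krbtgt/REALM@REALM or oracle/host@REALM

    def is_tgt(self) -> bool:
        return self.principal.startswith("krbtgt/")

    def service(self) -> str:
        """Principal without the realm, e.g. oracle/db01.example.com."""
        return self.principal.split("@", 1)[0]

    def valid_at(self, now: datetime) -> bool:
        return self.valid_from <= now < self.expires


@dataclass
class TicketCache:
    default_principal: Optional[str]
    tickets: List[Ticket]


def parse_oklist(output: str) -> TicketCache:
    """Extract the default principal and every ticket line from oklist output."""
    principal = None
    tickets = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(parse_time(m.group(1)), parse_time(m.group(2)), m.group(3)))
    return TicketCache(principal, tickets)


def valid_tgt(cache: TicketCache, now: datetime) -> Optional[Ticket]:
    """The TGT if one is currently valid; without it okinit must be rerun."""
    return next((t for t in cache.tickets if t.is_tgt() and t.valid_at(now)), None)


def service_ticket_for(cache: TicketCache, service: str, now: datetime) -> Optional[Ticket]:
    """A cached, still valid service ticket for e.g. oracle/db01.example.com."""
    return next((t for t in cache.tickets
                 if t.service() == service and t.valid_at(now)), None)


if __name__ == "__main__":
    cache = parse_oklist(SAMPLE_OKLIST)
    now = parse_time("08-Feb-2016 16:24:43")
    print("principal:", cache.default_principal)
    print("TGT valid:", valid_tgt(cache, now) is not None)
    for host in ("oracle/db01.example.com", "oracle/db03.example.com"):
        print(host, "cached:", service_ticket_for(cache, host, now) is not None)
```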

Page 18: DOAG 2016 Oracle Logon Security

AD-Integration with Oracle Unified Directory (OUD) & Kerberos

Components: DB FARM; OUD (EUS), which maps users, schema and roles; Database Client (SqlPlus, Java, etc); AD Groups; OracleContext

OUD Proxy Setup:
• AD-User w/ read privilege
• Read privilege on DB-user data in AD
• Oracle Context on LDAP server
• Software: OUD, WebLogic, ADF
• Works with EUS also

[linux7 Oracle_OUD1]$ ./oud-proxy-setup

[linux6]$ okinit testuser
[linux7]$ oklist

Kerberos Ticket

https://wiki.loopback.org/confluence/x/FQCl

Page 19: DOAG 2016 Oracle Logon Security

Kerberos & Database 12c
• New Software Stack
• RC4-HMAC-NT / W2012 Server
• ORA-12638: Credential retrieval failed
  – SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
• Bugs...

Reading List:
• Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug: 19636771. The workaround for this is to use AES encryption in the keytab"
• Doc ID 1611643.1: Bug 17497520: KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
• Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section.
• Doc ID 185897.1: Kerberos Troubleshooting Guide
• Master Note For Kerberos Authentication (Doc ID 1375853.1)
• WNA - Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
• How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420: KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
• Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
• Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
• Laurent Schneider: The long long route to Kerberos
• Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
• Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)

https://wiki.loopback.org/confluence/x/CwCl

Page 20: DOAG 2016 Oracle Logon Security

Mimikatz

Source: Benjamin Delpy

Page 21: DOAG 2016 Oracle Logon Security

Kerberos Golden Ticket

• The entire Kerberos security relies on symmetric keys under the "krbtgt" account
  – 128 bits for RC4/AES128
  – 256 bits for AES256
• And once generated, these keys aren't changed in years
  – only during domain functional upgrade from NT5 -> NT6
  – 2000/2003 to 2008/2012
  – 2008 -> 2012 doesn't change the value
  – the previous one (n-1) still valid…

Source: Benjamin Delpy

Page 22: DOAG 2016 Oracle Logon Security

PKI-Authentication

Participants: User / Application (holds a private key), Database (holds a private key), Certificate Authority (CA)

• User / Application sends User.csr to the CA and receives the User/CA Certs
• Database sends DB.csr to the CA and receives the DB/CA Certs
• User / Application and Database authenticate each other with these certificates in the SSL Handshake

Page 23: DOAG 2016 Oracle Logon Security

PKI: Certificates and Wallets

Database Server
1. Create empty wallet
2. Create Key and Certificate Request
3. Sign Request by CA (e.g. CN=db12c)
4. Import CA Certificate (CN=myCA)
5. Import signed server certificate

Database Client
1. Create empty wallet
2. Create Key and Certificate Request
3. Sign request by CA (e.g. CN=jans)
4. Import CA certificate (CN=myCA)
5. Import signed user certificate

Page 24: DOAG 2016 Oracle Logon Security

Display Wallet

[oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_1/network/pki
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
_________________________________________________________________________________________
Requested Certificates:
User Certificates:
Subject:        CN=LOOPDS
Trusted Certificates:
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=LBO Root Certificate II,OU=LoopCA,O=Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Page 25: DOAG 2016 Oracle Logon Security

PKI: Login using certificate

SQL> create user JANS identified externally as 'CN=jans';
SQL> grant create session to JANS;

$ sqlplus /@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
---------------------------------------------------
tcps

SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;

SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
-----------------------------------------------------
SSL
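The certificate login above works because the subject DN of the client certificate is matched against the DN given in `identified externally as 'CN=jans'`. The added Python example below (my code; Oracle's own matching rules are not on the slides, and the policy here, attribute types compared case-insensitively and values exactly, with the whole DN having to match, is my assumption) shows the DN parsing that such a mapping needs, including the `\,` escape seen in the wallet listing on the previous slide (`O=VeriSign\, Inc.`), and why a partial match or an ambiguous mapping must be rejected.

```python
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253-style DN into (TYPE, value) pairs.
    A backslash escapes the next character, so 'O=VeriSign\\, Inc.' keeps its comma."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # attribute types are case-insensitive, values are kept as given
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical string form, re-escaping backslashes and commas in values."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join(f"{a}={esc(v)}" for a, v in parse_dn(dn))


def dn_matches(cert_subject: str, user_dn: str) -> bool:
    """Whole-DN equality after parsing; 'CN=jans,O=x' does not match 'CN=jans'."""
    return parse_dn(cert_subject) == parse_dn(user_dn)


def map_certificate_to_user(cert_subject: str, users: Dict[str, str]) -> Optional[str]:
    """users: DB user name -> DN from 'identified externally as ...'.
    Returns the single matching user, or None when there is no match or
    more than one (an ambiguous mapping must not log anybody in)."""
    hits = [name for name, dn in users.items() if dn_matches(cert_subject, dn)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    # Constructed user table in the spirit of 'create user JANS identified externally as ...'
    users = {"JANS": "CN=jans", "DBA01": "CN=dba01,O=Loopback.ORG"}
    for subject in ("cn=jans", "CN=JANS", "CN=jans,O=Loopback.ORG", "CN=dba01,O=Loopback.ORG"):
        print(f"{subject!r:30} -> {map_certificate_to_user(subject, users)}")
    print(parse_dn("OU=Class 1 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"))
```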

Page 26: DOAG 2016 Oracle Logon Security


Windows AD CA with Autoenrollment

Page 27: DOAG 2016 Oracle Logon Security


Linux-Workstations:

Page 28: DOAG 2016 Oracle Logon Security

Benefit Analysis

Feature (columns: Passwords, Pwd Wallets, Kerberos, SSL-PKI, EUS)

• Password theft protection: ✔ ✔ ./.
• Reduced administrative overhead per user account: ✔ ✔ ✔
• Audit proof: ✔ ✔ ./.
• Central user and password administration: ✔ ✔
• Central role administration: ✔
• Serves technical users: ✔ ✓ ✔ ✔
• Serves human users: ✔ ✔ ✔
• Minimal rollout difficulty: ✔
• No additional license costs: ✔ ✔ ✔ ✔
• No directory dependence: ✔ ✔

Page 29: DOAG 2016 Oracle Logon Security


Jan Schreiber, Loopback.ORG GmbH, Hamburg

database intelligence | operations excellence | bi solutions

[email protected]

blogs.loopback.org

Thank you very much for your attention!