How to Encrypt Authentication and Data to DB?

jimw54321 has asked for the wisdom of the Perl Monks concerning the following question:

Greetings,

Really need ideas and feedback for my thinking below.

I have a problem where various people around me insist that Perl must be able to take an encrypted username and password and authenticate encrypted to our database.

Currently I have DBI/DBD::Oracle installed on Solaris boxes talking with Oracle 11g on Red Hat both of which are inside our firewall.

I am considering proposing I put our files containing database usernames and passwords in directories and files only accessible by the owner (500 for directories and 400 for files to prevent accidental modification).

I have been maintaining that the Perl process will read the files (encrypted or not) and generate username and password in memory in unencrypted form. Furthermore the unencrypted username and password are sent across our network in the clear.

Bottom line: is anyone aware of a way to use some form of encrypted authentication? Data encryption would be an awesome bonus. Does this require modules from CPAN other than DBI/DBD::Oracle?

Much thanks for the help,

Jim

Comment on How to Encrypt Authentication and Data to DB?

Replies are listed 'Best First'.
Re: How to Encrypt Authentication and Data to DB? by nikosv (Deacon) on Jan 28, 2015 at 22:03 UTC
Oracle supports network level encryption,which means all your data and passwords can be transfered over SSL. You don't have to encrypt and decrypt credentials yourself Check https://kb.berkeley.edu/page.php?id=23274	[reply]
Re: How to Encrypt Authentication and Data to DB? by locked_user sundialsvc4 (Abbot) on Jan 27, 2015 at 23:07 UTC
First of all, seriously consider using LDAP (a.k.a. Microsoft OpenDirectory) instead. This is probably the most widely used strategy for centralized management of authentication and authorization throughout an enterprise, and its use generally requires the construction of no software at all. There are plenty of administrative consoles out there which a security department can easily use to manage this information across all systems, and there is nothing to invent nor particularly to write. Secondly, it is most common to store one-way-hashed values (SHA1 is recommended today over MD5) in any database store. These functions produce a “digital signature” which is extremely sensitive to changes but which cannot be reversed. Hashed values, not plaintext, are the only thing sent across the wire (which should nonetheless be an encrypted, e.g. VPN, connection).
Re^2: How to Encrypt Authentication and Data to DB? by stonecolddevin (Parson) on Jan 28, 2015 at 23:13 UTC
(SHA1 is recommended today over MD5) Use Crypt::Eksblowfish::Bcrypt if you're doing any sort of encryption like this. I mean, MD5 shouldn't even be mentioned in encryption context. Three thousand years of beautiful tradition, from Moses to Sandy Koufax, you're god damn right I'm living in the fucking past	[reply]