==================================================================
:class:`passlib.hash.oracle11` - Oracle 11g password hash
==================================================================

.. currentmodule:: passlib.hash

This class implements the hash algorithm introduced in version 11g of the Oracle Database [#]_.
It supersedes the :class:`Oracle 10 <passlib.hash.oracle10>` password hash.

.. warning::

    This implementation has not been compared
    very carefully against the official implementation or reference documentation,
    and its behavior may not match in various edge cases.
    It should not be relied on for anything but novelty purposes
    for the time being.

Usage
=====
PassLib provides an oracle11 class, which can be used directly as follows::

    >>> from passlib.hash import oracle11 as or11

    >>> #generate new salt, encrypt password
    >>> h = or11.encrypt("password")
    >>> h
    'S:4143053633E59B4992A8EA17D2FF542C9EDEB335C886EED9C80450C1B4E6'

    >>> or11.identify(h) #check if hash is recognized
    True
    >>> or11.identify('JQMuyS6H.AGMo') #check if some other hash is recognized
    False

    >>> or11.verify("password", h) #verify correct password
    True
    >>> or11.verify("secret", h) #verify incorrect password
    False

Interface
=========
.. autoclass:: oracle11()

Format & Algorithm
==================
An example oracle11 hash (of the string ``password``) is:

    ``S:4143053633E59B4992A8EA17D2FF542C9EDEB335C886EED9C80450C1B4E6``

An oracle11 hash string has the format :samp:`S:{checksum}{salt}`, where:

* ``S:`` is the prefix used to identify oracle11 hashes
  (as distinct from oracle10 hashes, which have no constant prefix).
* :samp:`{checksum}` is 40 hexadecimal characters,
  encoding a 160-bit checksum.

  (``4143053633E59B4992A8EA17D2FF542C9EDEB335`` in the example)

* :samp:`{salt}` is 20 hexadecimal characters,
  encoding an 80-bit salt (``C886EED9C80450C1B4E6`` in the example).

The Oracle 11 hash has a very simple algorithm: the salt is decoded
from its hexadecimal representation into binary, and the SHA-1 digest
of :samp:`{password}{raw_salt}` is then encoded as hexadecimal and returned as the checksum.
Note that this is a single, un-iterated SHA-1 call with no work factor: the salt
defeats precomputed tables, but each guess costs an attacker exactly one SHA-1
evaluation, so offline cracking of these hashes is fast.
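The scheme just described, written out as an added example (this is not passlib's own code and not the :class:`oracle11` implementation): it parses the ``S:{checksum}{salt}`` layout, produces and verifies hashes, encodes ``str`` passwords as UTF-8 in line with the policy passlib documents under Deviations below, and includes a small wordlist loop to make the absence of a work factor concrete. The function names (``hash_password``, ``verify``, ``crack``, ``parse``, ``identify``) are this example's own, not passlib's API; the example hash is the one shown on this page.

```python
import hashlib
import hmac
import os
import re
from binascii import hexlify, unhexlify

# S:{checksum}{salt}: 40 hex chars of SHA-1 output followed by 20 hex chars of salt.
_HASH_RE = re.compile(r"S:(?P<chk>[0-9A-Fa-f]{40})(?P<salt>[0-9A-Fa-f]{20})")
SALT_BYTES = 10  # 20 hex characters = 80 bits

# The example hash quoted on this page (of the string "password").
PAGE_EXAMPLE = "S:4143053633E59B4992A8EA17D2FF542C9EDEB335C886EED9C80450C1B4E6"


def identify(hash_str):
    """True if hash_str has the oracle11 shape; says nothing about the password."""
    return _HASH_RE.fullmatch(hash_str) is not None


def parse(hash_str):
    """Split an oracle11 string into (checksum_hex, salt_hex), both upper-case."""
    m = _HASH_RE.fullmatch(hash_str)
    if m is None:
        raise ValueError("not an oracle11 hash")
    return m.group("chk").upper(), m.group("salt").upper()


def _checksum(password, raw_salt):
    """SHA-1(password || raw_salt) as 40 upper-case hex characters.

    str passwords are encoded as UTF-8, mirroring the policy passlib documents
    on this page; Oracle's own treatment of non-ASCII input is not verified here.
    """
    if isinstance(password, str):
        password = password.encode("utf-8")
    return hashlib.sha1(password + raw_salt).hexdigest().upper()


def hash_password(password, salt_hex=None):
    """Build S:{checksum}{salt}; draws a fresh random 80-bit salt unless salt_hex is given."""
    if salt_hex is None:
        raw_salt = os.urandom(SALT_BYTES)
    else:
        raw_salt = unhexlify(salt_hex)
        if len(raw_salt) != SALT_BYTES:
            raise ValueError("oracle11 salt must be exactly 20 hex characters")
    salt_hex = hexlify(raw_salt).decode("ascii").upper()
    return "S:" + _checksum(password, raw_salt) + salt_hex


def verify(password, hash_str):
    """Recompute the checksum under the stored salt and compare in constant time."""
    chk, salt_hex = parse(hash_str)
    return hmac.compare_digest(_checksum(password, unhexlify(salt_hex)), chk)


def crack(hash_str, candidates):
    """Offline guessing: one SHA-1 per candidate, since the scheme has no work factor.

    Returns the first candidate that matches, or None.
    """
    chk, salt_hex = parse(hash_str)
    raw_salt = unhexlify(salt_hex)
    for candidate in candidates:
        if _checksum(candidate, raw_salt) == chk:
            return candidate
    return None


if __name__ == "__main__":
    fresh = hash_password("password")
    print(fresh, verify("password", fresh), verify("secret", fresh))
    print(parse(PAGE_EXAMPLE))
    # Re-checks the page's own example hash against this re-implementation.
    print(verify("password", PAGE_EXAMPLE))
    # Constructed wordlist; a real attacker would run millions of guesses per second.
    print(crack(hash_password("letmein"), ["admin", "oracle", "letmein"]))
```

Because the salt is stored in the clear next to the checksum, ``crack`` needs nothing beyond the hash string itself; the only cost per guess is the SHA-1 in ``_checksum``.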

Deviations
==========
PassLib's implementation of the Oracle11g hash may deviate from the official
implementation in unknown ways, as there is no official documentation.
There is only one known issue:

* Unicode Policy

  Lack of testing (and test vectors) leaves it unclear
  how Oracle 11g handles passwords containing non-ASCII (non-7-bit) characters.
  In order to support unicode strings,
  PassLib encodes unicode passwords using ``utf-8``
  before running them through Oracle11.
  This behavior may be altered in the future if further testing
  reveals that another behavior is more in line with the official implementation.

.. rubric:: Footnotes

.. [#] Description of Oracle10g and Oracle11g algorithms -
       `<http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/>`_.