Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Security firm considers changing its policy on public disclosure of security vulnerabilities"] [Next entry: "Wifred notes that Patch has a bug in Oracle forms"]


I saw a post on Eddie Awad's blog last week and made a not to have a look. The post is titled "Pre DBMS_RANDOM". This is an interesting post that shows how random numbers were generated pre DBMS_RANDOM. Eddie shows some code from an Oracle Applications package that uses a seed and a date as the randomizing factor. There are known issues with DBMS_RANDOM in that if the seed is not long enough the number generated is not random enough. It is better to use the DESGETKEY function in DBMS_OBFUSCATION_TOOLKIT as this uses the FIPS-140 random number generator.

Nice blog entry though, useful to see how it was done. Its not too difficult to see how any encryption that uses a key generated by Eddies package might be broken with knowledge of the time frame it was encrypted and the seed value.