Password management has become a major drain on corporate resources,
especially in shops with dozens of applications, each with its own
passwords, cryptic password requirements, and password aging
methods. As a result, end-users are forced to keep written-down lists of
their passwords, and some larger Oracle shops have a full-time
employee dedicated to fixing "I forgot my password"
issues.
The use of passwords to validate access rights dates back to Roman times:
thousands of years ago Roman soldiers memorized spoken passwords to
gain access to camps. I imagine that the Romans probably used
password phrases, maybe like these:
- Sharpei Diem - Seize the wrinkled dog
- DBA Non Carborundum - Don't let the DBA wear you down
- Quantum materiae materietur marmota monax si marmota monax
materiam possit materiari? - How much wood would a woodchuck
chuck if a woodchuck could chuck wood?
- Domino vobiscum - The pizza guy is here
- Fac ut gaudeam - Make my day
Anyway, as our access requirements became more sophisticated over the
next two millennia, the age-old practice of using passwords has caused its
own data security crisis. Managing database security has always
been a daunting challenge, and there are two age-old problems with
traditional password-based access:
- Too Many Passwords - Single sign-on tools such as IBM's
Resource Access Control Facility (RACF) and Oracle single
sign-on (SSO) have been quite expensive to manage. Single
sign-on tools only work for specific types of applications (e.g.
web pages, Oracle sign-on), and comprehensive single sign-on
tools have failed miserably.
- Cryptic passwords - Because individual applications want
to make their users change passwords frequently and to use
non-obvious passwords (including numbers, at least 7 characters
long), end-users everywhere are being forced to write down their
many passwords.
With end-users
bypassing the security by keeping lists of passwords, Oracle
database security managers are challenged to find alternate ways to
positively identify end-users and control their access to
confidential database information.
Who Goes There?
The positive
identification of an end-user is the most critical component of any
biometrics application and there have been several areas where
external identification technology has been explored:
- Iris Recognition - The human iris is as distinctive as a
fingerprint. The cameras are expensive, but the technology
is being effectively used by US border control.
- Fingerprint recognition - This is the most cost-effective
and widely-used positive recognition technology today, with units
available for under $40.
- Facial Recognition - Used only by governments today;
high-speed computers are used to identify individual faces from
different perspectives.
- Tongue recognition - The human tongue is unique, but the
display of the tongue proved both messy and embarrassing.
Tongue piercing and messy saliva hindered efforts to develop
an effective optical tongue reader.

Iris recognition is used by the United States Immigration
and Border Control to positively identify travelers. The
technology now offers cameras that capture a reliable iris
image from all international travelers entering the USA.

Fingerprint recognition has become inexpensive and reliable,
and low-cost fingerprint readers are now available for
positive identification. The output from these devices is
interfaced with specialized software to perform proxy
invocations of Oracle database applications.

[Images: Iris Camera; Fingerprint reader]
Let's take a closer look at biometrics for Oracle databases.
Fingerprint biometrics and Oracle
Fingerprint readers have been around since the
1980s, when they were used by the government for access to
classified military and research areas. This fingerprint technology
was refined such that even a severed finger could not be used to
gain access, and only a real, live finger would trigger system
access. Most fingerprint readers have a very small footprint
(less than 50 megabytes of disk) and are plug-and-play on Windows XP
machines, connecting over USB.
Biometric fingerprint readers for Oracle allow
users to log into any system simply by the touch of a finger, and
they will not need to remember usernames or passwords. The user
touches the reader, which authenticates access by the
fingerprint, invokes the appropriate Oracle application, and signs
them onto the Oracle database application.
Fingerprint readers for credit card authentication
Seiko Epson has developed a paper-thin fingerprint reader that has great
promise for self-authentication of credit cards and other
small devices that require security and authentication.
"The fingerprint sensor's ultra-thin
profile means it can easily be incorporated into a variety of
commonly used items. Among the applications that Seiko Epson is
targeting are self-authenticating credit cards, in which a tiny
on-card processor is used to compare the captured fingerprint
data with the user's fingerprint data stored in an embedded
memory.

A non-matching fingerprint would render the
card unusable, preventing abuse in the case of loss or theft."
This article also notes that biometric fingerprint readers are
being introduced for cell phones to prevent unauthorized calls:
"Scan your digits to lock and unlock the phone. Sweet, eh?"
Biometric fingerprint reader fraud
However, there are some
recent reports that the cheaper fingerprint readers can be
fooled with gummi bears:
"A Japanese cryptographer has
demonstrated how fingerprint recognition devices can be fooled
using a combination of low cunning, cheap kitchen supplies and a
digital camera...
he took latent fingerprints from a glass, which he enhanced with
a cyanoacrylate adhesive (super-glue fumes) and photographed
with a digital camera. Using PhotoShop, he improved the contrast
of the image and printed the fingerprint onto a transparency
sheet...
From this he made a gelatine finger using the print on the PCB,
using the same process as before. Again this fooled fingerprint
detectors about 80 per cent of the time."
Fingerprint Access to Oracle Systems
Oracle has offered several tools and utilities
to aid with the password management problem, but none offers a
complete biometric solution. Let's
take a closer look at these methods as they apply to
fingerprint sign-on to Oracle databases:
- Single Sign-On - Many tools such as Oracle Application
Server 10g (and Oracle9iAS) offer a single sign-on facility (SSO)
to allow a single place for password management, but we still
have the issue of storing the passwords and invoking the
application on behalf of the fingerprint-authenticated end-user.
- Oracle Biometrics Manager - Oracle8 Enterprise Manager (OEM)
offered a Biometrics Manager to allow the DBA to administer
biometric credentials (fingerprints) of Oracle database
end-users that use the Oracle Advanced Networking Option, but
this option was dropped in later releases of OEM.
- Remote Authentication Dial-In User Service (RADIUS) - Oracle
has a RADIUS biometrics environment (and "smart cards")
whereby access is controlled at the Oracle*Net level. The
RADIUS approach stores the master fingerprints, user ID and
password in either LDAP or Oracle tables. The RADIUS approach
can automatically start and sign in end-users to Oracle
database applications written in Oracle SQL*Forms, SQL*Reports, and
OCI or PL/SQL programs.
As we can see, there is no generic Oracle solution for positive
identification of an end-user, and access to a SQL*Forms application
will be very different from access to an HTML-DB application. The access
method also depends on the type of end-user access within the
Oracle database. Oracle offers four major types of end-user access,
and customized fingerprint interface software is required for each
type of Oracle access:
- Oracle Users with direct privileges - The end-user has a user
ID within Oracle, and specific privileges and roles are granted
to the end-user.
- Oracle Users with Virtual Private Databases - In Oracle VPD
(a.k.a. row-level security, or RLS), the end-users' queries are
constrained by dynamic "where clauses" that restrict the rows
that they may access within any table.
- Oracle Users with Grant Execute privileges - In the "grant
execute" model, each user is granted access to specific
procedures and takes on the access privileges of the
procedure owner, but only while executing the stored procedure.
- External Security - Many large Oracle vendor applications
(e.g. SAP) control access via the application layer. At sign-on
time, the application signs the end-user on to Oracle with a
generic ID and controls their data access programmatically. We
also see the Oracle Application Server Single Sign-On (SSO) utility
used to consolidate end-user passwords for multiple applications.
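The VPD and "external security" cases above interact: when biometrics software proxy-signs every end-user onto one generic Oracle ID, a dynamic "where clause" keyed on the session user would see the same identity for everyone. The following Oracle SQL and PL/SQL is an added example (not the article's own code) showing one way to keep row-level security per real end-user in that setup: the proxy software sets a client identifier right after it connects, and the policy function builds its predicate from that. The schema APP, table ORDERS, column OWNER_ID and end-user ID 'jsmith' are constructed for the example.

```sql
-- Added example, not from the original article. Schema APP, table ORDERS,
-- column OWNER_ID and the end-user ID below are constructed sample names.

-- 1. Data table. OWNER_ID holds the end-user ID registered with the
--    fingerprint reader, not the generic Oracle account the proxy uses.
CREATE TABLE app.orders (
  order_id  NUMBER        PRIMARY KEY,
  owner_id  VARCHAR2(30)  NOT NULL,
  amount    NUMBER(10,2)  NOT NULL
);

-- 2. Policy function: returns the dynamic WHERE clause VPD appends to every
--    statement against the table. CLIENT_IDENTIFIER is set by the proxy
--    sign-on software once the fingerprint has matched; while it is unset,
--    the NVL default matches no rows at all (fail closed).
CREATE OR REPLACE FUNCTION app.orders_owner_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  RETURN q'[owner_id = NVL(SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER'), '__NOBODY__')]';
END;
/

-- 3. Attach the policy. update_check => TRUE also rejects INSERTs/UPDATEs
--    that would create rows the current identity could not read back.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWNER_RLS',
    function_schema => 'APP',
    policy_function => 'ORDERS_OWNER_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE
  );
END;
/

-- 4. What the proxy sign-on software runs after the fingerprint match, once
--    the generic session is open ('jsmith' is a constructed end-user ID):
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith');
END;
/
-- From here on, SELECT * FROM app.orders returns only rows with
-- owner_id = 'jsmith'. On logout the proxy calls
-- DBMS_SESSION.CLEAR_IDENTIFIER, which returns the session to the
-- match-nothing state.
```

The caveat a practitioner should weigh: CLIENT_IDENTIFIER can be set by any code running in the session, so this design is only as strong as the proxy software's control over what SQL the end-user can issue through the generic account. Where end-users can run ad-hoc SQL, the identity should instead be placed in a secure application context whose only setter is a trusted package (CREATE CONTEXT ... USING ..., with DBMS_SESSION.SET_CONTEXT called from inside that package), so that a user cannot simply relabel the session as someone else.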
Despite the use of fingerprints for
authentication, Oracle still requires passwords, and these must be
stored in a secure area for the biometrics software to perform a
proxy sign-on. Most DBAs who implement fingerprint biometrics
will choose to use pre-written software or write a custom interface
to the password store. The downside of pre-written biometric tools
is that they store the user ID and password on the PC, whereas a
custom solution would allow the Oracle database to store the proxy
sign-on information.
Pre-written biometrics software
If using the Microsoft fingerprint reader, each
end-user fingerprint will be registered using the Microsoft
Registration Wizard and stored on the PC. When the user first
visits a website that requires a password, the user touches the
Fingerprint Reader with the registered finger. Then the user
enters the username and password they are given.
The information
is saved together. The next time the user needs to access the
website, the user simply touches the fingerprint reader and they
will be automatically logged in. The user will not need to remember
or use their username and password again. This tool is perfect for
web-based Oracle applications where the invocation is done via URL,
such as Oracle HTML-DB applications.
Customized Oracle biometrics
For more sophisticated biometrics controls, an
Oracle database table is required to store the fingerprint master,
the default application to invoke, and the user ID and password:
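As an added example (not the article's own code), here is one way to lay out that table and wrap it in a definer's-rights package so that the proxy password is never held in clear text and never read with a direct SELECT. The schema SEC, the service account BIOMETRIC_SVC, the table and package names, and the key-retrieval function are assumptions; the fingerprint match itself is performed by the reader's software, outside the database, so the package only stores the template and hands back the credentials.

```sql
-- Added example, not from the original article. Schema SEC, account
-- BIOMETRIC_SVC and all object names are assumed. Requires
-- GRANT EXECUTE ON DBMS_CRYPTO TO sec.

CREATE TABLE sec.biometric_proxy_signon (
  user_id           VARCHAR2(30)   NOT NULL,  -- end-user registered with the reader
  fingerprint_tmpl  BLOB           NOT NULL,  -- vendor match template, never a raw image
  default_app       VARCHAR2(200)  NOT NULL,  -- application to invoke after a match
  oracle_user       VARCHAR2(30)   NOT NULL,  -- Oracle account the proxy signs on as
  pwd_iv            RAW(16)        NOT NULL,  -- per-row IV for AES-CBC
  pwd_enc           RAW(512)       NOT NULL,  -- AES-256 ciphertext of the password
  CONSTRAINT biometric_proxy_signon_pk PRIMARY KEY (user_id)
);

CREATE OR REPLACE PACKAGE sec.proxy_signon AS
  PROCEDURE register (p_user_id IN VARCHAR2, p_tmpl IN BLOB,
                      p_app IN VARCHAR2, p_oracle_user IN VARCHAR2,
                      p_password IN VARCHAR2);
  PROCEDURE credentials_for (p_user_id IN VARCHAR2, p_app OUT VARCHAR2,
                             p_oracle_user OUT VARCHAR2, p_password OUT VARCHAR2);
END proxy_signon;
/

CREATE OR REPLACE PACKAGE BODY sec.proxy_signon AS
  -- AES-256, CBC mode, PKCS#5 padding (all DBMS_CRYPTO constants).
  c_alg CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                              + DBMS_CRYPTO.CHAIN_CBC
                              + DBMS_CRYPTO.PAD_PKCS5;

  -- Assumed key source. A real deployment fetches the key from a wallet or
  -- other protected store; it must never sit in the same table as the
  -- ciphertext. The all-zero value is a PLACEHOLDER, not a usable key.
  FUNCTION master_key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('0000000000000000000000000000000000000000000000000000000000000000');
  END;

  PROCEDURE register (p_user_id IN VARCHAR2, p_tmpl IN BLOB,
                      p_app IN VARCHAR2, p_oracle_user IN VARCHAR2,
                      p_password IN VARCHAR2) IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per credential
  BEGIN
    INSERT INTO sec.biometric_proxy_signon
      (user_id, fingerprint_tmpl, default_app, oracle_user, pwd_iv, pwd_enc)
    VALUES
      (p_user_id, p_tmpl, p_app, p_oracle_user, l_iv,
       DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8'),
                           c_alg, master_key, l_iv));
  END;

  PROCEDURE credentials_for (p_user_id IN VARCHAR2, p_app OUT VARCHAR2,
                             p_oracle_user OUT VARCHAR2, p_password OUT VARCHAR2) IS
    l_iv  RAW(16);
    l_enc RAW(512);
  BEGIN
    SELECT default_app, oracle_user, pwd_iv, pwd_enc
      INTO p_app, p_oracle_user, l_iv, l_enc
      FROM sec.biometric_proxy_signon
     WHERE user_id = p_user_id;
    p_password := UTL_I18N.RAW_TO_CHAR(
                    DBMS_CRYPTO.DECRYPT(l_enc, c_alg, master_key, l_iv),
                    'AL32UTF8');
  END;
END proxy_signon;
/

-- The "grant execute" model from the text: the biometrics service account
-- may call the package but gets no SELECT on the underlying table, so the
-- ciphertext, IVs and templates are reachable only through these two calls.
GRANT EXECUTE ON sec.proxy_signon TO biometric_svc;
```

The trust boundary here is the BIOMETRIC_SVC account: whoever can connect as it can call credentials_for without a fingerprint ever having been presented, so that account's own credential and the host it runs on deserve the same protection as the stored passwords. Auditing EXECUTE on the package (AUDIT EXECUTE ON sec.proxy_signon BY ACCESS) gives the DBA a record of every credential retrieval to reconcile against the reader's match log.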
Conclusions on Oracle Biometrics
With the inherent problems associated with
passwords, Oracle security administrators are finding that Oracle
biometrics is a more secure and cost-effective solution. Oracle
biometrics systems offer more secure environments and also remove the
need to dedicate a help-desk person to manage changing passwords for
hundreds of end-users.
The falling prices of biometrics hardware
(fingerprint readers for under $31) have started a movement to use
biometrics with Oracle. Most Oracle shops will use pre-written
biometrics software (Motorola Biometrics) or they write Oracle
biometrics solutions using Oracle RADIUS or Oracle Single Sign-on.
The most robust Oracle biometrics solutions employ an API to store
the fingerprint master, user ID and password in a secure Oracle
table, and they use this table to allow the device to provide the
authentication and invoke the application on the end-user's behalf.
These custom solutions also have the benefit of being usable for a
variety of Oracle front-ends including SQL*Forms, OCI, J2EE, Java,
HTML-DB and others.