The password is always encrypted in transit over the network.

This does not mean that it is impenetrable to attack. If an attacker can obtain the hash of the user's password and can control the network traffic between the legitimate client and the database, they can recover the password in plain text.

For the curious, here is a brief description of the authentication process in various versions of the Oracle database software. Steps involving the transit of the encrypted password are shown in bold. It is not entirely intuitive which version of the authentication protocol the JDBC driver uses, because it does not always match its advertised version. This is because the client can negotiate which protocol it wants to use. For example, the 11g JDBC driver will not necessarily use the 11g authentication protocol when connecting to an 11g database (it may fall back to the 10g authentication protocol). I forget which drivers use which protocols.
Authentication Protocol in Oracle Database 8

1. The client requests a server session key for a specific user.
2. The server generates a server session key.
3. The server encrypts the server session key using the requested user's password hash as the secret key.
4. The server passes the encrypted server session key to the client.
5. The client decrypts the encrypted server session key using the user's password hash as the secret key.
6. The client encrypts the user's password using the server session key as the secret key (proprietary algorithm based on DES).
7. **The client sends the encrypted password to the server.**
8. The server decrypts the encrypted password using the server session key as the secret key.
9. The server calculates the hash of the decrypted password.
10. If the calculated password hash (from step 9) matches the copy stored on the server, the user provided the correct password.
Authentication Protocol in Oracle Database 9i

1. The client requests a server session key for a specific user.
2. The server generates a server session key.
3. The server encrypts the server session key using the requested user's password hash as the secret key.
4. The server passes the encrypted server session key to the client.
5. The client decrypts the encrypted server session key using the user's password hash as the secret key.
6. The client encrypts the user's password using the server session key as the secret key (proprietary algorithm based on DES).
7. **The client sends the encrypted password to the server.**
8. The server decrypts the encrypted password using the server session key as the secret key.
9. The server calculates the hash of the decrypted password.
10. If the calculated password hash (from step 9) matches the copy stored on the server, the user provided the correct password.
Authentication Protocol in Oracle Database 10g

1. The client requests a session key from the server, indicating which user it wants to connect as.
2. The server generates a server session key.
3. The server encrypts the server session key using the requested user's password hash as the secret key.
4. The server passes the encrypted server session key to the client.
5. The client decrypts the encrypted server session key using the requested user's password hash as the secret key.
6. The client creates a client session key.
7. The client combines the client session key with the server session key.
8. The client salts the user's password.
9. The client encrypts the salted user password using the combined session keys (from step 7) as the secret key (AES-128).
10. The client encrypts the client session key using the user's password hash as the secret key.
11. **The client sends the encrypted client session key and the encrypted, salted user password to the server.**
12. The server decrypts the encrypted client session key using the requested user's password hash.
13. The server combines the client session key with the server session key.
14. The server decrypts the encrypted, salted password using the combined session keys (from step 13) as the secret key.
15. The server unsalts the password.
16. The server hashes the decrypted password.
17. The server compares the calculated password hash (from step 16) with the stored password hash. If they are equal, the user provided the correct password.
Authentication Protocol in Oracle Database 11g

1. The client requests a session key from the server, indicating which user it wants to connect as.
2. The server generates a server session key.
3. The server generates verifier data.
4. The server encrypts the server session key using the requested user's password hash as the secret key.
5. The server transmits the encrypted server session key ("AUTH_SESSKEY") and the verifier data ("AUTH_VFR_DATA") to the client.
6. The client hashes the user's password using the verifier data as a salt.
7. The client decrypts the encrypted server session key using the user's password hash as the secret key.
8. The client creates a client session key.
9. The client combines the client session key with the server session key.
10. The client salts the user's password.
11. The client encrypts the salted user password using the combined session keys (from step 9) as the secret key (AES-192).
12. The client encrypts the client session key using the user's password hash as the secret key.
13. **The client sends the encrypted client session key and the encrypted, salted user password to the server.**
14. The server decrypts the encrypted client session key using the requested user's password hash.
15. The server combines the client session key with the server session key.
16. The server decrypts the encrypted, salted password using the combined session keys (from step 15) as the secret key.
17. The server unsalts the password.
18. The server hashes the decrypted password.
19. The server compares the calculated password hash (from step 18) with the stored password hash. If they are equal, the user provided the correct password.
Adam paynter
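To make the 11g-style step list above concrete, and to show why the answer opens by saying that a party holding the password hash can read the password off the wire, here is an added toy model of the exchange. It is example code written for this page, not Oracle's protocol or any driver's code: SHA-1 stands in for the stored hash, a SHA-256 XOR keystream stands in for AES-192, the way the two session keys are combined and the field layout are assumed, and the account `scott`/`tiger` is a constructed sample. It runs offline and never contacts a database.

```python
import hashlib
import hmac
import os

# Added example modelling the 11g-style handshake in the answer above.
# Stand-in primitives (SHA-1 / SHA-256 XOR stream instead of Oracle's hash and AES-192);
# the key-combination function and message layout are assumptions.

SALT_LEN = 16


def password_hash(password: bytes, verifier_data: bytes) -> bytes:
    """Stand-in for the stored password hash: the password hashed with the verifier data as salt (step 6)."""
    return hashlib.sha1(verifier_data + password).digest()


def toy_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    """Symmetric XOR stream keyed by SHA-256(key, label, counter); placeholder for AES.
    The label keeps the keystream distinct for each of the three encrypted fields."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def combine_keys(server_key: bytes, client_key: bytes) -> bytes:
    """Assumed combination of the two session keys (the answer only says 'combines')."""
    return hashlib.sha256(server_key + client_key).digest()


class Server:
    def __init__(self):
        self.users = {}      # user -> (verifier_data, stored_hash)
        self.sessions = {}   # user -> server session key for the pending handshake

    def create_user(self, user: str, password: bytes) -> None:
        verifier_data = os.urandom(16)
        self.users[user] = (verifier_data, password_hash(password, verifier_data))

    def challenge(self, user: str) -> tuple[bytes, bytes]:
        """Steps 2-5: make a server session key, wrap it under the stored hash, send it with the verifier data."""
        verifier_data, stored_hash = self.users[user]
        server_key = os.urandom(16)
        self.sessions[user] = server_key
        auth_sesskey = toy_cipher(stored_hash, b"server-key", server_key)
        return auth_sesskey, verifier_data

    def verify(self, user: str, enc_client_key: bytes, enc_salted_pw: bytes) -> bool:
        """Steps 14-19: unwrap the client key, rebuild the combined key, decrypt, unsalt, hash, compare."""
        verifier_data, stored_hash = self.users[user]
        server_key = self.sessions.pop(user)
        client_key = toy_cipher(stored_hash, b"client-key", enc_client_key)
        combined = combine_keys(server_key, client_key)
        salted_pw = toy_cipher(combined, b"password", enc_salted_pw)
        password = salted_pw[SALT_LEN:]
        return hmac.compare_digest(password_hash(password, verifier_data), stored_hash)


def client_response(password: bytes, auth_sesskey: bytes, verifier_data: bytes) -> tuple[bytes, bytes]:
    """Steps 6-13: derive the hash, unwrap the server key, pick a client key, salt and encrypt the password."""
    pw_hash = password_hash(password, verifier_data)
    server_key = toy_cipher(pw_hash, b"server-key", auth_sesskey)
    client_key = os.urandom(16)
    combined = combine_keys(server_key, client_key)
    enc_salted_pw = toy_cipher(combined, b"password", os.urandom(SALT_LEN) + password)
    enc_client_key = toy_cipher(pw_hash, b"client-key", client_key)
    return enc_client_key, enc_salted_pw


def run_exchange(server: Server, user: str, password: bytes) -> tuple[bool, dict]:
    """Full handshake; returns the server's verdict and the four fields that crossed the wire."""
    auth_sesskey, verifier_data = server.challenge(user)
    enc_client_key, enc_salted_pw = client_response(password, auth_sesskey, verifier_data)
    ok = server.verify(user, enc_client_key, enc_salted_pw)
    wire = {"AUTH_SESSKEY": auth_sesskey, "AUTH_VFR_DATA": verifier_data,
            "enc_client_key": enc_client_key, "enc_salted_pw": enc_salted_pw}
    return ok, wire


def password_from_capture_and_hash(wire: dict, stored_hash: bytes) -> bytes:
    """The answer's opening point: both session keys on the wire are wrapped only under the stored
    hash, so whoever holds that hash plus the captured fields can unwrap the password.
    Defensively, this is why a leaked password hash must be treated as a leaked password."""
    server_key = toy_cipher(stored_hash, b"server-key", wire["AUTH_SESSKEY"])
    client_key = toy_cipher(stored_hash, b"client-key", wire["enc_client_key"])
    combined = combine_keys(server_key, client_key)
    return toy_cipher(combined, b"password", wire["enc_salted_pw"])[SALT_LEN:]


if __name__ == "__main__":
    srv = Server()
    srv.create_user("scott", b"tiger")          # constructed sample account
    ok, _ = run_exchange(srv, "scott", b"tiger")
    print("correct password accepted:", ok)
    ok, _ = run_exchange(srv, "scott", b"wrong")
    print("wrong password accepted:", ok)
    _, wire = run_exchange(srv, "scott", b"tiger")
    print("hash holder reads:", password_from_capture_and_hash(wire, srv.users["scott"][1]))
```

The model keeps the structural property the answer describes: the plaintext password never crosses the wire, yet every secret on the wire is protected only by the stored hash. That is the property a defender should take from the answer: the hash column is as sensitive as the passwords themselves, and the fallback to an older protocol version negotiated by the driver does not change that.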