Friday, May 1, 2015

Peoplesoft Encryption

This article explains the encryption technology PeopleSoft uses for its passwords.

Before getting into it, let me go over a few terms related to encryption.

One-way encryption/decryption: once you encrypt a password, it can never be decrypted (even Oracle/PeopleSoft cannot do this).

Two-way encryption/decryption: you can decrypt the encrypted password when it is really required.

PeopleSoft has really chosen the best technology for its own security. Now I will explain the technology PeopleSoft uses in the login process. This is the most important part, so I hope you will enjoy it!

Encryption 1: SHA-1 algorithm

If you look at the OPERPSWD field in the PSOPRDEFN table, it is stored in encrypted form, and this uses SHA-1, a one-way technology that can never be decrypted.


So here is the question: why did PeopleSoft choose one-way?

The secret behind this is that whenever the login process happens, the password you provide is encrypted again with the same technology and compared against the value in PSOPRDEFN. So nobody has to decrypt the stored password, and that matters because this is the most important security table.

If you look at PSOPRDEFN, there is also an ENCRYPTED field that holds 1 or 0.

Why do we need this?

Suppose you update the password from the backend. You must then set the ENCRYPTED field to zero; if you don't, the ENCRYPT_PASSWORD function will treat the password as already encrypted.

So ENCRYPT_PASSWORD simply checks the ENCRYPTED field: if it is zero, it encrypts the value; otherwise it leaves the value as it is.

So use this function only for encrypting passwords in the PSOPRDEFN table.
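To make the one-way flow concrete, here is an added example (not PeopleSoft's code, and not taken from this post) that models the ENCRYPTED flag and the ENCRYPT_PASSWORD behaviour described above on a constructed PSOPRDEFN-style table. The table rows, the helper names and the use of plain SHA-1 with no pre-processing are assumptions for the demo; the point it shows is that sign-on never decrypts anything, and that a backend password update that forgets to reset ENCRYPTED to 0 locks the user out.

```python
import hashlib
import hmac


def sample_psoprdefn():
    """Constructed rows modelled on PSOPRDEFN (OPRID, OPERPSWD, ENCRYPTED).
    ENCRYPTED = 0 means OPERPSWD still holds clear text, e.g. after a backend
    update; ENCRYPTED = 1 means it already holds the one-way value."""
    return [
        {"OPRID": "PS", "OPERPSWD": "PS", "ENCRYPTED": 0},
        {"OPRID": "VP1", "OPERPSWD": "VP1", "ENCRYPTED": 0},
    ]


def one_way(password):
    """One-way transform. SHA-1 as the article states; any pre-processing
    PeopleSoft applies before hashing is not described on the page, so this
    models the idea rather than the product's exact routine."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def encrypt_password(table, oprid="*"):
    """Model of the ENCRYPT_PASSWORD behaviour the article describes: only rows
    whose ENCRYPTED flag is 0 are transformed; rows flagged 1 are taken to be
    encrypted already and left untouched. Setting the flag to 1 afterwards is
    modelled here so that a second run is a no-op. Returns the number of rows
    changed; "*" means every row, otherwise one OPRID."""
    changed = 0
    for row in table:
        if oprid != "*" and row["OPRID"] != oprid:
            continue
        if row["ENCRYPTED"] == 0:
            row["OPERPSWD"] = one_way(row["OPERPSWD"])
            row["ENCRYPTED"] = 1
            changed += 1
    return changed


def verify_login(table, oprid, password):
    """The sign-on check the article describes: hash the supplied password with
    the same one-way transform and compare it with the stored value. Nothing is
    ever decrypted. A constant-time compare avoids leaking how much of the
    stored value matched."""
    for row in table:
        if row["OPRID"] == oprid:
            stored = row["OPERPSWD"].encode("utf-8")
            return hmac.compare_digest(stored, one_way(password).encode("utf-8"))
    return False


def backend_password_update(table, oprid, new_password, reset_flag=True):
    """A backend (SQL-style) password update. With reset_flag=True it does what
    the article says you must do: write the clear text AND set ENCRYPTED to 0
    so the next ENCRYPT_PASSWORD run picks the row up. With reset_flag=False it
    reproduces the mistake: clear text left behind with ENCRYPTED = 1."""
    for row in table:
        if row["OPRID"] == oprid:
            row["OPERPSWD"] = new_password
            if reset_flag:
                row["ENCRYPTED"] = 0
            return True
    return False


def reset_and_verify(reset_flag):
    """Walk one user through a backend reset, an ENCRYPT_PASSWORD run and a
    login attempt; returns whether the login succeeds. True only when the flag
    was reset: otherwise ENCRYPT_PASSWORD skips the row and the login compares
    a hash against the clear text still sitting in OPERPSWD."""
    table = sample_psoprdefn()
    encrypt_password(table)                      # initial load: both rows hashed
    backend_password_update(table, "VP1", "NewPass1", reset_flag)
    encrypt_password(table)                      # picks up VP1 only if flag is 0
    return verify_login(table, "VP1", "NewPass1")


if __name__ == "__main__":
    print("flag reset to 0 -> login ok:", reset_and_verify(True))    # True
    print("flag left at 1  -> login ok:", reset_and_verify(False))   # False
```

The `oprid` argument mirrors the way the Data Mover command can be run for all operators or for a single one. Note that the check is only as strong as the one-way function: an unsalted, fast hash such as SHA-1 can be attacked offline by guessing, which is the brute-force point the post makes later, so the PSOPRDEFN table itself still needs to be tightly protected.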

Encryption 2: 3DES algorithm

This algorithm was developed by PeopleSoft for two-way communication, which means you can decrypt the password back to clear text.

So why do we need to decrypt, and why a different algorithm?

If you look at the snapshot above, both the access ID and the access password are encrypted. As I said in my previous post, PeopleSoft ultimately logs in with the access ID/password, and Oracle does not understand the encrypted format. So we need to store the ACCESS ID/PWD in encrypted format, and at run time we need to decrypt them so that the login to the Oracle database happens with clear text. That is why a two-way algorithm is used.

If you look at the snippet from the trace below (the SYSADM user is highlighted in red in the original post), you will find the SYSADM user, so here we can prove that decryption is happening.

 1-14     21.08.47    0.014000 Cur#0.1072.notSamTran RC=0 Dur=0.014000 Destroy Connection Handle=0000000002A80C50
 1-15     21.08.47    0.043000 Cur#0.1072.FSCMD92 RC=0 Dur=0.043000 Create Connection Info=Primary/FSCMD92/SYSADM/ Handle=0000000002A80C50

PeopleSoft embeds both encrypt and decrypt in its tools such as Application Designer (App-D), Data Mover, etc.

That is why we don't need to explicitly run a command like ENCRYPT_PASSWORD as we did for the first algorithm.

Hint: just update the password in PSACCESSPRFL and set ENCRYPTED to zero, then try to log in via App-D or Data Mover. PeopleSoft will automatically encrypt it and update the ENCRYPTED field to 1.
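The two-way flow is worth contrasting with the one-way one, so here is an added example (again not PeopleSoft's code and not from this post) that models the hint above: a constructed PSACCESSPRFL-style row holding the access ID and password in clear text with ENCRYPTED = 0, a tool sign-on that encrypts it in place and flips the flag to 1, and the run-time decryption that produces the clear-text connection info seen in the trace. The key, the column names and the cipher are assumptions: because the example must run on the standard library alone, it uses an HMAC-SHA256 counter-mode keystream as a stand-in for PeopleSoft's 3DES routine, which is not on the page.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the key built into the PeopleSoft tools. The real
# key and the real 3DES routine are not on the page; this key is demo-only.
TOOL_KEY = b"demo-tool-key-not-peoplesoft"
NONCE_LEN = 8


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a keystream. A stand-in so the example
    runs without third-party packages: it is not 3DES and it adds no integrity
    check, which is fine for showing reversibility and nothing else."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def two_way_encrypt(key, clear_text):
    """Reversible transform: random nonce + (plaintext XOR keystream), as hex."""
    nonce = os.urandom(NONCE_LEN)
    data = clear_text.encode("utf-8")
    cipher = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + cipher).hex()


def two_way_decrypt(key, stored):
    """Inverse of two_way_encrypt: whoever holds the key gets clear text back."""
    raw = bytes.fromhex(stored)
    nonce, cipher = raw[:NONCE_LEN], raw[NONCE_LEN:]
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return plain.decode("utf-8")


def sample_psaccessprfl():
    """Constructed row modelled on PSACCESSPRFL right after the article's hint:
    access ID and password written from the backend in clear text, ENCRYPTED = 0."""
    return {"ACCESSID": "SYSADM", "ACCESSPSWD": "SYSADM", "ENCRYPTED": 0}


def tool_login(profile, dbname="FSCMD92"):
    """Model of what App Designer / Data Mover do at sign-on, per the article:
    if the profile row is flagged 0, encrypt it in place and set the flag to 1;
    then decrypt the stored values to build the clear-text connection info the
    database expects (the trace shows 'Primary/FSCMD92/SYSADM/'). Returns
    (connection_info, access_password)."""
    if profile["ENCRYPTED"] == 0:
        profile["ACCESSID"] = two_way_encrypt(TOOL_KEY, profile["ACCESSID"])
        profile["ACCESSPSWD"] = two_way_encrypt(TOOL_KEY, profile["ACCESSPSWD"])
        profile["ENCRYPTED"] = 1
    access_id = two_way_decrypt(TOOL_KEY, profile["ACCESSID"])
    access_pswd = two_way_decrypt(TOOL_KEY, profile["ACCESSPSWD"])
    return f"Primary/{dbname}/{access_id}/", access_pswd


if __name__ == "__main__":
    row = sample_psaccessprfl()
    info, _pswd = tool_login(row)        # first sign-on encrypts the row in place
    print(info, row["ENCRYPTED"])        # Primary/FSCMD92/SYSADM/ 1
    print(tool_login(row)[0] == info)    # later sign-ons decrypt to the same value: True
```

The difference from the first algorithm is visible in `tool_login`: the tool has to hold the key and call decrypt on every sign-on, so the stored value is only as well protected as the tool that reads it and the table it lives in. That is the reason the post later says this password, unlike the SHA-1 one, can in principle be recovered, and why access to PSACCESSPRFL and to the tool binaries should be restricted and audited.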


Encryption 3: Java-based encryption

This encryption is a bit different, and it happens only at the web server level. To boot the web server, the PTWEBSERVER credentials are mandatory. But PeopleSoft never stores any password in clear text anywhere, so it has to be encrypted with some algorithm and decrypted using the same one. They decided to use a Java-based one.

But why do we need it to be Java-based?

Here is the reason: PeopleSoft does not have its own web server, so we use Oracle WebLogic, which is Java-based. It does not understand the 3DES algorithm developed by PeopleSoft (two-way), and we cannot use SHA-1 because it is one-way. So they wrote a Java-based encryption: the password is stored in encrypted format, and at run time it is decrypted using the decrypt function.

So we use the pscipher.bat utility to encrypt the password.


Can we decrypt any of the above passwords?

Encryption 1: No. As I said earlier, if the encryption is one-way, even Oracle/PeopleSoft does not have a decrypt function. So you can't; the only thing you can try is a brute-force attack.

Encryption 2: Yes. Application Designer and Data Mover are written in C++, so if you get the source code for App-D or Data Mover, you can find the decrypt function and call it. It's not that easy.

Encryption 3: Yes. This is a Java-based utility: you can open pscipher.bat and get the Java class it calls, named PSCIPHER as stated above, decompile it and take a look, and you will find a decrypt function. pscipher.bat only calls the encrypt function in the Java class; you could call the decrypt function instead and make a psdecipher.bat file (if you are a Java expert).


Now you are done!!!!

Happy to help!!!!!!






