A Dynamic Authenticator for Oracle Databases
Developed in Rust, October 2020
In this article I describe the Dynamic Authenticator for Oracle databases (Dynamic Authenticator for short), a personal application that I developed using the Rust programming language. The application aims to provide multifactor and passwordless authentication to database administrators (DBAs) and power users of the Oracle database. I should note that this application is not open source software but a personal project that I made to encourage the use of new technologies at my workplace while highlighting the power of the Rust programming language.
Authentication in Oracle Databases
Traditionally, the Oracle database has provided several methods to externalize authentication and authorization operations, ranging from LDAP, Kerberos and SSL certificates to Radius authentication. The last of these is the most practical to implement because it offers an option to prompt users for additional credentials via a challenge interface.
Enabling Radius authentication in the Oracle database allows the database server to communicate, via the Radius protocol, with an external system that handles authentication and authorization operations on its behalf.
Radius Authentication
Database authentication under Radius can happen in two ways: synchronous and asynchronous (also known as challenge-response). In synchronous mode, the user enters a username together with a password or passcode (e.g. a PIN plus a dynamic token code) in the client system, which sends the data to the database server; the server, acting as a Radius client, passes the data to an external system for validation. Upon successful validation, the external system sends an acceptance message back to the database server, which in turn instructs the client system to allow the user to access the database.
In asynchronous mode, a challenge interface prompts the user to enter their username and password in the client system, which sends the data to the database server; the server, acting as a Radius client, passes the data to an external system for validation. The external system validates the credentials and sends a challenge message back to the database server, which in turn instructs the client system to prompt the user for a challenge response (e.g. enter an OTP code). The client system then sends the challenge response to the database server, which passes it to the external system for validation. Upon successful validation, the external system sends an acceptance message back to the database server, which in turn instructs the client system to allow the user to access the database.
Based on the above, the main difference between the two modes is the challenge interface, which can be customized to work with multiple authentication factors such as smart cards, tokens or security keys. The idea is that third-party vendors can build solutions that augment the login process with multifactor authentication (MFA).
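The asynchronous exchange described above, written out as an added Rust example (this is not code from the Dynamic Authenticator, which is closed source, nor a complete Radius server): on the first Access-Request the server checks the static password, issues an Access-Challenge carrying a State attribute and binds that State to the user; it returns Access-Accept only when a second Access-Request echoes the State together with a valid OTP. Packets are modelled as in-memory structs, so the wire encoding, Request Authenticator and User-Password hiding of RFC 2865 are left out, and the user store, passwords and expected OTP are constructed sample data. The two checks a practitioner should look for are that each State is single-use (no replay of a captured second round) and that it is bound to the user it was issued to (no completing someone else's challenge).

```rust
use std::collections::HashMap;

// Packet codes and attribute types from RFC 2865.
pub const ACCESS_REQUEST: u8 = 1;
pub const ACCESS_ACCEPT: u8 = 2;
pub const ACCESS_REJECT: u8 = 3;
pub const ACCESS_CHALLENGE: u8 = 11;
pub const ATTR_USER_NAME: u8 = 1;
pub const ATTR_USER_PASSWORD: u8 = 2;
pub const ATTR_REPLY_MESSAGE: u8 = 18;
pub const ATTR_STATE: u8 = 24;

/// A RADIUS packet reduced to code, identifier and attributes (no wire encoding,
/// Request Authenticator or User-Password hiding; those are out of scope here).
pub struct Packet { pub code: u8, pub id: u8, pub attrs: Vec<(u8, Vec<u8>)> }

impl Packet {
    pub fn new(code: u8, id: u8) -> Self { Packet { code, id, attrs: Vec::new() } }
    pub fn with(mut self, t: u8, v: &[u8]) -> Self { self.attrs.push((t, v.to_vec())); self }
    /// First attribute of the given type, if present.
    pub fn attr(&self, t: u8) -> Option<&[u8]> {
        self.attrs.iter().find(|(k, _)| *k == t).map(|(_, v)| v.as_slice())
    }
    fn text(&self, t: u8) -> Option<&str> { self.attr(t).and_then(|b| std::str::from_utf8(b).ok()) }
}

/// Server side of the two-round (challenge-response) flow.
pub struct ChallengeServer {
    /// Constructed user store: user -> (static password, OTP the demo expects).
    users: HashMap<String, (String, String)>,
    /// Challenges issued in round one, keyed by their opaque State value and bound to a user.
    pending: HashMap<Vec<u8>, String>,
    counter: u64,
}

impl ChallengeServer {
    pub fn new(users: &[(&str, &str, &str)]) -> Self {
        let users = users.iter()
            .map(|(u, p, o)| (u.to_string(), (p.to_string(), o.to_string())))
            .collect();
        ChallengeServer { users, pending: HashMap::new(), counter: 0 }
    }

    fn reply(req: &Packet, code: u8, msg: &str) -> Packet {
        Packet::new(code, req.id).with(ATTR_REPLY_MESSAGE, msg.as_bytes())
    }

    pub fn handle(&mut self, req: &Packet) -> Packet {
        if req.code != ACCESS_REQUEST { return Self::reply(req, ACCESS_REJECT, "not an Access-Request"); }
        let (user, secret) = match (req.text(ATTR_USER_NAME), req.text(ATTR_USER_PASSWORD)) {
            (Some(u), Some(s)) => (u.to_string(), s),
            _ => return Self::reply(req, ACCESS_REJECT, "missing User-Name or User-Password"),
        };
        match req.attr(ATTR_STATE) {
            // Round one: no State, so User-Password carries the static password.
            None => {
                if self.users.get(&user).map(|(p, _)| p.as_str() == secret) != Some(true) {
                    return Self::reply(req, ACCESS_REJECT, "bad credentials");
                }
                // A counter keeps the demo deterministic; a real server must issue a random,
                // unguessable State and expire pending challenges after a short timeout.
                self.counter += 1;
                let state = format!("chal-{}", self.counter).into_bytes();
                self.pending.insert(state.clone(), user);
                Self::reply(req, ACCESS_CHALLENGE, "Enter OTP:").with(ATTR_STATE, &state)
            }
            // Round two: State echoes the challenge and User-Password carries the OTP.
            // remove() makes each State single-use, so a captured round-two packet cannot be replayed.
            Some(state) => {
                let bound_user = match self.pending.remove(state) {
                    Some(u) => u,
                    None => return Self::reply(req, ACCESS_REJECT, "unknown or expired State"),
                };
                // The OTP must come from the user the challenge was issued to.
                let ok = bound_user == user
                    && self.users.get(&user).map(|(_, o)| o.as_str() == secret) == Some(true);
                if ok { Self::reply(req, ACCESS_ACCEPT, "access granted") }
                else { Self::reply(req, ACCESS_REJECT, "bad OTP") }
            }
        }
    }
}

/// Drives the exchange the database server performs as a Radius client and returns
/// the reply codes it saw: [ACCESS_CHALLENGE, ACCESS_ACCEPT] on success.
pub fn run_flow(server: &mut ChallengeServer, user: &str, password: &str, otp: &str) -> Vec<u8> {
    let r1 = Packet::new(ACCESS_REQUEST, 1)
        .with(ATTR_USER_NAME, user.as_bytes()).with(ATTR_USER_PASSWORD, password.as_bytes());
    let reply1 = server.handle(&r1);
    let mut codes = vec![reply1.code];
    if reply1.code == ACCESS_CHALLENGE {
        let state = reply1.attr(ATTR_STATE).expect("challenge carries State");
        let r2 = Packet::new(ACCESS_REQUEST, 2).with(ATTR_USER_NAME, user.as_bytes())
            .with(ATTR_USER_PASSWORD, otp.as_bytes()).with(ATTR_STATE, state);
        codes.push(server.handle(&r2).code);
    }
    codes
}

fn main() {
    let mut server = ChallengeServer::new(&[("dba1", "hunter2", "123456")]);
    println!("{:?}", run_flow(&mut server, "dba1", "hunter2", "123456"));
}
```

Note that rejecting immediately on a wrong static password, as this example does, tells a client whether the password was right before it ever sees the OTP prompt; a deployment that wants to avoid that oracle can issue the challenge regardless and reject only after round two.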
The Evolution of Multifactor Authentication (MFA)
In the beginning, user authentication was based on "something you know", such as a username and password, as the only factor in the login process for protected resources and applications; authentication systems then added "something you have", such as a phone or smart card. Later, as technology progressed, "something you are", such as a fingerprint or facial recognition, was added to the verification process. In today's high-security environments MFA can be combined with context-aware information, such as location, time, risk scores and device state, to name a few, in the authentication decision.
Although MFA methods add an extra layer of security, those based on SMS or email notifications aren't foolproof: social engineering, phishing, man-in-the-middle and replay attacks have proven successful against them, which makes such MFA far less effective than it appears.
However, new standards like WebAuthn and FIDO2 have given rise to a new category of stronger MFA that overcomes the issues associated with traditional methods. FIDO2 removes the risk of phishing, password theft and replay because no shared secret is ever transmitted: the private key never leaves the authenticator, each credential is bound to the origin that registered it, and every login signs a fresh server-issued challenge. In addition, biometric data, when used, never leaves the user's device, and because the key pair is unique to every website, credentials cannot be used to track users across sites. Moreover, FIDO2 combines WebAuthn and CTAP to provide a simple JavaScript API that is supported by all major browsers and platforms.
The Rust Programming Language
Rust is an open-source systems programming language originally designed at Mozilla Research. It focuses on safety and performance and is well suited to embedded and bare-metal development. Rust also avoids the costs of dynamic typing and garbage collection while still guaranteeing memory safety, which it enforces at compile time through ownership and borrowing; this makes it a solid contender for current software development.
The Rust ecosystem is large, with production-quality libraries and first-class tooling such as Cargo built in. However, Rust's strong type system and emphasis on memory safety make for a steep learning curve; once past it, developers usually fall in love with the language. According to the Stack Overflow Developer Survey results, "For the fourth year in a row, Rust is the most loved programming language".
Although a relatively new language, Rust is well suited not only to creating powerful cross-platform tools but also to building distributed online services and web applications.
A Practical Design to Implement MFA in Oracle Databases
The Dynamic Authenticator is a simple but versatile solution for Oracle databases that enables multifactor authentication and externalizes user authorization to identity providers.
Once a database server is set up for Radius authentication, login operations can be handled in synchronous or asynchronous mode. The Dynamic Authenticator leverages the asynchronous mode to provide a custom challenge interface that is not just faster than the built-in one but is also designed to offer strong MFA, supporting Yubico OTP, Duo Security, FIDO2 devices and Oracle Mobile Authenticator. In addition, the Dynamic Authenticator complements Radius authentication with a TLS channel between the user's client system and itself, so that challenge responses are protected in transit.
Figure 1 depicts the overall architecture with the Dynamic Authenticator being in charge of authentication and authorization operations.
In addition to validating credentials and performing MFA during authentication, the Dynamic Authenticator can also perform authorization at the database level by looking up predefined role mappings for the user's group memberships. Group-Roles mapping (Figure 2) is a feature of the Dynamic Authenticator that can be enabled with all supported identity providers, including Azure AD, Oracle IDCS, LDAP, Active Directory and Oracle Access Manager.
Diving into the internals, the Dynamic Authenticator is built as a statically linked Rust binary that requires no special installation or external libraries and, being a compact executable, can easily be distributed to a target server. Asynchronous tasks are handled by Tokio, a Rust library for event-driven, non-blocking I/O, while persistent data is stored in RocksDB, a high-performance embedded key-value database. Actix Web and webauthn-rs are the Rust libraries used for authentication via the WebAuthn and FIDO2 standards, and Tonic is the gRPC library used for client-server communication.
In terms of scalability, the Dynamic Authenticator uses Rust's direct access to system functionality to let multiple threads bind to the same port, achieving high throughput and low latency when processing network packets. Additionally, multiple instances can be deployed as a cluster to support a large user base. The Dynamic Authenticator also has a built-in command line interface (CLI) for startup and shutdown operations, changing monitoring levels and managing the lifecycle of runtime data.
Figure 2 depicts the Group-Roles mapping feature in the Dynamic Authenticator.
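As an added illustration of the Group-Roles mapping (example code, not the product's own implementation, which the page does not show), covering both the mapping paragraph above and the one-to-many and ephemeral-role items in the feature list: a mapping from identity-provider groups to database roles that supports one-to-many entries, resolves a user's memberships to a de-duplicated role set, and validates every role name as a plain identifier before placing it in a SET ROLE statement, so that a group or role name sourced from a directory can never be interpreted as SQL. The group and role names are constructed sample data. How the Dynamic Authenticator actually conveys roles to the database is not described on the page; SET ROLE is used here only because its effect is limited to the current session, which matches the ephemeral assignment the article describes.

```rust
use std::collections::{BTreeSet, HashMap};

/// Group-to-role mapping: one identity-provider group may map to one or many database roles.
pub struct RoleMapper {
    map: HashMap<String, Vec<String>>,
}

impl RoleMapper {
    pub fn new() -> Self {
        RoleMapper { map: HashMap::new() }
    }

    /// Register a mapping. Group names are matched case-insensitively, as directories
    /// usually do; role names are upper-cased to match Oracle's handling of unquoted identifiers.
    pub fn add(&mut self, group: &str, roles: &[&str]) {
        self.map.entry(group.to_ascii_lowercase())
            .or_default()
            .extend(roles.iter().map(|r| r.to_ascii_uppercase()));
    }

    /// Resolve the roles a user gets from their group memberships.
    /// Unknown groups are ignored; the result is de-duplicated and ordered.
    pub fn resolve(&self, groups: &[&str]) -> BTreeSet<String> {
        groups.iter()
            .filter_map(|g| self.map.get(&g.to_ascii_lowercase()))
            .flatten()
            .cloned()
            .collect()
    }
}

/// Conservative check for a role name before it is used as an unquoted identifier:
/// letters, digits and underscore only, starting with a letter, at most 30 characters
/// (the limit through Oracle 12.1; later releases allow more, 30 is safe everywhere).
/// This keeps directory-sourced names from being interpreted as SQL.
pub fn is_safe_role_name(name: &str) -> bool {
    let mut chars = name.chars();
    match chars.next() {
        Some(c) if c.is_ascii_alphabetic() => {}
        _ => return false,
    }
    name.len() <= 30 && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Build the SET ROLE statement that enables exactly the resolved roles for the
/// current session (SET ROLE affects only the session, so the assignment ends with it).
/// Returns None if the set is empty or any name fails validation, rather than emitting
/// a statement with untrusted text in it.
pub fn set_role_statement(roles: &BTreeSet<String>) -> Option<String> {
    if roles.is_empty() || !roles.iter().all(|r| is_safe_role_name(r)) {
        return None;
    }
    let list: Vec<&str> = roles.iter().map(String::as_str).collect();
    Some(format!("SET ROLE {}", list.join(", ")))
}

fn main() {
    // Constructed sample mapping and memberships.
    let mut m = RoleMapper::new();
    m.add("DBA-Admins", &["DBA", "SELECT_CATALOG_ROLE"]);
    m.add("App-Readers", &["app_readonly"]);
    let roles = m.resolve(&["dba-admins", "App-Readers", "Unmapped-Group"]);
    println!("{:?}", set_role_statement(&roles));
}
```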
The main features in the Dynamic Authenticator can be summarized as follow:
- Supports most Oracle database versions, 11g through 19c
- Supports multiple databases per Dynamic Authenticator instance
- Standard MFA support: OAM OTP, Yubico OTP, FIDO2 and Duo
- Passwordless authentication, including Microsoft's Windows Hello and Apple's Touch ID
- Integration with Active Directory, LDAP, Oracle Access Manager, Oracle Identity Cloud Service and Azure AD
- One-to-one or one-to-many group-to-database-role mappings
- Ephemeral role assignment (valid for the lifetime of the session)
- Built-in command line interface
Taking a Quick Tour Around the Dynamic Authenticator
The Dynamic Authenticator supports Yubico devices, so DBAs and power users can use a YubiKey to authenticate to their databases by generating a Yubico OTP each time they are prompted for a challenge. The Dynamic Authenticator validates OTPs against Yubico's servers through a secure channel before a user can access an authorized database.
Figure 3 depicts the challenge-response flow during authentication to an Oracle database.
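One check a Yubico OTP integration must make before (or alongside) the call to the validation service is that the OTP came from a key registered to the user being authenticated: the first 12 modhex characters of the 44-character OTP identify the key, and without that binding any valid OTP from any YubiKey would log in as the user. The following is an added example, not the Dynamic Authenticator's code: a modhex decoder, an OTP parser and an authentication routine that enforces the binding. The remote validation is represented by a caller-supplied closure standing in for the Yubico service, and the registry, user and OTP values are constructed.

```rust
use std::collections::HashMap;

/// Modhex alphabet used by Yubico OTPs: the 16 characters map to nibbles 0..15
/// (chosen so the OTP types the same on most keyboard layouts).
const MODHEX: &[u8; 16] = b"cbdefghijklnrtuv";

/// Decode a modhex string into bytes; None if the length is odd or any character is not modhex.
pub fn modhex_decode(s: &str) -> Option<Vec<u8>> {
    if s.len() % 2 != 0 {
        return None;
    }
    let nibble = |c: u8| MODHEX.iter().position(|&m| m == c).map(|p| p as u8);
    s.as_bytes()
        .chunks(2)
        .map(|pair| Some(nibble(pair[0])? << 4 | nibble(pair[1])?))
        .collect()
}

/// A parsed Yubico OTP: 44 modhex characters, the first 12 being the public ID of the key
/// and the remaining 32 the AES-encrypted token that only the validation server can decrypt.
pub struct YubicoOtp<'a> {
    pub public_id: &'a str,
    pub token: &'a str,
}

pub fn parse_otp(otp: &str) -> Option<YubicoOtp<'_>> {
    if otp.len() != 44 || modhex_decode(otp).is_none() {
        return None;
    }
    Some(YubicoOtp { public_id: &otp[..12], token: &otp[12..] })
}

/// Authenticate `user` with `otp`. `validate_remote` stands in for the call to the Yubico
/// validation service; it is reached only once the OTP is well formed and the key's
/// public ID is registered to this user (registry is a constructed user -> key IDs map).
pub fn authenticate_yubico<F: Fn(&str) -> bool>(
    registry: &HashMap<&str, Vec<&str>>,
    user: &str,
    otp: &str,
    validate_remote: F,
) -> Result<(), &'static str> {
    let parsed = parse_otp(otp).ok_or("malformed OTP")?;
    let keys = registry.get(user).ok_or("unknown user")?;
    // Without this check any valid OTP from any YubiKey would log in as `user`.
    if !keys.contains(&parsed.public_id) {
        return Err("key not registered to this user");
    }
    if !validate_remote(otp) {
        return Err("OTP rejected by validation service");
    }
    Ok(())
}

fn main() {
    let mut registry = HashMap::new();
    registry.insert("dba1", vec!["cccccccbdefg"]);
    // Constructed OTP: the registered public ID followed by a 32-character token.
    let otp = format!("cccccccbdefg{}", "c".repeat(32));
    let result = authenticate_yubico(&registry, "dba1", &otp, |o| o == otp);
    println!("{:?}", result);
}
```

The validation service also reports the key's session and use counters in its response; a server that stores the last-seen counters per key and rejects anything not strictly newer closes the window in which an OTP that was validated once could be presented again.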
Similarly, the Dynamic Authenticator can enforce the use of FIDO2 devices during the login process and, when combined with the resident keys feature, supports passwordless authentication.
Figure 4 depicts the use of Microsoft’s Windows Hello to authenticate using biometrics such as fingerprint recognition.
Upon successful authentication with a FIDO2 device, a user can access an authorized database as depicted in Figure 5.
Conclusion
As organizations grow, adopting hybrid and multicloud environments to add new business capabilities, security becomes more complex. Finding ways to better protect data is key to preventing cyberattacks, and MFA is by far one of the best ways to secure access to applications and resources; after all, "any MFA is better than no MFA".
About the Author
Ricardo Gutierrez is a Lead Security Architect at Oracle with more than 12 years in identity and access management and experience in cloud infrastructure, database and application security, and enterprise application integration. In his spare time, Ricardo does research and software development using new technologies and is the creator of the E-Business Suite Asserter (EBS Asserter), an SSO component bundled with Oracle Identity Cloud Service, and of the Dynamic Authenticator, an MFA solution for Oracle databases.