Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 54123 invoked from network); 13 Feb 2006 09:52:43 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 13 Feb 2006 09:52:43 -0000 Received: (qmail 72272 invoked by uid 500); 13 Feb 2006 09:52:42 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 72031 invoked by uid 500); 13 Feb 2006 09:52:41 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 72021 invoked by uid 99); 13 Feb 2006 09:52:41 -0000 X-ASF-Spam-Status: No, hits=1.3 required=10.0 tests=SPF_FAIL X-Spam-Check-By: apache.org Received: from [192.87.106.226] (HELO ajax.apache.org) (192.87.106.226) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Feb 2006 01:52:39 -0800 Received: from ajax.apache.org (ajax.apache.org [127.0.0.1]) by ajax.apache.org (Postfix) with ESMTP id 4BEF7DE for ; Mon, 13 Feb 2006 10:52:18 +0100 (CET) Message-ID: <469698423.1139824338308.JavaMail.jira@ajax.apache.org> Date: Mon, 13 Feb 2006 10:52:18 +0100 (CET) From: "Sunitha Kambhampati (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Created: (DERBY-962) Upgrade default security mechanism in client to use encrypted userid password if client can support it. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Upgrade default security mechanism in client to use encrypted userid password if client can support it. ------------------------------------------------------------------------------------------------------- Key: DERBY-962 URL: http://issues.apache.org/jira/browse/DERBY-962 Project: Derby Type: Improvement Components: Network Client Reporter: Sunitha Kambhampati Fix For: 10.2.0.0 Currently in the client, if userid and password are set in the connection url, the default security mechanism is upgraded to USRIDPWD (which is clear text userid and password). This seems to be a security hole here. Current client driver supports encrypted userid/password (EUSRIDPWD) via the use of DH key-agreement protocol - however current Open Group DRDA specifications imposes small prime and base generator values (256 bits) that prevents other JCE's (apt from ibm jce) to be used as java cryptography providers. Some thoughts: -- client can make a check to see if it the jvm it is running in supports the encryption necessary for EUSRIDPWD. If it supports, then the client can upgrade to EUSRIDPWD. -- if the jvm the client is running is , doesnt support encryption requirements for EUSRIDPWD, then the security mechanism will be set to USRIDPWD. -- DERBY-528 will add support for strong userid and password which is another option to send encrypted passwords across the wire. When this gets added, maybe this can be considered as one of the upgrade options after EUSRIDPWD. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira