db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kathey Marsden (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-962) Upgrade default security mechanism in client to use encrypted userid password if client can support it.
Date Sat, 18 Mar 2006 04:02:19 GMT
    [ http://issues.apache.org/jira/browse/DERBY-962?page=comments#action_12370931 ] 

Kathey Marsden commented on DERBY-962:
--------------------------------------

Hi Sunitha,

Looking at your diff I understand why the first @see was taken out because it was not in a
javadoc comment,
but these two were less clear to me.

It seems like it would be good instead to keep the @see but use the 
@see  #method(Type argname, Type argname,...) format for these two:

@@ -807,7 +807,7 @@
      * return the security mechanism 
      * if security mechanism has not been set explicitly on datasource
      * then upgrade the security mechanism to a more secure one if possible
-     * @see #getUpgradedSecurityMechanism()
+     * See getUpgradedSecurityMechanism()
      * @return the security mechanism
      */
     public short getSecurityMechanism() {
@@ -819,7 +819,7 @@
      * if security mechanism has not been set explicitly on datasource
      * then upgrade the security mechanism to a more secure one if possible
      * @param password  password of user
-     * @see #getUpgradedSecurityMechanism()
+     * See getUpgradedSecurityMechanism()
      * @return the security mechanism
      */
     public short getSecurityMechanism(String password) {

> Upgrade default security mechanism in client to use encrypted userid password if client
can support it.
> -------------------------------------------------------------------------------------------------------
>
>          Key: DERBY-962
>          URL: http://issues.apache.org/jira/browse/DERBY-962
>      Project: Derby
>         Type: Improvement
>   Components: Network Client
>     Reporter: Sunitha Kambhampati
>     Assignee: Sunitha Kambhampati
>      Fix For: 10.2.0.0
>  Attachments: 962_table.txt, Derby962.diff.txt, Derby962.stat.txt, Derby962_forreview.diff.txt,
Derby962_forreview.stat.txt, d962_javadoc.diff.txt
>
> Currently in the client, if userid and password are set in the connection url, the default
security mechanism is upgraded to USRIDPWD (which is clear text userid and password).  This
seems to be a security hole here. 
> Current client  driver supports encrypted userid/password (EUSRIDPWD) via the use of
DH key-agreement protocol - however current Open Group DRDA specifications imposes small prime
and base generator values (256 bits) that prevents other JCE's  (apt from ibm jce) to be used
as java cryptography providers.  
> Some thoughts:
> -- client can make a check to see if it the jvm it is running in supports the encryption
necessary for EUSRIDPWD. If it supports, then the client can upgrade to EUSRIDPWD. 
> -- if the jvm the client is running is , doesnt support encryption requirements for EUSRIDPWD,
then the security mechanism will be set to USRIDPWD.
> -- DERBY-528 will add support for strong userid and password which is another option
to send encrypted passwords across the wire. When this gets added, maybe this can be considered
as one of the upgrade options after EUSRIDPWD. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message