Date: Wed, 15 Mar 2006 06:49:44 +0000 (GMT)
From: "Sunitha Kambhampati (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] Updated: (DERBY-962) Upgrade default security mechanism in client to use encrypted userid password if client can support it.
Message-ID: <1461342821.1142405384171.JavaMail.jira@ajax>
In-Reply-To: <469698423.1139824338308.JavaMail.jira@ajax.apache.org>

     [ http://issues.apache.org/jira/browse/DERBY-962?page=all ]

Sunitha Kambhampati updated DERBY-962:
--------------------------------------

    Attachment: Derby962.diff.txt
                Derby962.stat.txt

This issue was blocked by derby-1080. Now that 1080 is committed, I have regenerated the patch for 962 and am attaching Derby962.diff.txt and Derby962.stat.txt.

The changes in this patch are the same as the changes in Derby962_forreview.txt that were specific to derby 962, except for the following:
-- I have added the table that was in 962_table.txt into the test code per Kathey's comments and also added some comments from the jira to the test code.

I ran derbynetclientmats and derbynetmats ok on linux/ibm142 with the known failures in Surtest. I ran testSecMec on windows with JCC2.4, JCC2.6 and derbyclient on ibm and sun jvms, versions 131, 141, 142, 15 ok. derbyall is still running. I will post results here as they finish.

Can someone please review this change? Thanks.

> Upgrade default security mechanism in client to use encrypted userid password if client can support it.
> -------------------------------------------------------------------------------------------------------
>
>          Key: DERBY-962
>          URL: http://issues.apache.org/jira/browse/DERBY-962
>      Project: Derby
>         Type: Improvement
>   Components: Network Client
>     Reporter: Sunitha Kambhampati
>     Assignee: Sunitha Kambhampati
>      Fix For: 10.2.0.0
>  Attachments: 962_table.txt, Derby962.diff.txt, Derby962.stat.txt, Derby962_forreview.diff.txt, Derby962_forreview.stat.txt
>
> Currently in the client, if userid and password are set in the connection url, the default security mechanism is upgraded to USRIDPWD (which is clear text userid and password). This seems to be a security hole here.
> The current client driver supports encrypted userid/password (EUSRIDPWD) via the use of the DH key-agreement protocol - however the current Open Group DRDA specifications impose small prime and base generator values (256 bits) that prevent other JCEs (apart from the ibm jce) from being used as java cryptography providers.
> Some thoughts:
> -- the client can make a check to see if the jvm it is running in supports the encryption necessary for EUSRIDPWD. If it supports it, then the client can upgrade to EUSRIDPWD.
> -- if the jvm the client is running in doesn't support the encryption requirements for EUSRIDPWD, then the security mechanism will be set to USRIDPWD.
> -- DERBY-528 will add support for strong userid and password which is another option to send encrypted passwords across the wire. When this gets added, maybe this can be considered as one of the upgrade options after EUSRIDPWD.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
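The upgrade logic proposed in the quoted issue description (probe whether the JVM's JCE provider accepts the small 256-bit DH parameters EUSRIDPWD needs, and fall back to USRIDPWD if it does not), written out as an added illustration. This is not Derby's client code or the patch under review; the class, method names and the freshly generated 256-bit prime are assumptions standing in for the fixed prime and generator the DRDA spec mandates, which are not reproduced here.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.spec.DHParameterSpec;

/** Hypothetical helper illustrating the DERBY-962 proposal; not Derby's own code. */
public final class SecMecProbe {

    /** The two DRDA security mechanisms the issue chooses between. */
    public enum SecMec { USRIDPWD, EUSRIDPWD }

    /** Bit length of the DH prime the DRDA spec imposes for EUSRIDPWD. */
    private static final int DRDA_DH_PRIME_BITS = 256;

    /**
     * Returns true if the JCE provider in this JVM will perform DH key
     * agreement with a 256-bit modulus. A provider that enforces a larger
     * minimum modulus (as non-IBM providers did at the time) rejects the
     * parameters in initialize(), which is exactly the case the client must
     * detect before defaulting to EUSRIDPWD.
     */
    public static boolean jvmSupportsEusridpwd() {
        try {
            // Constructed stand-in with the spec's bit length, not the spec's actual prime.
            BigInteger p = BigInteger.probablePrime(DRDA_DH_PRIME_BITS, new SecureRandom());
            BigInteger g = BigInteger.valueOf(2);
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            kpg.initialize(new DHParameterSpec(p, g)); // throws if the size is refused
            kpg.generateKeyPair();                     // some providers only fail here
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        } catch (RuntimeException e) {
            // Treat any provider-specific failure as "not supported" rather than crashing.
            return false;
        }
    }

    /** Default mechanism when userid and password are given in the connection URL. */
    public static SecMec defaultSecMec() {
        return jvmSupportsEusridpwd() ? SecMec.EUSRIDPWD : SecMec.USRIDPWD;
    }

    public static void main(String[] args) {
        System.out.println("Default security mechanism for this JVM: " + defaultSecMec());
    }
}
```

Running this on a JVM whose provider enforces a 512-bit minimum prints USRIDPWD, which is the fallback the issue describes; on a provider that accepts 256-bit parameters it prints EUSRIDPWD.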