db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Francois Orsini (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-1740) Change error message to indicate encryptionkey length to be atleast 16 characters instead of 8 characters
Date Fri, 01 Sep 2006 09:54:24 GMT
    [ http://issues.apache.org/jira/browse/DERBY-1740?page=comments#action_12432109 ] 
            
Francois Orsini commented on DERBY-1740:
----------------------------------------


  > It seems the concepts of 'bootPassword' and 'encryptionKey' are pretty much unrelated
[in Derby]. 
  > If you create the database with a boot password, you must always boot the database
with a boot password.
  > You cannot specify a "corresponding" encryption key to boot it. The same goes for encryptionKey,
you cannot
  > boot it using a corresponding boot password.
  > Is my understanding correct?

That is correct Kristian. You use either one of them but not both at the same time - as well
as you can't use some encryption key generated out of a bootPassword as it is not made available
(not known).

  > Further, it seems code handling these two concepts are co-located in the same classes/methods,
  > and often a single error message is used for error-situations for both concepts.
  > For instance, if I create an encrypted database using the encryptionKey attribute and
try to boot it using
  > an incorrect encryptionKey, or by using the bootPassword attribute, I get:
  > ERROR XBM06: Startup failed. An encrypted database cannot be accessed without the correct
boot password.
  > Also, specifying both attributes gives the same exception/SQLState as above.

Correct - This is what the code does at the moment.

  > Thus it seems this Jira is only one of several related problems/inaccuracies related
to
  > creating/booting encrypted databases.
  > Can anyone with more knowledge comment on this?

Yes, error messaging has to be improved for some of the various scenarios you already came
accross...

The bootPassword must be of at least 8 bytes as the default cipher algorithm is DES (56 bits)...The
external encryption key (when specified instead of the bootPassword) should be of a particular
length (Hex string) depending on the cipher algorithm being specified or not (default being
DES)...Of course, the minimum for the external encryption key also has to be of 16 bytes (8x2)
(with a default cipher as DES).

Your patch looks good IMO. I would re-phrase the error message into something like:
XBCXM.S.1=The length of the external encryption key is {0}, it should be of  at least {1}.

Yes it is ok to use bytes for the bootPassword and hex string length for the (external) encryption
key as a the units.

Hope this helps a bit. There are some improvements that can be done in this area of code -
certainly some refactoring as well as better handling of encryption key length, determining
weak and semi-weak keys (other than just for DES - e.g. 3DES) ) for the various supported
crypto cipher algorithms wherever it makes sense...

You should test the patch with the database encryption test suite as well of course.


> Change error message to indicate encryptionkey length to be atleast 16 characters instead
of 8 characters
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-1740
>                 URL: http://issues.apache.org/jira/browse/DERBY-1740
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.0.2.0
>         Environment: Any
>            Reporter: Rajesh Kartha
>            Priority: Minor
>             Fix For: 10.2.1.0
>
>         Attachments: derby-1740-1a.diff
>
>
> While attempting to create a encrypted database with even key length of 14 characters,
it fails with the error message indicating the key length should be atleast 8 characters.
> --
> -- Attempt to encrypt using key of lenght 14
> --
> ij> connect 'jdbc:derby:adb;create=true;dataEncryption=true;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKey=11223344556677';
> ERROR XJ041: Failed to create database 'adb', see the next exception for details.
> ERROR XBM01: Startup failed due to an exception. See next exception for details.
> ERROR XBCX2: Initializing cipher with a boot password that is too short. The password
must be at least 8 characters long.
> --
> --Requires 16 characters for the encryptionKey
> --
> ij> connect 'jdbc:derby:adb;create=true;dataEncryption=true;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKey=1122334455667788';
> ij>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message