Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 6783 invoked from network); 1 Sep 2006 09:57:48 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 1 Sep 2006 09:57:48 -0000 Received: (qmail 58726 invoked by uid 500); 1 Sep 2006 09:57:48 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 58507 invoked by uid 500); 1 Sep 2006 09:57:47 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 58498 invoked by uid 99); 1 Sep 2006 09:57:47 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 01 Sep 2006 02:57:47 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received: from [209.237.227.198] (HELO brutus.apache.org) (209.237.227.198) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 01 Sep 2006 02:57:46 -0700 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id BDAFD410023 for ; Fri, 1 Sep 2006 09:54:24 +0000 (GMT) Message-ID: <11827888.1157104464773.JavaMail.jira@brutus> Date: Fri, 1 Sep 2006 02:54:24 -0700 (PDT) From: "Francois Orsini (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Commented: (DERBY-1740) Change error message to indicate encryptionkey length to be atleast 16 characters instead of 8 characters In-Reply-To: <30131981.1156194673819.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N [ http://issues.apache.org/jira/browse/DERBY-1740?page=comments#action_12432109 ] Francois Orsini commented on DERBY-1740: ---------------------------------------- > It seems the concepts of 'bootPassword' and 'encryptionKey' are pretty much unrelated [in Derby]. > If you create the database with a boot password, you must always boot the database with a boot password. > You cannot specify a "corresponding" encryption key to boot it. The same goes for encryptionKey, you cannot > boot it using a corresponding boot password. > Is my understanding correct? That is correct Kristian. You use either one of them but not both at the same time - as well as you can't use some encryption key generated out of a bootPassword as it is not made available (not known). > Further, it seems code handling these two concepts are co-located in the same classes/methods, > and often a single error message is used for error-situations for both concepts. > For instance, if I create an encrypted database using the encryptionKey attribute and try to boot it using > an incorrect encryptionKey, or by using the bootPassword attribute, I get: > ERROR XBM06: Startup failed. An encrypted database cannot be accessed without the correct boot password. > Also, specifying both attributes gives the same exception/SQLState as above. Correct - This is what the code does at the moment. > Thus it seems this Jira is only one of several related problems/inaccuracies related to > creating/booting encrypted databases. > Can anyone with more knowledge comment on this? Yes, error messaging has to be improved for some of the various scenarios you already came accross... The bootPassword must be of at least 8 bytes as the default cipher algorithm is DES (56 bits)...The external encryption key (when specified instead of the bootPassword) should be of a particular length (Hex string) depending on the cipher algorithm being specified or not (default being DES)...Of course, the minimum for the external encryption key also has to be of 16 bytes (8x2) (with a default cipher as DES). Your patch looks good IMO. I would re-phrase the error message into something like: XBCXM.S.1=The length of the external encryption key is {0}, it should be of at least {1}. Yes it is ok to use bytes for the bootPassword and hex string length for the (external) encryption key as a the units. Hope this helps a bit. There are some improvements that can be done in this area of code - certainly some refactoring as well as better handling of encryption key length, determining weak and semi-weak keys (other than just for DES - e.g. 3DES) ) for the various supported crypto cipher algorithms wherever it makes sense... You should test the patch with the database encryption test suite as well of course. > Change error message to indicate encryptionkey length to be atleast 16 characters instead of 8 characters > --------------------------------------------------------------------------------------------------------- > > Key: DERBY-1740 > URL: http://issues.apache.org/jira/browse/DERBY-1740 > Project: Derby > Issue Type: Bug > Affects Versions: 10.0.2.0 > Environment: Any > Reporter: Rajesh Kartha > Priority: Minor > Fix For: 10.2.1.0 > > Attachments: derby-1740-1a.diff > > > While attempting to create a encrypted database with even key length of 14 characters, it fails with the error message indicating the key length should be atleast 8 characters. > -- > -- Attempt to encrypt using key of lenght 14 > -- > ij> connect 'jdbc:derby:adb;create=true;dataEncryption=true;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKey=11223344556677'; > ERROR XJ041: Failed to create database 'adb', see the next exception for details. > ERROR XBM01: Startup failed due to an exception. See next exception for details. > ERROR XBCX2: Initializing cipher with a boot password that is too short. The password must be at least 8 characters long. > -- > --Requires 16 characters for the encryptionKey > -- > ij> connect 'jdbc:derby:adb;create=true;dataEncryption=true;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKey=1122334455667788'; > ij> -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira