db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-2133) Detect tampering of installed jar files in an encrypted database
Date Thu, 30 Nov 2006 22:02:21 GMT
    [ http://issues.apache.org/jira/browse/DERBY-2133?page=comments#action_12454760 ] 
            
Daniel John Debrunner commented on DERBY-2133:
----------------------------------------------

Doh, looked at the wrong section for J2ME/CDC/foundation, MessageDigest is supported so a
single approach of always using an MD5 checksum is probably the best.

> Detect tampering of installed jar files in an encrypted database
> ----------------------------------------------------------------
>
>                 Key: DERBY-2133
>                 URL: http://issues.apache.org/jira/browse/DERBY-2133
>             Project: Derby
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Daniel John Debrunner
>
> Since the jar files (from sqlj.install_jar) are stored unencrypted in an encrypted database
a secuirty hole exists where the jar can be replaced by malicious code.
> One way to detect this would be to store an MD5 checksum of the jar's contents in the
SYSFILES table (as a new column) and to match this checksum with the jar file when opening
it. This only makes sense for encrypted databases, as if a cracker can hack the jar file in
an unencrypted database they can also fix up the checksum. Also adding this checksum on a
unencrypted database would require some alternate scheme for J2ME/CDC/Foundation which (I
think) does not support MD5 checksums.
> th eother option of encrypting the jar seems less appealing as it will increase the complexity
of loading classes and move away from using the standard URLClassLoader.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message