Message-ID: <12529441.25551276003991297.JavaMail.jira@thor>
Date: Tue, 8 Jun 2010 09:33:11 -0400 (EDT)
From: "Rick Hillegas (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] Updated: (DERBY-4483) Provide a way to change the hash algorithm used by BUILTIN authentication
In-Reply-To: <526285707.1261139298094.JavaMail.jira@brutus>

     [ https://issues.apache.org/jira/browse/DERBY-4483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-4483:
---------------------------------

    Description:
The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1 algorithm. It would be nice to have a way to specify a different algorithm so that users can take advantage of new, stronger algorithms provided by their JCE provider if so desired.

This issue tracks our response to a security vulnerability, which Marcell Major identified. See http://marcellmajor.com/derbyhash.html

  was:
The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1 algorithm. It would be nice to have a way to specify a different algorithm so that users can take advantage of new, stronger algorithms provided by their JCE provider if so desired.

> Provide a way to change the hash algorithm used by BUILTIN authentication
> -------------------------------------------------------------------------
>
>                 Key: DERBY-4483
>                 URL: https://issues.apache.org/jira/browse/DERBY-4483
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions: 10.5.3.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>            Priority: Minor
>             Fix For: 10.6.1.0
>
>         Attachments: comments.diff, derby-4483-1a.diff, derby-4483-1a.stat, derby-4483-2a.diff, derby-4483-2a.stat, errormsg.diff, experiment.diff, releaseNote.html, releaseNote.html, toHexByte.diff, upgrade-test.diff
>
>
> The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1 algorithm. It would be nice to have a way to specify a different algorithm so that users can take advantage of new, stronger algorithms provided by their JCE provider if so desired.
> This issue tracks our response to a security vulnerability, which Marcell Major identified. See http://marcellmajor.com/derbyhash.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.