Date: Tue, 27 Mar 2012 13:10:41 +0000 (UTC)
From: "Knut Anders Hatlen (Commented) (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] [Commented] (DERBY-5550) Document derby.authentication.builtin.saltLength and derby.authentication.builtin.iterations

[ https://issues.apache.org/jira/browse/DERBY-5550?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13239420#comment-13239420 ]

Knut Anders Hatlen commented on DERBY-5550:
-------------------------------------------

Thanks, Kim. The changes look good and complete to me. Two tiny comments:

- Maybe we should just say "difficult" instead of "extremely difficult" in the description of the saltLength property?

- In the NATIVE authentication topic, we now say: "Two related properties are derby.authentication.builtin.saltLength and derby.authentication.builtin.iterations, which make the encrypted passwords harder for attackers to decipher." The properties don't necessarily make it harder for attackers, for example if they are set to values lower than their defaults. So maybe change the last clause to "which may be used to ..."?

Another small issue with that sentence is that it says the passwords are encrypted in the database (that's also said some other places in the NATIVE authentication topic). The passwords are hashed, not encrypted, so we might want to change "encrypted passwords" -> "hashed passwords" and maybe also "decipher" -> "crack".

> Document derby.authentication.builtin.saltLength and derby.authentication.builtin.iterations
> --------------------------------------------------------------------------------------------
>
>                 Key: DERBY-5550
>                 URL: https://issues.apache.org/jira/browse/DERBY-5550
>             Project: Derby
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 10.9.0.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Kim Haase
>         Attachments: DERBY-5550.diff, DERBY-5550.stat, DERBY-5550.zip
>
>
> DERBY-5539 introduced two new properties that control how BUILTIN stores credentials:
>
> - derby.authentication.builtin.saltLength (default: 16)
> This property specifies the number of bytes of random salt that will be added to the credentials before hashing them. (Purpose of the property: Make it infeasible to construct rainbow tables.)
>
> - derby.authentication.builtin.iterations (default: 1000, minimum: 1)
> This property specifies the number of times to apply the hash function (which is specified by derby.authentication.builtin.algorithm) on the credentials. (Purpose of the property: Slow down attackers as they'll need to spend more time calculating hashes.)
>
> Both the properties have effect only if BUILTIN authentication is enabled and derby.authentication.builtin.algorithm has a non-null value.
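Added illustration, not Derby's own code or its on-disk credential format, of the scheme the quoted description outlines: a random salt of saltLength bytes is added to the credentials and the hash function is applied iterations times, with a check that flags settings lowered below the defaults, which is the point made in the comment above. The salt placement, the use of Python's hashlib in place of the derby.authentication.builtin.algorithm property, and the weaker_than_default helper are assumptions.

```python
import hashlib
import secrets

# Assumed defaults, taken from the values quoted in the issue description.
DEFAULT_SALT_LENGTH = 16
DEFAULT_ITERATIONS = 1000


def hash_credentials(password, salt, iterations, algorithm="sha256"):
    """Hash password||salt once, then re-hash the digest until `iterations`
    applications of the hash function have been made (illustration only)."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = password.encode("utf-8") + salt  # salt placement is an assumption
    for _ in range(iterations):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def store_credentials(password, salt_length=DEFAULT_SALT_LENGTH,
                      iterations=DEFAULT_ITERATIONS, algorithm="sha256"):
    """Build the record a database keeps: parameters, per-password salt, hash."""
    salt = secrets.token_bytes(salt_length)  # fresh random salt each time
    return {"algorithm": algorithm, "salt": salt, "iterations": iterations,
            "hash": hash_credentials(password, salt, iterations, algorithm)}


def verify_credentials(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    candidate = hash_credentials(password, record["salt"],
                                 record["iterations"], record["algorithm"])
    return secrets.compare_digest(candidate, record["hash"])


def weaker_than_default(salt_length, iterations):
    """Return warnings for settings below the defaults: a shorter salt makes
    precomputed (rainbow) tables cheaper, fewer iterations makes each guess
    cheaper, so lowered values remove rather than add protection."""
    warnings = []
    if salt_length < DEFAULT_SALT_LENGTH:
        warnings.append("saltLength %d is below the default %d"
                        % (salt_length, DEFAULT_SALT_LENGTH))
    if iterations < DEFAULT_ITERATIONS:
        warnings.append("iterations %d is below the default %d"
                        % (iterations, DEFAULT_ITERATIONS))
    return warnings
```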