db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-5622) Reduce the chance for hash collisions when checking bootPassword at boot time and when changing password.
Date Tue, 03 Jul 2012 13:11:22 GMT

    [ https://issues.apache.org/jira/browse/DERBY-5622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13405903#comment-13405903
] 

Dag H. Wanvik commented on DERBY-5622:
--------------------------------------

I looked at the patch and verified that the second line of defense here kicks in if the first
one is disabled as in your instrumented patch version.
Patch looks good, +1 .

Nits: some too long lines. One new line has a TAB: { throw StandardException.newException(SQLState.WRONG_BOOT_PASSWORD);
}
On that note, I'd prefer a newline after the "{" starting the explicit block.
                
> Reduce the chance for hash collisions when checking bootPassword at boot time and when
changing password.
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-5622
>                 URL: https://issues.apache.org/jira/browse/DERBY-5622
>             Project: Derby
>          Issue Type: Improvement
>          Components: Store
>            Reporter: Dag H. Wanvik
>         Attachments: derby-5622-01-aa-decryptEncryptedSample.diff, derby-5622-TT-fixWithTestScaffolding.diff,
derby-5622-instrumentation.diff, derby-5622-repro.sql, repro.sh
>
>
> There are two issues, already seen in DERBY-2687:
>    "the boot issue": there is a 1/2**16 chance that a wrong bootPassword will allow boot
to proceed (but since its decoded key is wrong the boot will fail).
>    "the password change" issue: similarly, there is a chance that the wrong bootPassword
will be accepted trying to change it via 
>     SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('bootPassword', ...) at least for algorithms
that do not check IV (initialization vector) in addition to the
>     digest, e.g. "DES/ECB/NoPadding"
> The latter case may lead to data corruption, cf. DERBY-2687 discussion. I think the risk
is fairly low, though: One would need to have execution permission to change the property
if SQL authorization is used, and in most scenarios the supplied existing password would be
correct. But since the results can be bad, it would be good to reduce or eliminate the risk.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message