db-derby-dev mailing list archives

From "Kim Haase (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-4229) encryptionKeyLength connection attribute should be documented
Date Thu, 27 Sep 2012 18:49:08 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13464973#comment-13464973 ]

Kim Haase commented on DERBY-4229:
----------------------------------

Hm. If I specify encryptionKey and an invalid encryptionKeyLength without specifying an encryptionAlgorithm,
there's no error:

 jdench 49 =>java -jar $DERBY_HOME/jars/insane/derbyrun.jar ij
ij version 10.10
ij> connect 'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionKeyLength=5';
ij> 

Derby seems to ignore the length if the key is specified.

The following URLs also succeed with no error -- specifying the default algorithm, and either
the default key length or an incorrect key length:

ij> connect 'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionAlgorithm=DES/CBC/NoPadding';

ij> connect 'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKeyLength=128';

ij> connect 'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKeyLength=5';

On the other hand, if I specify an encryptionKey of the default length with a non-default
encryptionAlgorithm, I get an error:

ij> connect 'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionAlgorithm=AES/CBC/NoPadding';
ERROR XJ041: Failed to create database 'encDB', see the next exception for details.
ERROR XBM01: Startup failed due to an exception. See next exception for details. 
ERROR XBCX0: Exception from Cryptography provider. See next exception for details.
ERROR XJ001: Java exception: 'Invalid key for AES: java.security.InvalidKeyException'.
ERROR XJ001: Java exception: 'Key length must be between 128 and 256 bits: java.security.InvalidAlgorithmParameterException'.
ij> 

I think the key length is 128, so the error message is mysterious. I get the same error if
I add "encryptionKeyLength=128" to the URL. I haven't tried with a non-default key length
because that requires a different policy file, according to "Specifying an alternate encryption
algorithm" in the Developer's Guide.
                
> encryptionKeyLength connection attribute should be documented
> -------------------------------------------------------------
>
>                 Key: DERBY-4229
>                 URL: https://issues.apache.org/jira/browse/DERBY-4229
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 10.5.1.1
>            Reporter: Kathey Marsden
>            Assignee: Kim Haase
>             Fix For: 10.5.2.0, 10.5.3.1, 10.6.2.2, 10.7.1.4, 10.8.2.3, 10.9.1.1, 10.10.0.0
>
>         Attachments: cdevcsecure67151.html, DERBY-4229-2.diff, DERBY-4229-2.stat, DERBY-4229-3.diff, DERBY-4229.diff, rrefattribencryptkeylength.html, rrefattribencryptkeylength.html
>
>
> The developer guide says:
> The length of the encryption key depends on the algorithm used:
> AES (128, 192, and 256 bits) 
> DES (the default) (56 bits) 
> DESede (168 bits) 
> All other algorithms (128 bits) 
> Note: The boot password should have at least as many characters as number of bytes in the encryption key (56 bits=8 bytes, 168 bits=24 bytes, 128 bits=16 bytes). The minimum number of characters for the boot password allowed by Derby is eight.
> For AES, however, it does not tell how to change the default key length of 128. This can be changed with the encryptionKeyLength connection attribute. The documentation should also specify that special policy files for the JRE may be necessary to accommodate the longer length.
> Also note that there is an outstanding issue DERBY-3710 regarding length of 192 for AES.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
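
A pre-flight check for the connection URLs tried in the message above, as an added example that is not part of the original message or of Derby's code: it decodes the hex encryptionKey, compares its byte length with the key sizes listed in the quoted Developer's Guide text, and flags an encryptionKeyLength that does not describe the key actually supplied. The function names are hypothetical, and treating DES/CBC/NoPadding as the default algorithm follows the message.

```python
# Added example (not Derby code): sanity-check Derby encryption attributes
# in a JDBC URL before connecting. Function names are hypothetical.

# External key size in bytes -> nominal key length in bits, using the sizes
# quoted in the message (DES 56 bits = 8 bytes, DESede 168 bits = 24 bytes,
# AES 128/192/256 bits).
KEY_SIZES = {
    "DES": {8: 56},
    "DESede": {24: 168},
    "AES": {16: 128, 24: 192, 32: 256},
}
DEFAULT_ALGORITHM = "DES/CBC/NoPadding"  # the default named in the message


def parse_attrs(url):
    """Split 'jdbc:derby:db;a=b;c=d' into (db name, attribute dict)."""
    db, *pairs = url[len("jdbc:derby:"):].split(";")
    return db, dict(p.split("=", 1) for p in pairs if "=" in p)


def check_external_key(url):
    """Return a list of problems with encryptionKey/Algorithm/KeyLength."""
    _, attrs = parse_attrs(url)
    if "encryptionKey" not in attrs:
        return []  # boot-password databases are out of scope here
    cipher = attrs.get("encryptionAlgorithm", DEFAULT_ALGORITHM).split("/")[0]
    try:
        key = bytes.fromhex(attrs["encryptionKey"])
    except ValueError:
        return ["encryptionKey is not valid hex"]
    sizes = KEY_SIZES.get(cipher)
    if sizes is None:
        return [f"no key-size table for {cipher}"]
    problems = []
    nominal = sizes.get(len(key))
    if nominal is None:
        problems.append(
            f"{cipher} needs a key of {sorted(sizes)} bytes, got "
            f"{len(key)} bytes ({len(key) * 8} bits)")
    declared = attrs.get("encryptionKeyLength")
    if declared is not None and (
            not declared.isdigit() or int(declared) != nominal):
        problems.append(
            f"encryptionKeyLength={declared} does not describe the "
            f"{len(key)}-byte key supplied")
    return problems
```
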