db-derby-dev mailing list archives

From "Kim Haase (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-4229) encryptionKeyLength connection attribute should be documented
Date Thu, 27 Sep 2012 19:05:07 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13464988#comment-13464988 ]

Kim Haase commented on DERBY-4229:
----------------------------------

On the other hand, if I use bootPassword with an invalid encryptionKeyLength, other interesting
things happen.

ij> connect 'jdbc:derby:encDB;create=true;dataEncryption=true;bootPassword=Thursday;encryptionKeyLength=5';
ERROR XJ041: Failed to create database 'encDB', see the next exception for details.
ERROR XBM01: Startup failed due to an exception. See next exception for details. 
ERROR XJ001: Java exception: ': java.security.InvalidParameterException'.
ERROR XJ001: Java exception: 'DES key length must be 56 bits: java.security.InvalidAlgorithmParameterException'.

This is interesting, because we say the default key length is 128. If I specify 56, I get
no error. But if I specify 128, I get an error:

ij> connect 'jdbc:derby:encDB;create=true;dataEncryption=true;bootPassword=Thursday;encryptionKeyLength=128';
ERROR XJ041: Failed to create database 'encDB', see the next exception for details.
ERROR XBM01: Startup failed due to an exception. See next exception for details. 
ERROR XJ001: Java exception: ': java.security.InvalidParameterException'.
ERROR XJ001: Java exception: 'DES key length must be 56 bits: java.security.InvalidAlgorithmParameterException'.

Apparently the default is 128 for AES, not for DES. The following command succeeds:

ij> connect 'jdbc:derby:encDB;create=true;dataEncryption=true;bootPassword=Thursday;encryptionAlgorithm=AES/CBC/NoPadding;encryptionKeyLength=128';

So why did a 128-bit encryptionKey argument succeed? 

                
> encryptionKeyLength connection attribute should be documented
> -------------------------------------------------------------
>
>                 Key: DERBY-4229
>                 URL: https://issues.apache.org/jira/browse/DERBY-4229
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 10.5.1.1
>            Reporter: Kathey Marsden
>            Assignee: Kim Haase
>             Fix For: 10.5.2.0, 10.5.3.1, 10.6.2.2, 10.7.1.4, 10.8.2.3, 10.9.1.1, 10.10.0.0
>
>         Attachments: cdevcsecure67151.html, DERBY-4229-2.diff, DERBY-4229-2.stat, DERBY-4229-3.diff, DERBY-4229.diff, rrefattribencryptkeylength.html, rrefattribencryptkeylength.html
>
>
> The developer guide says:
> The length of the encryption key depends on the algorithm used:
> AES (128, 192, and 256 bits) 
> DES (the default) (56 bits) 
> DESede (168 bits) 
> All other algorithms (128 bits) 
> Note: The boot password should have at least as many characters as number of bytes in the encryption key (56 bits=8 bytes, 168 bits=24 bytes, 128 bits=16 bytes). The minimum number of characters for the boot password allowed by Derby is eight.
> For AES, however, it does not tell how to change the default key length of 128. This can be changed with the encryptionKeyLength connection attribute. The documentation should also specify that special policy files for the JRE may be necessary to accommodate the longer length.
> Also note that there is an outstanding issue DERBY-3710 regarding length of 192 for AES.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
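
Added example, not part of the original message or of Derby's code: a stand-alone Java probe that asks the JRE's JCE provider which of the key lengths mentioned above it accepts for DES, DESede and AES, and whether the installed policy files allow them. The class name KeyLengthProbe is hypothetical; it uses only the standard javax.crypto API and does not touch Derby.

```java
import java.security.InvalidParameterException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

// Hypothetical helper class (not Derby code): checks key lengths against the
// local JCE provider before they are used as an encryptionKeyLength value.
public class KeyLengthProbe {
    // Algorithms and lengths taken from the messages above.
    static final String[] ALGS = {"DES", "DESede", "AES"};
    static final int[] BITS = {5, 56, 128, 168, 192, 256};

    /** Returns null if the length is usable, otherwise the reason it is not. */
    static String probe(String alg, int bits) {
        try {
            KeyGenerator kg = KeyGenerator.getInstance(alg);
            kg.init(bits);      // provider rejects lengths the algorithm does not support
            kg.generateKey();
            // Key generation is not subject to the jurisdiction policy files,
            // but Cipher.init is, so check the policy limit separately.
            int max = Cipher.getMaxAllowedKeyLength(alg);
            if (bits > max) {
                return "policy files limit " + alg + " to " + max + " bits";
            }
            return null;
        } catch (InvalidParameterException | NoSuchAlgorithmException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        for (String alg : ALGS) {
            for (int bits : BITS) {
                String why = probe(alg, bits);
                System.out.printf("%-6s %3d bits: %s%n", alg, bits,
                        why == null ? "accepted" : "rejected (" + why + ")");
            }
        }
    }
}
```

The exact exception text depends on the JCE provider in use, so it may differ from the wording in the ij output above.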