db-derby-user mailing list archives

From "Bernt M. Johnsen" <Bernt.John...@Sun.COM>
Subject Re: User/password encryption and deployment
Date Sun, 17 Jun 2007 19:56:56 GMT
>>>>>>>>>>>> Bernt M. Johnsen wrote (2007-06-16 18:43:51):
> >>>>>>>>>>>> derby@segel.com wrote (2007-06-16 07:53:55):
> > [...]
> > > There is, however small issue, if you choose
> > > ENCRYPTED_USER_AND_PASSWORD_SECURITY, newer Sun JCEs (from 1.4, I
> > > think) do not support the shared DHS value defined in the DRDA
> > > protocol. It's too weak. As an alternative solution for password
> > > protection, Francois implemented STRONG_PASSWORD_SUBSTITUTE_SECURITY.
> > 
> > Define "too weak".
> 
> "Too weak" in the sense that the JCE throws an exception and says that
> it does not support it due to the "shortness" (sorry, I don't remember
> the exact details on a Saturday after a few beers in the sun ;-).

Ok. From the Derby docs (EncryptionManager):

// The agreed public value for the Diffie-Hellman prime is 256 bits
// and hence the encryption will work only if the JCE provider supports a 256-bit prime

This is specified in the DRDA protocol, and thus can't be changed by
the Derby developers. With Sun's JCE you get:

java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can
only range from 512 to 1024 (inclusive)

So, Sun's JCE supports primes in the range 512-1024 bits while the
DRDA protocol has specified a prime of 256 bits.


-- 
Bernt Marius Johnsen, Database Technology Group, 
Staff Engineer, Technical Lead Derby/Java DB
Sun Microsystems, Trondheim, Norway
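The provider size check that Bernt's message describes, shown as an added example (this is not Derby's EncryptionManager code and not code from the thread). It assumes the default JDK "DH" provider (SunJCE); the 256-bit prime is a constructed random probable prime standing in for the DRDA-specified value, which the message does not reproduce, and the provider rejects it on bit length before the value is ever used. For contrast, the second method completes a key agreement with a provider-chosen 2048-bit group, which current JDKs ship precomputed.

```java
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;

public class DhPrimeSizeCheck {

    /**
     * Returns true if the default DH provider accepts an explicit prime of the
     * given bit length, false if it throws InvalidAlgorithmParameterException
     * (the failure Derby hits with the 256-bit DRDA prime).
     */
    static boolean providerAcceptsPrime(int primeBits) throws Exception {
        SecureRandom rnd = new SecureRandom();
        // Constructed value: a random probable prime of the requested size stands
        // in for the DRDA prime. The provider checks p.bitLength() first, so any
        // prime of this size exercises the same code path.
        BigInteger p = BigInteger.probablePrime(primeBits, rnd);
        BigInteger g = BigInteger.valueOf(2);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        try {
            kpg.initialize(new DHParameterSpec(p, g), rnd);
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            // Sun/OpenJDK reports the permitted range in the message, e.g.
            // "Prime size must be multiple of 64, and can only range from 512 to ..."
            System.out.println(primeBits + "-bit prime rejected: " + e.getMessage());
            return false;
        }
    }

    /**
     * Runs a two-party DH agreement on a provider-supplied group of keyBits and
     * returns true when both sides derive the same shared secret.
     */
    static boolean agreeWithSupportedSize(int keyBits) throws Exception {
        KeyPairGenerator clientKpg = KeyPairGenerator.getInstance("DH");
        clientKpg.initialize(keyBits);              // provider picks a group of this size
        KeyPair client = clientKpg.generateKeyPair();

        // The peer must use the same (p, g): take them from the client's public key.
        DHParameterSpec group = ((DHPublicKey) client.getPublic()).getParams();
        KeyPairGenerator serverKpg = KeyPairGenerator.getInstance("DH");
        serverKpg.initialize(group);
        KeyPair server = serverKpg.generateKeyPair();

        KeyAgreement clientKa = KeyAgreement.getInstance("DH");
        clientKa.init(client.getPrivate());
        clientKa.doPhase(server.getPublic(), true);
        byte[] clientSecret = clientKa.generateSecret();

        KeyAgreement serverKa = KeyAgreement.getInstance("DH");
        serverKa.init(server.getPrivate());
        serverKa.doPhase(client.getPublic(), true);
        byte[] serverSecret = serverKa.generateSecret();

        return Arrays.equals(clientSecret, serverSecret);
    }

    public static void main(String[] args) throws Exception {
        // The DRDA-sized prime is refused; a provider-sized group works end to end.
        System.out.println("256-bit prime accepted:  " + providerAcceptsPrime(256));
        System.out.println("2048-bit prime accepted: " + providerAcceptsPrime(2048));
        System.out.println("2048-bit agreement ok:   " + agreeWithSupportedSize(2048));
    }
}
```

Compile and run with `javac DhPrimeSizeCheck.java && java DhPrimeSizeCheck`. The first call fails inside `initialize`, which is why Derby cannot work around the limit on the client side: the prime size is fixed by the DRDA wire protocol, and the provider enforces its floor before any key material exists.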
