db-derby-user mailing list archives

From "Bernt M. Johnsen" <Bernt.John...@Sun.COM>
Subject Re: User/password encryption and deployment
Date Mon, 18 Jun 2007 08:38:06 GMT
>>>>>>>>>>>> David Van Couvering wrote (2007-06-17 18:14:38):
> Oh, I get it now, 10.3 will add support for SSL.  But this will
> encrypt all network traffic.  If you just want to encrypt the
> password, you have to use the existing password encryption
> functionality (either ENCRYPT or STRONG SUBSTITUTION), right?

If you want to encrypt the password, you use
ENCRYPTED_USER_AND_PASSWORD_SECURITY, but that's not supported by
Sun's JCE due to a too short DRDA DHS shared prime (just 256 bits).

An alternative is then to use STRONG_PASSWORD_SUBSTITUTE_SECURITY,
which sends a hashed password. (Hashing in this context is a kind of
one-way encryption. To verify the password, the server repeats the
hashing and compares hash values). 

> And for 10.2, there is no SSL support, right?

Correct.

> 
> David
> 
> On 6/16/07, Andrew McIntyre <mcintyre.a@gmail.com> wrote:
> >On 6/15/07, Bill Shannon <bill.shannon@sun.com> wrote:
> >>
> >> I think the idea is to protect the communication between the client
> >> and the server so that passwords aren't sent in the clear.  None of
> >> the data being stored in the database is being encrypted, just the
> >> client/server communication.
> >>
> >> It *is* 2007.  Isn't this pretty much standard by now?
> >
> >See the discussion in http://issues.apache.org/jira/browse/DERBY-65
> >
> >SSL is the recommended alternative to using the secure password
> >protocol defined by the DRDA specification. Bernt Johnsen worked on
> >this for 10.3, due out shortly, and it appears to be complete:
> >
> >https://issues.apache.org/jira/browse/DERBY-2108
> >
> >andrew
> >

-- 
Bernt Marius Johnsen, Database Technology Group, 
Staff Engineer, Technical Lead Derby/Java DB
Sun Microsystems, Trondheim, Norway
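
The options discussed in this message, expressed as Derby network client connection attributes. This is an added example, not part of the original message or of Derby's own code. The host, port, database name and environment variable names are assumptions, and `derbyclient.jar` is assumed to be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class DerbyPasswordProtection {
    // Assumed host, port and database name (not from the thread).
    static final String BASE_URL = "jdbc:derby://localhost:1527/sampledb";

    // Connection URL attributes to try, in order. The default mechanism
    // (clear-text user and password) is only ever used inside SSL.
    static final String[][] OPTIONS = {
        // 10.3+ client and server: SSL encrypts all traffic; peerAuthentication
        // also checks the server certificate against the client trust store.
        {"SSL", ";ssl=peerAuthentication"},
        // 9 = ENCRYPTED_USER_AND_PASSWORD_SECURITY; expected to fail on
        // Sun's JCE, as the message explains.
        {"ENCRYPTED_USER_AND_PASSWORD_SECURITY", ";securityMechanism=9"},
        // 8 = STRONG_PASSWORD_SUBSTITUTE_SECURITY; sends a password hash.
        {"STRONG_PASSWORD_SUBSTITUTE_SECURITY", ";securityMechanism=8"},
    };

    static Connection connect(String attrs, Properties creds) throws SQLException {
        return DriverManager.getConnection(BASE_URL + attrs, creds);
    }

    public static void main(String[] args) {
        // Assumed environment variable names; keeps the password out of source.
        String user = System.getenv("DERBY_USER");
        String password = System.getenv("DERBY_PASSWORD");
        if (user == null || password == null) {
            System.err.println("Set DERBY_USER and DERBY_PASSWORD first.");
            return;
        }
        Properties creds = new Properties();
        creds.setProperty("user", user);
        creds.setProperty("password", password);

        for (String[] opt : OPTIONS) {
            try (Connection c = connect(opt[1], creds)) {
                System.out.println("Connected using " + opt[0]);
                return;
            } catch (SQLException e) {
                // Report why this option was rejected and move to the next one.
                System.out.println(opt[0] + " failed: SQLState=" + e.getSQLState()
                        + " " + e.getMessage());
            }
        }
        System.out.println("No password-protecting option worked; not falling back to clear text.");
    }
}
```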
