db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel John Debrunner <...@apache.org>
Subject Re: User/password encryption and deployment
Date Sat, 16 Jun 2007 16:25:56 GMT
Bernt M. Johnsen wrote:
>>>>>>>>>>>>> Michael Segel wrote (2007-06-16 00:23:56):
>> Which is why I'm a little suspect that the *only* way to do encryption on
>> the wire is to be forced to bring in IBM's JCE.
> 
> You don't need the IBM JCE. Sun's JDK comes with and JCE which works
> just fine. The docs tries to tell you that if you use an old IBM
> environment, you need to install IBMS JCE searately.

That section (installing an IBM JCE) should be removed from the 
documentation for 10.3 onwards since JDK 1.4 is the lowest supported JVM 
level.

> 
> There is, however small issue, if you choose
> ENCRYPTED_USER_AND_PASSWORD_SECURITY, newer Sun JCE's (from 1.4, I
> think) does not support the shared DHS value defined in the DRDA
> protocol. It's too weak. As an alternative solution for passsword
> protection, Francois implemented STRONG_PASSWORD_SUBSTITUTE_SECURITY.

This information would be great to add to the docs. Restating the 
requirements in terms of a JCE that supports "the shared DHS value 
defined in the DRDA protocol" (whatever the correct JCE term for that 
is) and not specifically the IBM JCE. The documentation then should 
state that this is not supported by some JCEs due to its weakness and an 
alternative is to use STRONG_PASSWORD_SUBSTITUTE_SECURITY (and/or SSL?).

Dan.


Mime
View raw message