Return-Path: Delivered-To: apmail-db-derby-user-archive@www.apache.org Received: (qmail 59428 invoked from network); 17 Jun 2007 19:57:24 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 17 Jun 2007 19:57:24 -0000 Received: (qmail 66502 invoked by uid 500); 17 Jun 2007 19:57:26 -0000 Delivered-To: apmail-db-derby-user-archive@db.apache.org Received: (qmail 66472 invoked by uid 500); 17 Jun 2007 19:57:26 -0000 Mailing-List: contact derby-user-help@db.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: List-Id: Reply-To: "Derby Discussion" Delivered-To: mailing list derby-user@db.apache.org Received: (qmail 66461 invoked by uid 99); 17 Jun 2007 19:57:26 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 17 Jun 2007 12:57:26 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests=UNPARSEABLE_RELAY X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: local policy) Received: from [192.18.1.36] (HELO gmp-ea-fw-1.sun.com) (192.18.1.36) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 17 Jun 2007 12:57:21 -0700 Received: from d1-emea-09.sun.com ([192.18.2.119]) by gmp-ea-fw-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id l5HJuwci027535 for ; Sun, 17 Jun 2007 19:56:58 GMT Received: from conversion-daemon.d1-emea-09.sun.com by d1-emea-09.sun.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) id <0JJS00F01PTTV000@d1-emea-09.sun.com> (original mail from Bernt.Johnsen@Sun.COM) for derby-user@db.apache.org; Sun, 17 Jun 2007 20:56:57 +0100 (BST) Received: from localhost (245.84-48-194.nextgentel.com [84.48.194.245]) by d1-emea-09.sun.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTPSA id <0JJS00567Q2XTO00@d1-emea-09.sun.com>; Sun, 17 Jun 2007 20:56:57 +0100 (BST) Date: Sun, 17 Jun 2007 21:56:56 +0200 From: "Bernt M. Johnsen" Subject: Re: User/password encryption and deployment In-reply-to: <20070616164351.GB4882@localhost.localdomain> Sender: Bernt.Johnsen@Sun.COM To: Derby Discussion , msegel@segel.com Message-id: <20070617195656.GA19496@localhost.localdomain> Organization: Sun Microsystems MIME-version: 1.0 Content-type: multipart/signed; boundary=7JfCtLOvnd9MIVvH; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-disposition: inline References: <20070616081901.GA4882@localhost.localdomain> <20070616130140.C493D52544@dbrack01.segel.com> <20070616164351.GB4882@localhost.localdomain> User-Agent: Mutt/1.5.11 X-Virus-Checked: Checked by ClamAV on apache.org --7JfCtLOvnd9MIVvH Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable >>>>>>>>>>>> Bernt M. Johnsen wrote (2007-06-16 18:43:51): > >>>>>>>>>>>> derby@segel.com wrote (2007-06-16 07:53:55): > > [...] > > > There is, however small issue, if you choose > > > ENCRYPTED_USER_AND_PASSWORD_SECURITY, newer Sun JCE's (from 1.4, I > > > think) does not support the shared DHS value defined in the DRDA > > > protocol. It's too weak. As an alternative solution for passsword > > > protection, Francois implemented STRONG_PASSWORD_SUBSTITUTE_SECURITY. > >=20 > > Define "too weak". >=20 > "Too week" in the sense that the JCE throws an exception and says that > it does not support it due to the "shortness" (sorry, I don't remember > the exact details on a saturday after a few beers in the sun ;-). Ok. From the Derby docs (EncryptionManager): // The agreed public value for the Diffie-Hellman prime is 256 bits // and hence the encrytion will work only if the jce provider supports a 25= 6 bits prime This is specified in the DRDA protocol, and thus can't be changed by the Derby delevolpers. With Sun's JCE you get: java.security.InvalidAlgorithmParameterException: Prime size must be multip= le of 64, and can only range from 512 to 1024 (inclusive) So, Sun's JCE supports primes in the range 512-1024 bits while the DRDA protocol has specicied a prime of 256 bits.=20 --=20 Bernt Marius Johnsen, Database Technology Group,=20 Staff Engineer, Technical Lead Derby/Java DB Sun Microsystems, Trondheim, Norway --7JfCtLOvnd9MIVvH Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFGdZIIlFBD9TXBAPARAgZOAKCXjUJ6FNCsoeKKTz9XL/BtZRYHyACfXG/X 58D9YTBMpyj2DK4vTMRJ4eU= =9g5a -----END PGP SIGNATURE----- --7JfCtLOvnd9MIVvH--