Upgrade default security mechanism in client to use encrypted userid password
if client can support it.
-------------------------------------------------------------------------------------------------------
Key: DERBY-962
URL: http://issues.apache.org/jira/browse/DERBY-962
Project: Derby
Type: Improvement
Components: Network Client
Reporter: Sunitha Kambhampati
Fix For: 10.2.0.0
Currently in the client, if userid and password are set in the connection url,
the default security mechanism is upgraded to USRIDPWD (which is clear text
userid and password). This seems to be a security hole here.
Current client driver supports encrypted userid/password (EUSRIDPWD) via the
use of DH key-agreement protocol - however current Open Group DRDA
specifications imposes small prime and base generator values (256 bits) that
prevents other JCE's (apt from ibm jce) to be used as java cryptography
providers.
Some thoughts:
-- client can make a check to see if it the jvm it is running in supports the
encryption necessary for EUSRIDPWD. If it supports, then the client can upgrade
to EUSRIDPWD.
-- if the jvm the client is running is , doesnt support encryption requirements
for EUSRIDPWD, then the security mechanism will be set to USRIDPWD.
-- DERBY-528 will add support for strong userid and password which is another
option to send encrypted passwords across the wire. When this gets added, maybe
this can be considered as one of the upgrade options after EUSRIDPWD.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
