[ http://issues.apache.org/jira/browse/DERBY-962?page=all ]
Sunitha Kambhampati reassigned DERBY-962:
-----------------------------------------

    Assign To: Sunitha Kambhampati

> Upgrade default security mechanism in client to use encrypted userid password if client can support it.
> -------------------------------------------------------------------------------------------------------
>
>          Key: DERBY-962
>          URL: http://issues.apache.org/jira/browse/DERBY-962
>      Project: Derby
>         Type: Improvement
>   Components: Network Client
>     Reporter: Sunitha Kambhampati
>     Assignee: Sunitha Kambhampati
>      Fix For: 10.2.0.0
>
> Currently in the client, if userid and password are set in the connection url, the default security mechanism is upgraded to USRIDPWD (which is clear text userid and password). This seems to be a security hole here.
> The current client driver supports encrypted userid/password (EUSRIDPWD) via the use of the DH key-agreement protocol - however the current Open Group DRDA specification imposes small prime and base generator values (256 bits) that prevent other JCEs (apart from the IBM JCE) from being used as java cryptography providers.
> Some thoughts:
> -- client can make a check to see if the jvm it is running in supports the encryption necessary for EUSRIDPWD. If it supports it, then the client can upgrade to EUSRIDPWD.
> -- if the jvm the client is running in doesn't support the encryption requirements for EUSRIDPWD, then the security mechanism will be set to USRIDPWD.
> -- DERBY-528 will add support for strong userid and password which is another option to send encrypted passwords across the wire. When this gets added, maybe this can be considered as one of the upgrade options after EUSRIDPWD.
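The probe-then-fall-back logic sketched in the issue above, written out as an added Java example; this is not Derby's client code and not the DRDA specification's constants. The class and method names (SecMecProbe, jceSupportsDh, chooseSecurityMechanism, sharedSecretsAgree) are invented for the example, the 256-bit and 512-bit primes are generated stand-ins that only reproduce the modulus size the issue complains about, and the mechanism names are plain strings here. The 256-bit case shows the failure mode: the JCE provider rejects the group parameters at initialization, so the client must drop back to USRIDPWD; the 512-bit case shows the same code completing a key agreement on both sides.

```java
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.spec.DHParameterSpec;

/** Added example (not Derby code): probe the JCE before choosing a DRDA security mechanism. */
public class SecMecProbe {

    // Mechanism names as plain strings for the example; Derby uses its own constants.
    static final String USRIDPWD = "USRIDPWD";   // clear-text userid and password
    static final String EUSRIDPWD = "EUSRIDPWD"; // DH-protected userid and password

    /**
     * Stand-in DH group of the given modulus size. These are generated values, NOT the
     * prime and generator fixed by the Open Group DRDA specification; only the bit
     * length matters for what this example demonstrates. Generator 2 is an assumption.
     */
    static DHParameterSpec standInParams(int bits, SecureRandom rnd) {
        BigInteger p = BigInteger.probablePrime(bits, rnd);
        return new DHParameterSpec(p, BigInteger.valueOf(2));
    }

    /**
     * True if the JCE provider in this JVM accepts DH key generation and key agreement
     * with the given group. The SunJCE provider refuses moduli shorter than 512 bits
     * with InvalidAlgorithmParameterException, which is the situation the issue describes.
     */
    static boolean jceSupportsDh(DHParameterSpec spec) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            kpg.initialize(spec);                      // rejects the 256-bit group here
            KeyPair kp = kpg.generateKeyPair();
            KeyAgreement ka = KeyAgreement.getInstance("DH");
            ka.init(kp.getPrivate());
            return true;
        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | InvalidKeyException e) {
            return false;
        }
    }

    /** The upgrade decision from the issue: EUSRIDPWD if the JVM can do it, else USRIDPWD. */
    static String chooseSecurityMechanism(DHParameterSpec spec) {
        return jceSupportsDh(spec) ? EUSRIDPWD : USRIDPWD;
    }

    /**
     * Runs a full client/server DH exchange over the group and checks both sides derive
     * the same secret. Only meaningful when jceSupportsDh(spec) is true.
     */
    static boolean sharedSecretsAgree(DHParameterSpec spec) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(spec);
        KeyPair client = kpg.generateKeyPair();
        KeyPair server = kpg.generateKeyPair();

        KeyAgreement clientKa = KeyAgreement.getInstance("DH");
        clientKa.init(client.getPrivate());
        clientKa.doPhase(server.getPublic(), true);    // client receives server's public value

        KeyAgreement serverKa = KeyAgreement.getInstance("DH");
        serverKa.init(server.getPrivate());
        serverKa.doPhase(client.getPublic(), true);    // server receives client's public value

        return Arrays.equals(clientKa.generateSecret(), serverKa.generateSecret());
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();

        // 256-bit group: the size the issue says the DRDA spec imposes.
        DHParameterSpec small = standInParams(256, rnd);
        System.out.println("256-bit group -> " + chooseSecurityMechanism(small));

        // 512-bit group: large enough for the default provider, shown for contrast.
        DHParameterSpec larger = standInParams(512, rnd);
        String mec = chooseSecurityMechanism(larger);
        System.out.println("512-bit group -> " + mec);
        if (EUSRIDPWD.equals(mec)) {
            System.out.println("client/server secrets agree: " + sharedSecretsAgree(larger));
        }
    }
}
```

The check is done with the real KeyPairGenerator and KeyAgreement calls rather than by inspecting provider names, so it gives the right answer for any installed JCE; note that the decision must be taken before the client sends its security mechanism to the server, since the probe only tells you what this JVM can do, not what the server will accept.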