[ http://issues.apache.org/jira/browse/DERBY-962?page=all ]
Kathey Marsden resolved DERBY-962:
----------------------------------
Resolution: Fixed
Checked this into the trunk:
Date: Thu Mar 16 17:11:50 2006
New Revision: 386501
URL: http://svn.apache.org/viewcvs?rev=386501&view=rev
> Upgrade default security mechanism in client to use encrypted userid password
> if client can support it.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-962
> URL: http://issues.apache.org/jira/browse/DERBY-962
> Project: Derby
> Type: Improvement
> Components: Network Client
> Reporter: Sunitha Kambhampati
> Assignee: Sunitha Kambhampati
> Fix For: 10.2.0.0
> Attachments: 962_table.txt, Derby962.diff.txt, Derby962.stat.txt,
> Derby962_forreview.diff.txt, Derby962_forreview.stat.txt
>
> Currently in the client, if userid and password are set in the connection
> url, the default security mechanism is upgraded to USRIDPWD (which is clear
> text userid and password). This seems to be a security hole here.
> Current client driver supports encrypted userid/password (EUSRIDPWD) via the
> use of DH key-agreement protocol - however the current Open Group DRDA
> specification imposes small prime and base generator values (256 bits) that
> prevent other JCEs (apart from the IBM JCE) from being used as java cryptography
> providers.
> Some thoughts:
> -- client can make a check to see if the jvm it is running in supports the
> encryption necessary for EUSRIDPWD. If it supports it, then the client can
> upgrade to EUSRIDPWD.
> -- if the jvm the client is running in doesn't support the encryption
> requirements for EUSRIDPWD, then the security mechanism will be set to
> USRIDPWD.
> -- DERBY-528 will add support for strong userid and password which is another
> option to send encrypted passwords across the wire. When this gets added,
> maybe this can be considered as one of the upgrade options after EUSRIDPWD.
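The check-then-upgrade step described in the issue, as an added illustration that is not Derby's own code: the client probes whether the JCE in the running JVM will build a Diffie-Hellman key pair on a prime of the size the DRDA specification imposes (256 bits), selects EUSRIDPWD when the probe succeeds and stays on clear-text USRIDPWD otherwise. The class name, the `jceSupportsDh`/`chooseMechanism` methods and the randomly generated 256-bit prime are assumptions of this example (the real DRDA prime and generator are not reproduced here); the SECMEC codepoint values are likewise assumed rather than taken from the page.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.spec.DHParameterSpec;

/**
 * Illustration of the negotiation proposed in DERBY-962 (not Derby code):
 * probe the JVM's JCE for DH support at the DRDA-mandated parameter size,
 * and fall back to clear-text USRIDPWD only when the probe fails.
 */
public class SecurityMechanismProbe {

    // Assumed SECMEC codepoints used only to label the two outcomes here.
    public static final int USRIDPWD  = 3;   // clear-text user id and password
    public static final int EUSRIDPWD = 9;   // DH-encrypted user id and password

    // Prime size the issue says the Open Group DRDA spec imposes.
    public static final int DRDA_DH_PRIME_BITS = 256;

    /**
     * Returns true if the default JCE accepts DH parameters whose prime has
     * the given bit length and can generate a key pair on them.
     */
    public static boolean jceSupportsDh(int primeBits) {
        SecureRandom rng = new SecureRandom();
        // Constructed stand-in: a random prime of the required size and
        // generator 2. A real client would use the DRDA-specified values.
        BigInteger p = BigInteger.probablePrime(primeBits, rng);
        BigInteger g = BigInteger.valueOf(2);
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            kpg.initialize(new DHParameterSpec(p, g), rng);
            kpg.generateKeyPair();
            return true;
        } catch (InvalidParameterException e) {
            // The Sun/Oracle JCE rejects DH primes shorter than 512 bits
            // with this unchecked exception from initialize().
            return false;
        } catch (GeneralSecurityException e) {
            // No DH provider installed, or the provider refused the
            // parameters via InvalidAlgorithmParameterException.
            return false;
        }
    }

    /**
     * Picks the mechanism for the case the issue discusses (user id and
     * password both present in the connection URL): upgrade to EUSRIDPWD
     * when the JVM can do the DRDA-sized DH exchange, else USRIDPWD.
     */
    public static int chooseMechanism() {
        return jceSupportsDh(DRDA_DH_PRIME_BITS) ? EUSRIDPWD : USRIDPWD;
    }

    public static void main(String[] args) {
        boolean ok = jceSupportsDh(DRDA_DH_PRIME_BITS);
        int mech = chooseMechanism();
        System.out.println("JCE accepts " + DRDA_DH_PRIME_BITS + "-bit DH: " + ok);
        System.out.println("Selected security mechanism: "
                + (mech == EUSRIDPWD ? "EUSRIDPWD" : "USRIDPWD"));
    }
}
```

Run with `java SecurityMechanismProbe.java` (JDK 11 or later). On a stock Oracle/OpenJDK runtime the probe reports false because the bundled DH implementation requires at least 512-bit primes, which is exactly the provider-compatibility problem the issue describes; a JVM whose JCE accepts the 256-bit parameters would be upgraded to EUSRIDPWD.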