[
https://issues.apache.org/jira/browse/DERBY-4483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12851516#action_12851516
]
Rick Hillegas commented on DERBY-4483:
--------------------------------------
Hi Knut,
I am not thrilled by using SHA-1 as the default algorithm. It is not considered
secure enough for use by the U.S. government as of this year; see
http://en.wikipedia.org/wiki/SHA_hash_functions I would prefer to see a
solution like this:
1) If the user specifies an algorithm, use it
2) Otherwise, try to use SHA-256
3) If SHA_256 isn't available, fall back on SHA-1
4) If even that isn't available, then raise an error
What do you think?
Thanks,
-Rick
> Provide a way to change the hash algorithm used by BUILTIN authentication
> -------------------------------------------------------------------------
>
> Key: DERBY-4483
> URL: https://issues.apache.org/jira/browse/DERBY-4483
> Project: Derby
> Issue Type: Improvement
> Components: Services
> Affects Versions: 10.5.3.0
> Reporter: Knut Anders Hatlen
> Assignee: Knut Anders Hatlen
> Priority: Minor
> Fix For: 10.6.0.0
>
> Attachments: comments.diff, derby-4483-1a.diff, derby-4483-1a.stat,
> derby-4483-2a.diff, derby-4483-2a.stat, errormsg.diff, experiment.diff,
> releaseNote.html, releaseNote.html, toHexByte.diff, upgrade-test.diff
>
>
> The BUILTIN authentication scheme protects the passwords by hashing them with
> the SHA-1 algorithm. It would be nice to have way to specify a different
> algorithm so that users can take advantage of new, stronger algorithms
> provided by their JCE provider if so desired.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
