[
https://issues.apache.org/jira/browse/DERBY-4229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13464973#comment-13464973
]
Kim Haase commented on DERBY-4229:
----------------------------------
Hm. If I specify encryptionKey and an invalid encryptionKeyLength without
specifying an encryptionAlgorithm, there's no error:
jdench 49 =>java -jar $DERBY_HOME/jars/insane/derbyrun.jar ij
ij version 10.10
ij> connect
'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionKeyLength=5';
ij>
Derby seems to ignore the length if the key is specified.
The following URLs also succeed with no error -- specifying the default
algorithm, and either the default key length or an incorrect key length:
ij> connect
'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionAlgorithm=DES/CBC/NoPadding';
ij> connect
'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKeyLength=128';
ij> connect
'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKeyLength=5';
On the other hand, if I specify an encryptionKey of the default length with a
non-default encryptionAlgorithm, I get an error:
ij> connect
'jdbc:derby:encDB;create=true;dataEncryption=true;encryptionKey=6162636465666768;encryptionAlgorithm=AES/CBC/NoPadding';
ERROR XJ041: Failed to create database 'encDB', see the next exception for
details.
ERROR XBM01: Startup failed due to an exception. See next exception for
details.
ERROR XBCX0: Exception from Cryptography provider. See next exception for
details.
ERROR XJ001: Java exception: 'Invalid key for AES:
java.security.InvalidKeyException'.
ERROR XJ001: Java exception: 'Key length must be between 128 and 256 bits:
java.security.InvalidAlgorithmParameterException'.
ij>
I think the key length is 128, so the error message is mysterious. I get the
same error if I add "encryptionKeyLength=128" to the URL. I haven't tried with
a non-default key length because that requires a different policy file,
according to "Specifying an alternate encryption algorithm" in the Developer's
Guide.
> encryptionKeyLength connection attribute should be documented
> -------------------------------------------------------------
>
> Key: DERBY-4229
> URL: https://issues.apache.org/jira/browse/DERBY-4229
> Project: Derby
> Issue Type: Bug
> Components: Documentation
> Affects Versions: 10.5.1.1
> Reporter: Kathey Marsden
> Assignee: Kim Haase
> Fix For: 10.5.2.0, 10.5.3.1, 10.6.2.2, 10.7.1.4, 10.8.2.3,
> 10.9.1.1, 10.10.0.0
>
> Attachments: cdevcsecure67151.html, DERBY-4229-2.diff,
> DERBY-4229-2.stat, DERBY-4229-3.diff, DERBY-4229.diff,
> rrefattribencryptkeylength.html, rrefattribencryptkeylength.html
>
>
> The developer guide says:
> The length of the encryption key depends on the algorithm used:
> AES (128, 192, and 256 bits)
> DES (the default) (56 bits)
> DESede (168 bits)
> All other algorithms (128 bits)
> Note: The boot password should have at least as many characters as number of
> bytes in the encryption key (56 bits=8 bytes, 168 bits=24 bytes, 128 bits=16
> bytes). The minimum number of characters for the boot password allowed by
> Derby is eight.
> For AES, however, it does not tell how to change the default key length of
> 128. This can be changed with the encryptionKeyLength connection attribute.
> The documentation should also specify that special policy files for the JRE
> may be necessary to accomodate the longer length.
> Also note that there is an outstanding issue DERBY-3710 regarding length of
> 192 for AES.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
