Derby
DERBY-5550: Document derby.authentication.builtin.saltLength and derby.authentication.builtin.iterations

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.9.1.0
    • Fix Version/s: 10.9.1.0
    • Component/s: Documentation
    • Labels:
      None

      Description

      DERBY-5539 introduced two new properties that control how BUILTIN stores credentials:

      • derby.authentication.builtin.saltLength (default: 16)

      This property specifies the number of bytes of random salt that will be added to the credentials before hashing them. (Purpose of the property: Make it infeasible to construct rainbow tables.)

      • derby.authentication.builtin.iterations (default: 1000, minimum: 1)

      This property specifies the number of times to apply the hash function (which is specified by derby.authentication.builtin.algorithm) on the credentials. (Purpose of the property: Slow down attackers as they'll need to spend more time calculating hashes.)

      Both properties take effect only if BUILTIN authentication is enabled and derby.authentication.builtin.algorithm has a non-null value.
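      The following is an added illustration of the salted, iterated credential hash that these two properties parameterise. It is constructed for this page and is not Derby's BUILTIN implementation or its stored-credential format: the function and variable names are assumptions, ALGORITHM stands in for derby.authentication.builtin.algorithm (sha256 is an assumed value), and the defaults and minimum mirror the property descriptions above. It also encodes the caveat raised in the review comment below, that setting either property lower than its default weakens the scheme.

```python
import hashlib
import hmac
import os
import time

# Constructed example (not Derby code). The constants below mirror the
# property descriptions in DERBY-5550; ALGORITHM is an assumed value for
# derby.authentication.builtin.algorithm.
DEFAULT_SALT_LENGTH = 16      # derby.authentication.builtin.saltLength default
DEFAULT_ITERATIONS = 1000     # derby.authentication.builtin.iterations default
MIN_ITERATIONS = 1            # documented minimum for iterations
ALGORITHM = "sha256"          # assumed algorithm name


def hash_credentials(password: str, salt: bytes, iterations: int,
                     algorithm: str = ALGORITHM) -> bytes:
    """Hash salt||password once, then re-hash the digest iterations-1 more times.

    Every extra iteration costs an attacker one more hash per guess; the salt
    makes a precomputed (rainbow) table useless because a table would have to
    be built per salt value.
    """
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iterations must be >= {MIN_ITERATIONS}, got {iterations}")
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def store_credentials(password: str, salt_length: int = DEFAULT_SALT_LENGTH,
                      iterations: int = DEFAULT_ITERATIONS) -> tuple:
    """Build the record a database would keep: (salt, iterations, hash)."""
    salt = os.urandom(salt_length)
    return salt, iterations, hash_credentials(password, salt, iterations)


def verify_credentials(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt, iterations, stored = record
    return hmac.compare_digest(stored, hash_credentials(password, salt, iterations))


def weaker_than_default(salt_length: int, iterations: int) -> bool:
    """True when a setting lowers either knob below its default, i.e. makes
    cracking easier rather than harder."""
    return salt_length < DEFAULT_SALT_LENGTH or iterations < DEFAULT_ITERATIONS


def cost_ratio(low_iterations: int, high_iterations: int, rounds: int = 3) -> float:
    """How much longer one password guess takes at high_iterations than at
    low_iterations. Best-of-`rounds` timing so the ratio reflects the extra
    hashing rather than scheduler noise; an attacker's per-guess cost scales
    the same way."""
    salt = b"\x00" * DEFAULT_SALT_LENGTH      # fixed salt: timing only

    def best_time(iterations: int) -> float:
        best = float("inf")
        for _ in range(rounds):
            start = time.perf_counter()
            hash_credentials("guess", salt, iterations)
            best = min(best, time.perf_counter() - start)
        return best

    return best_time(high_iterations) / best_time(low_iterations)


if __name__ == "__main__":
    # Same password for two users: a real salt yields different hashes, while
    # saltLength=0 yields identical ones, which is what a rainbow table exploits.
    salted_a, salted_b = store_credentials("hunter2"), store_credentials("hunter2")
    unsalted_a = store_credentials("hunter2", salt_length=0)
    unsalted_b = store_credentials("hunter2", salt_length=0)
    print("salted hashes differ:   ", salted_a[2] != salted_b[2])
    print("unsalted hashes collide:", unsalted_a[2] == unsalted_b[2])
    print("verify correct password:", verify_credentials("hunter2", salted_a))
    print("verify wrong password:  ", verify_credentials("hunter3", salted_a))
    print("iterations=999 weaker than default:", weaker_than_default(16, 999))
    print("cost ratio, 100000 vs 1000 iterations: %.1fx" % cost_ratio(1000, 100000))
```

      In Derby itself the two knobs are database properties (the comments below confirm they are dynamic), so they are set with the standard property procedure, for example CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.builtin.iterations', '10000'). Raising iterations is the setting that most directly increases an attacker's per-guess cost; the salt only removes the precomputation shortcut.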

      1. DERBY-5550.diff
        10 kB
        Kim Haase
      2. DERBY-5550.stat
        0.2 kB
        Kim Haase
      3. DERBY-5550.zip
        18 kB
        Kim Haase
      4. DERBY-5550-2.diff
        10 kB
        Kim Haase
      5. DERBY-5550-2.zip
        18 kB
        Kim Haase


          Activity

          Kim Haase added a comment -

          Hi, Knut,

          Can you tell me whether these properties are dynamic or static?

          Thanks,
          Kim

          Knut Anders Hatlen added a comment -

          Hi Kim,

          These properties are dynamic.

          Kim Haase added a comment -

          Thanks very much, Knut, for the quick reply!

          I'm attaching DERBY-5550.diff, DERBY-5550.stat, and DERBY-5550.zip, with changes as follows:

          M src/ref/crefproper22250.dita
          A src/ref/rrefproperiterations.dita
          A src/ref/rrefpropersaltlength.dita
          M src/ref/refderby.ditamap
          M src/devguide/rdevcsecure557.dita
          M src/devguide/cdevcsecurenativeauth.dita

          In addition to adding topics for the two new properties, I added them to the table of properties in the Reference Manual and, in the Developer's Guide, added mentions of them to the NATIVE authentication topic and the list of authentication-related properties.

          Please let me know of any changes that are needed. There might also be other topics that should mention these properties. Thanks again!

          Knut Anders Hatlen added a comment -

          Thanks, Kim. The changes look good and complete to me. Two tiny comments:

          • Maybe we should just say "difficult" instead of "extremely difficult" in the description of the saltLength property?
          • In the NATIVE authentication topic, we now say: "Two related properties are derby.authentication.builtin.saltLength and derby.authentication.builtin.iterations, which make the encrypted passwords harder for attackers to decipher."

          The properties don't necessarily make it harder for attackers, for example if they are set to values lower than their defaults. So maybe change the last clause to "which may be used to ..."?

          Another small issue with that sentence is that it says the passwords are encrypted in the database (that's also said some other places in the NATIVE authentication topic). The passwords are hashed, not encrypted, so we might want to change "encrypted passwords" -> "hashed passwords" and maybe also "decipher" -> "crack".

          Kim Haase added a comment -

          Thanks very much for the comments, Knut. I've incorporated them into DERBY-5550-2.diff and DERBY-5550-2.zip, I hope. (Verbatim except for changing "may" to "can", I think.)

          Knut Anders Hatlen added a comment -

          Thanks. +1 to commit.

          Kim Haase added a comment -

          Thanks again, Knut!

          Once again, no commit email, but I committed patch DERBY-5550-2.diff to documentation trunk at revision 1305875.

          Kim Haase added a comment -

          Changes have appeared in Latest Alpha Manuals.


            People

            • Assignee: Kim Haase
            • Reporter: Knut Anders Hatlen
            • Votes: 0
            • Watchers: 0