Can Derby / JavaDB really encrypt with Triple DES rather than (plain) DES?
It seems to be confusing Triple-DES (>128bit) with plain DES (64bit).
I'm trying to encrypt a Derby database with Triple DES (or DESede) using Java 1.5.
I found this discussion forum message about a problem with JDK 1.5 by chance and so checked to make sure that it really was using DESede and not plain DES. When I created the database with a Triple DES (168bit) URL
jdbc:derby:MySecureDB;dataEncryption=true;encryptionAlgorithm=DESede/CBC/NoPadding;bootPassword=$ecureC@deCanBr@kE0074242
I was still able to open it and access it with the (plain) DES (64bit) URL
jdbc:derby:MySecureDB;dataEncryption=true;encryptionAlgorithm=DES/CBC/NoPadding;bootPassword=$ecureC@deCanBr@kE0074242
This is not the behavior I expect!!! I should not be able to open it with the wrong encryption algorithm. How can I make sure it really encrypts it with the right (>128bit) algorithm?
Derby seems to use the right function for Java 1.5 mentioned in JCECipherProvider.java. My reading of the code indicates that Derby does not handle Triple DES as different from plain DES... Can I really trust that it is using strong encryption?
Comments (3)
I believe that the documentation is wrong, and that you do not actually need to specify the encryption algorithm to use when using a non-default algorithm, since the algorithm that should be used is specified in $DERBY_HOME/database/service.properties.
In my case, when I created a database with your parameters my service.properties had the following contents (amongst other non-relevant entries):
You can verify that this is used, by changing the algorithm used. If you change the specified algorithm in that file to DES, then you will not be able to restart the database.
For example:
According to Working with encryption from the Java DB Developer's Guide, the first URL looks fine to encrypt a database on creation (because it specifies dataEncryption=true) and should have generated a 168-bit encryption key.
Now, still according to the documentation, I don't think that you should use dataEncryption=true when Booting an encrypted database. My understanding is that you just need to use bootPassword and encryptionAlgorithm.
I admit I didn't test this and, actually, I'm really wondering what happens exactly:
dataEncryption and use the wrong encryptionAlgorithm in the 2nd URL.
dataEncryption=true and use another encryptionAlgorithm (does it recreate an encrypted database?).
The documentation isn't clear about that.
I think the encryptionAlgorithm parameter only matters when you are first doing the encryption (that is, when you are first creating an encrypted database, or when you are first encrypting an unencrypted database).
Once you have encrypted the database, from then on, you just need to specify the bootPassword. Derby already knows what encryption algorithm was used.
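The first and last answers say Derby records the algorithm chosen at creation time, so the URL used on a later boot does not show which cipher protects the data. The following is an added example, not code from this thread or from the Derby project, that reads a database's service.properties and fails unless the recorded cipher is the expected one. It assumes Java 7 or later and that the file stores the settings under the same names as the URL attributes (dataEncryption, encryptionAlgorithm); the class name and sample input are constructed for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Properties;

// Added example, not Derby code. Assumption: service.properties records the
// settings under the same names as the JDBC URL attributes on this page.
public class DerbyCipherAudit {

    // Constructed sample input, used when no database directory is given.
    static final String SAMPLE =
        "dataEncryption=true\nencryptionAlgorithm=DESede/CBC/NoPadding\n";

    /** Returns null if the recorded cipher is the expected one, else the reason it is not. */
    static String audit(Properties p, String expected) {
        if (!"true".equalsIgnoreCase(p.getProperty("dataEncryption", "").trim())) {
            return "dataEncryption is not true";
        }
        String recorded = p.getProperty("encryptionAlgorithm");
        if (recorded == null) {
            return "no encryptionAlgorithm entry recorded";
        }
        recorded = recorded.trim();
        // Cipher name is the part before the first '/': DESede in DESede/CBC/NoPadding.
        if (recorded.split("/", 2)[0].equalsIgnoreCase("DES")) {
            return "single DES recorded: " + recorded;
        }
        if (!recorded.equalsIgnoreCase(expected)) {
            return "recorded " + recorded + ", expected " + expected;
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Usage: java DerbyCipherAudit [database-dir] [algorithm/mode/padding]
        String expected = args.length > 1 ? args[1] : "DESede/CBC/NoPadding";
        Properties p = new Properties();
        try (Reader in = args.length > 0
                ? Files.newBufferedReader(Paths.get(args[0], "service.properties"), StandardCharsets.ISO_8859_1)
                : new StringReader(SAMPLE)) {
            p.load(in);
        }
        String problem = audit(p, expected);
        System.out.println(problem == null ? "OK: cipher matches " + expected : "FAIL: " + problem);
        System.exit(problem == null ? 0 : 1);
    }
}
```

Run it against the database directory after creation, for example as a deployment check, so a database created with plain DES is caught before data is loaded into it.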