Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can Derby / JavaDB _really_ encrypt with Triple DES rather than (plain) DES?

It seems to be confusing Triple-DES (>128bit) with plain DES (64bit). I'm trying to encrypt a Derby database with Triple DES (or DESede) using Java 1.5

I found this discussion forum message about a problem with JDK 1.5 by chance and so checked to make sure that it really was using DESede and not plain DES. When I created the database with a Triple DES (168bit) URL

jdbc:derby:MySecureDB;dataEncryption=true;encryptionAlgorithm=DESede/CBC/NoPadding;bootPassword=$ecureC@deCanBr@kE0074242

I was still able to open it and access it with the (plain) DES (64bit) URL

jdbc:derby:MySecureDB;dataEncryption=true;encryptionAlgorithm=DES/CBC/NoPadding;bootPassword=$ecureC@deCanBr@kE0074242

This is not the behavior I expect!!! I should not be able to open it with the wrong encryption algorithm. How can I make sure it really encrypts it with the right (>128bit) algorithm?

Derby seems to use the right function for Java 1.5 mentioned in JCECipherProvider.java. My reading of the code indicates that Derby does not handle Triple DES as different from plain DES... Can I really trust that it is using strong encryption?

like image 948
sventechie Avatar asked Dec 17 '09 22:12

sventechie


People also ask

Why is DES better than Triple DES?

Part of what Triple DES does is to protect against brute force attacks. The original DES symmetric encryption algorithm specified the use of 56-bit keys -- not enough, by 1999, to protect against practical brute force attacks. Triple DES specifies the use of three distinct DES keys, for a total key length of 168 bits.

What is 3DES encryption used for?

3DES is an encryption cipher derived from the original Data Encryption Standard (DES). 3DES was first introduced in 1998, the algorithm is primarily adopted in finance and other private industry to encrypt data-at-rest and data-in-transit.

What is the security level of 3DES using three independent keys?

History. In 1978, a triple encryption method using DES with two 56-bit keys was proposed by Walter Tuchman; in 1981 Merkle and Hellman proposed a more secure triple key version of 3DES with 112 bits of security.

Can 3DES be decrypted?

Without the key, the 112-bit 3DES cannot be decrypted. Unless you have a means to steal the shared key, even the most powerful brute-force engines currently available will take longer than the planet's expected lifespan to find the key.


1 Answers

I believe that the documentation is wrong, and that you do not actually need to specify the encryption algorithm to use when using a non-default algorithm, since the algorithm that should be used is specified in $DERBY_HOME/database/service.properties

In my case, when I created a database with your parameters my service.properties had the following contents (amongst other non-relevant entries):

log_encrypt_algorithm_version=1
encryptionAlgorithm=DESede/CBC/NoPadding
dataEncryption=true
derby.encryptionBlockSize=8
encryptionKeyLength=168-24
encryptedBootPassword=472b7cc5600605333392dd10a46067d2e2935fd4c350d533-43435
data_encrypt_algorithm_version=1

You can verify that this is used, by changing the algorithm used. If you change the specified algorithm in that file to DES, then you will not be able to restart the database.

For example:

$ ../bin/ij
ij version 10.4
ij> connect 'jdbc:derby:testdb;create=true;dataEncryption=true;encryptionAlgorithm=Blowfish/ECB/NoPadding;bootPassword=$ecureC@deCanBr@kE0074242';
ij> quit;
$ sed -i .o 's/Blowfish/DES/' testdb/service.properties 
$ ../bin/ij
ij version 10.4
ij> connect 'jdbc:derby:testdb;bootPassword=$ecureC@deCanBr@kE0074242';
ERROR XJ040: Failed to start database 'testdb', see the next exception for details.
ERROR XBM06: Startup failed. An encrypted database cannot be accessed without the correct boot password.  
ij> quit;
$ sed -i .o 's/DES/Blowfish/' testdb/service.properties 
$ ../bin/ij
ij version 10.4
ij> connect 'jdbc:derby:testdb;bootPassword=$ecureC@deCanBr@kE0074242';
ij> quit;
$ 
like image 157
Paul Wagland Avatar answered Sep 30 '22 01:09

Paul Wagland