Security Mechanisms in Network Server and Client

Specifications: DRDA manual, section 4.4.2, describes the DRDA security flows.
Page 92 has the table mapping each security mechanism to its SECMEC value.

The Network Server and client have code to support the following security mechanisms.

Table: supported security mechanisms

SecMec      SecMec codepoint value   User-friendly name
USRIDONL    0x04                     USER_ONLY_SECURITY
USRIDPWD    0x03                     CLEAR_TEXT_PASSWORD_SECURITY
EUSRIDPWD   0x09                     ENCRYPTED_USER_AND_PASSWORD_SECURITY


Please read the spec for detailed information. In short, the table below specifies what information each security mechanism sends to the server.

SecMec      Information sent to server
USRIDONL    Needs only the user id; the client sends it to the server in clear text.
USRIDPWD    Needs user id and password; both are sent to the server in clear text, so the password is exposed to anyone who can observe the connection (a serious security concern).
EUSRIDPWD   Needs user id and password; the client sends both to the server encrypted.

Special case of EUSRIDPWD:

Server and client support encrypted userid/password (EUSRIDPWD) through a Diffie-Hellman (DH) key-agreement protocol. The current Open Group DRDA specification, however, mandates a fixed, small prime modulus and base generator (the prime is 256 bits), and these values must be used as they are to generate the shared private key. The usual minimum for a DH prime when deriving a session key is 1024 bits, with 512 bits as an absolute minimum, and a JCE provider that enforces such a minimum cannot be used as the Java cryptography provider for this mechanism. (Reference: DDM manual, pages 281 and 282, section "Generating the shared private key". The spec gives the public values for the prime and the generator, and the size of the exponent required for DH.)

Encryption is done using JCE, so the JCE provider in use must support the algorithms a security mechanism needs for that mechanism to work. Even though the server and client have code to support EUSRIDPWD, this mechanism therefore does not work in all JVMs. The table below lists some tested JVMs and whether their JCE supports the algorithms needed for EUSRIDPWD.

Table: JVM (JCE) support for each SecMec.

SecMec      Sun JVM   IBM JVM 1.4.1   IBM JVM 1.4.2   IBM JVM 1.3.1   IBM JVM 1.5
EUSRIDPWD   N         Y               Y               N               Y
USRIDONL    Y         Y               Y               Y               Y
USRIDPWD    Y         Y               Y               Y               Y

(Note: some older releases of IBM 1.4.2 (released in 2004) had a bug that would not accept a 32-byte DH prime. This has been fixed in later releases.)
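The following is an added example, not Derby's own EUSRIDPWD code and not the project's test suite. It makes the JCE dependence described in the two passages above (the DH special case and the JVM/JCE support table) concrete: it runs a complete DH agreement, client side and server side, once with a 256-bit prime of the size DRDA mandates and once with a 1024-bit prime, and reports whether the provider accepted the parameters. The prime and generator are placeholders generated at run time (an assumption made for illustration); the real flow must use the fixed values from the DDM manual. The class name DrdaDhProbe and the method probe are made up for this example.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.spec.DHParameterSpec;

/**
 * Probe whether the JCE provider in this JVM will run a DH key agreement
 * with a prime of the size DRDA mandates for EUSRIDPWD (256 bits), and
 * contrast it with a 1024-bit prime.  Stand-alone check; not Derby code.
 */
public class DrdaDhProbe {

    /**
     * Run one complete DH agreement (client side and server side) over a
     * prime of primeBits bits with a private exponent of exponentBits bits.
     * Returns a one-line verdict instead of throwing, so a caller can print
     * a row per JVM like the JVM/JCE support table.
     */
    static String probe(int primeBits, int exponentBits) {
        SecureRandom rnd = new SecureRandom();
        // PLACEHOLDER parameters, generated here for illustration only.
        // The real DRDA flow must use the fixed prime, generator and
        // exponent size published in the DDM manual, not fresh values.
        BigInteger p = BigInteger.probablePrime(primeBits, rnd);
        BigInteger g = BigInteger.valueOf(2);
        DHParameterSpec spec = new DHParameterSpec(p, g, exponentBits);
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            // Providers that enforce a minimum prime size reject the
            // parameters here, before any key is generated.
            kpg.initialize(spec, rnd);
            KeyPair client = kpg.generateKeyPair();
            KeyPair server = kpg.generateKeyPair();

            // Client side: own private key combined with the server's public key.
            KeyAgreement clientKa = KeyAgreement.getInstance("DH");
            clientKa.init(client.getPrivate());
            clientKa.doPhase(server.getPublic(), true);
            byte[] clientSecret = clientKa.generateSecret();

            // Server side: the mirror image of the client computation.
            KeyAgreement serverKa = KeyAgreement.getInstance("DH");
            serverKa.init(server.getPrivate());
            serverKa.doPhase(client.getPublic(), true);
            byte[] serverSecret = serverKa.generateSecret();

            boolean agree = Arrays.equals(clientSecret, serverSecret);
            return primeBits + "-bit prime: accepted, shared secret is "
                    + clientSecret.length + " bytes, both sides agree: " + agree;
        } catch (InvalidAlgorithmParameterException e) {
            // Expected for a 256-bit prime on a provider with a 512-bit minimum.
            return primeBits + "-bit prime: rejected by provider ("
                    + e.getMessage() + ")";
        } catch (GeneralSecurityException e) {
            return primeBits + "-bit prime: failed (" + e + ")";
        }
    }

    public static void main(String[] args) {
        // The DRDA-sized case first, then a size most providers accept.
        System.out.println(probe(256, 256));
        System.out.println(probe(1024, 256));
    }
}
```

Run it once on each JVM under test. A provider that enforces the common 512-bit minimum, such as the Sun JCE listed with N above, rejects the 256-bit probe with InvalidAlgorithmParameterException and accepts the 1024-bit one, which is the behaviour the table records; the 256-bit probe also exercises the 32-byte prime handling that the IBM 1.4.2 note refers to.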

Client behaviors:

10.1 Client Behavior with respect to security mechanism.

10.2 Client Behavior with respect to security mechanism.

JCC 2.4 Behavior

JCC2.6 Behavior

ODBC Client (DB2 RTLite)
[Tested with DB2 RTLite client - db2level output is DB21085I Instance "DB2" uses "32" bits and DB2 code release "SQL08023" with level identifier "03040106". Informational tokens are "DB2 v8.1.10.812", "s050811", "WR21362", and FixPak "10"]

Server behavior:
10.1 Server

10.2 Server

Table: Server behavior with derby.drda.securityMechanism set and not set. Rows are the SECMEC value the client sends; columns are the server's derby.drda.securityMechanism setting.

Client SECMEC      not set   USER_ONLY_SECURITY   ENCRYPTED_USER_AND_PASSWORD_SECURITY   CLEAR_TEXT_PASSWORD_SECURITY
0x04 (USRIDONL)    OK        OK                   REJECT connection                      REJECT connection
0x03 (USRIDPWD)    OK        REJECT connection    REJECT connection                      OK
0x09 (EUSRIDPWD)   OK        REJECT connection    OK                                     REJECT connection

Note that with the property not set the server accepts all three mechanisms, including clear-text passwords (0x03). Setting it to ENCRYPTED_USER_AND_PASSWORD_SECURITY rejects clear-text passwords, at the cost of requiring a JCE that supports the DRDA DH parameters.


Behavior with derby.drda.securityMechanism set on server.


DERBY-962: client upgrade logic for the security mechanism, with a table of the different permutations. See the method comments on testAllCombinationsOfUserPasswordSecMecInput in the test derbynet/testSecMec.java: http://svn.apache.org/viewcvs.cgi/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/testSecMec.java?rev=386501&view=markup

Appendix:
DRDA Specifications
Article on connecting to a Derby server via ODBC using the DB2 client: http://www-128.ibm.com/developerworks/db2/library/techarticle/dm-0409kartha/



SecurityMechanism (last edited 2009-09-20 22:12:18 by localhost)