Stored Password Protection enables an application to provide a connection password in encrypted form to the driver.
An encrypted password may be specified in the following contexts:
- A login password specified as the
passwordconnection parameter. - A login password specified within the
logdataconnection parameter.
If the password, however specified, begins with the prefix ENCRYPTED_PASSWORD( then the specified password must follow this format:
ENCRYPTED_PASSWORD(file:PasswordEncryptionKeyFileName,file:EncryptedPasswordFileName)
Each filename must be preceded by the file: prefix. The PasswordEncryptionKeyFileName must be separated from the EncryptedPasswordFileName by a single comma.
The PasswordEncryptionKeyFileName specifies the name of a file that contains the password encryption key and associated information. The EncryptedPasswordFileName specifies the name of a file that contains the encrypted password and associated information. The two files are described below.
Stored Password Protection is offered by this driver, the Teradata JDBC Driver, and the Teradata SQL Driver for R. These drivers use the same file format.
TJEncryptPassword.py is a sample program to create encrypted password files for use with Stored Password Protection. When the driver is installed, the sample programs are placed in the teradatasql/samples directory under your Python installation directory.
This program works in conjunction with Stored Password Protection offered by the driver. This program creates the files containing the password encryption key and encrypted password, which can be subsequently specified via the ENCRYPTED_PASSWORD( syntax.
You are not required to use this program to create the files containing the password encryption key and encrypted password. You can develop your own software to create the necessary files. You may also use the TJEncryptPassword.java sample program that is available with the Teradata JDBC Driver Reference. The only requirement is that the files must match the format expected by the driver, which is documented below.
This program encrypts the password and then immediately decrypts the password, in order to verify that the password can be successfully decrypted. This program mimics the password decryption of the driver, and is intended to openly illustrate its operation and enable scrutiny by the community.
The encrypted password is only as safe as the two files. You are responsible for restricting access to the files containing the password encryption key and encrypted password. If an attacker obtains both files, the password can be decrypted. The operating system file permissions for the two files should be as limited and restrictive as possible, to ensure that only the intended operating system userid has access to the files.
The two files can be kept on separate physical volumes, to reduce the risk that both files might be lost at the same time. If either or both of the files are located on a network volume, then an encrypted wire protocol can be used to access the network volume, such as sshfs, encrypted NFSv4, or encrypted SMB 3.0.
This program accepts eight command-line arguments:
| Argument | Example | Description |
|---|---|---|
| Transformation | AES/CBC/NoPadding |
Specifies the transformation in the form Algorithm/Mode/Padding. Supported transformations are listed in a table below. |
| KeySizeInBits | 256 |
Specifies the algorithm key size, which governs the encryption strength. |
| MAC | HmacSHA256 |
Specifies the message authentication code (MAC) algorithm HmacSHA1 or HmacSHA256. |
| PasswordEncryptionKeyFileName | PassKey.properties |
Specifies a filename in the current directory, a relative pathname, or an absolute pathname. The file is created by this program. If the file already exists, it will be overwritten by the new file. |
| EncryptedPasswordFileName | EncPass.properties |
Specifies a filename in the current directory, a relative pathname, or an absolute pathname. The filename or pathname that must differ from the PasswordEncryptionKeyFileName. The file is created by this program. If the file already exists, it will be overwritten by the new file. |
| Hostname | whomooz |
Specifies the database hostname. |
| Username | guest |
Specifies the database username. |
| Password | please |
Specifies the database password to be encrypted. Unicode characters in the password can be specified with the \uXXXX escape sequence. |
The TJEncryptPassword program uses the driver to log on to the specified database using the encrypted password, so the driver must have been installed with the pip install teradatasql command.
The following commands assume that the TJEncryptPassword.py program file is located in the current directory. When the driver is installed, the sample programs are placed in the teradatasql/samples directory under your Python installation directory. Change your current directory to the teradatasql/samples directory under your Python installation directory.
The following example commands illustrate using a 256-bit AES key, and using the HmacSHA256 algorithm.
| Platform | Command |
|---|---|
| macOS or Linux | python TJEncryptPassword.py AES/CBC/NoPadding 256 HmacSHA256 PassKey.properties EncPass.properties whomooz guest please |
| Windows | py -3 TJEncryptPassword.py AES/CBC/NoPadding 256 HmacSHA256 PassKey.properties EncPass.properties whomooz guest please |
You are not required to use the TJEncryptPassword program to create the files containing the password encryption key and encrypted password. You can develop your own software to create the necessary files, but the files must match the format expected by the driver.
The password encryption key file is a text file in Java Properties file format, using the ISO 8859-1 character encoding.
The file must contain the following string properties:
| Property | Description |
|---|---|
version=1 |
The version number must be 1. This property is required. |
transformation=Algorithm/Mode/Padding |
Specifies the transformation in the form Algorithm/Mode/Padding. Supported transformations are listed in a table below. This property is required. |
algorithm=Algorithm |
This value must correspond to the Algorithm portion of the transformation. This property is required. |
match=MatchValue |
The password encryption key and encrypted password files must contain the same match value. The match values are compared to ensure that the two specified files are related to each other, serving as a "sanity check" to help avoid configuration errors. This property is required. |
key=HexDigits |
This value is the password encryption key, encoded as hex digits. This property is required. |
mac=MACAlgorithm |
Specifies the message authentication code (MAC) algorithm HmacSHA1 or HmacSHA256. Stored Password Protection performs Encrypt-then-MAC for protection from a padding oracle attack. This property is required. |
mackey=HexDigits |
This value is the MAC key, encoded as hex digits. This property is required. |
The TJEncryptPassword program uses a timestamp as a shared match value, but a timestamp is not required. Any shared string can serve as a match value. The timestamp is not related in any way to the encryption of the password, and the timestamp cannot be used to decrypt the password.
The encrypted password file is a text file in Java Properties file format, using the ISO 8859-1 character encoding.
The file must contain the following string properties:
| Property | Description |
|---|---|
version=1 |
The version number must be 1. This property is required. |
match=MatchValue |
The password encryption key and encrypted password files must contain the same match value. The match values are compared to ensure that the two specified files are related to each other, serving as a "sanity check" to help avoid configuration errors. This property is required. |
password=HexDigits |
This value is the encrypted password, encoded as hex digits. This property is required. |
params=HexDigits |
This value contains the cipher algorithm parameters, if any, encoded as hex digits. Some ciphers need algorithm parameters that cannot be derived from the key, such as an initialization vector. This property is optional, depending on whether the cipher algorithm has associated parameters. |
hash=HexDigits |
This value is the expected message authentication code (MAC), encoded as hex digits. After encryption, the expected MAC is calculated using the ciphertext, transformation name, and algorithm parameters if any. Before decryption, the driver calculates the MAC using the ciphertext, transformation name, and algorithm parameters if any, and verifies that the calculated MAC matches the expected MAC. If the calculated MAC differs from the expected MAC, then either or both of the files may have been tampered with. This property is required. |
While params is technically optional, an initialization vector is required by all three block cipher modes CBC, CFB, and OFB that are supported by the driver. ECB (Electronic Codebook) does not require params, but ECB is not supported by the driver.
A transformation is a string that describes the set of operations to be performed on the given input, to produce transformed output. A transformation specifies the name of a cryptographic algorithm such AES, followed by a feedback mode and padding scheme.
The driver supports the following transformations and key sizes.
| Transformation | Key Size |
|---|---|
AES/CBC/NoPadding |
128 |
AES/CBC/NoPadding |
192 |
AES/CBC/NoPadding |
256 |
AES/CBC/PKCS5Padding |
128 |
AES/CBC/PKCS5Padding |
192 |
AES/CBC/PKCS5Padding |
256 |
AES/CFB/NoPadding |
128 |
AES/CFB/NoPadding |
192 |
AES/CFB/NoPadding |
256 |
AES/CFB/PKCS5Padding |
128 |
AES/CFB/PKCS5Padding |
192 |
AES/CFB/PKCS5Padding |
256 |
AES/OFB/NoPadding |
128 |
AES/OFB/NoPadding |
192 |
AES/OFB/NoPadding |
256 |
AES/OFB/PKCS5Padding |
128 |
AES/OFB/PKCS5Padding |
192 |
AES/OFB/PKCS5Padding |
256 |
Stored Password Protection uses a symmetric encryption algorithm such as AES, in which the same secret key is used for encryption and decryption of the password. Stored Password Protection does not use an asymmetric encryption algorithm such as RSA, with separate public and private keys.
CBC (Cipher Block Chaining) is a block cipher encryption mode. With CBC, each ciphertext block is dependent on all plaintext blocks processed up to that point. CBC is suitable for encrypting data whose total byte count exceeds the algorithm's block size, and is therefore suitable for use with Stored Password Protection.
Stored Password Protection hides the password length in the encrypted password file by extending the length of the UTF8-encoded password with trailing null bytes. The length is extended to the next 512-byte boundary.
- A block cipher with no padding, such as
AES/CBC/NoPadding, may only be used to encrypt data whose byte count after extension is a multiple of the algorithm's block size. The 512-byte boundary is compatible with many block ciphers. AES, for example, has a block size of 128 bits (16 bytes), and is therefore compatible with the 512-byte boundary. - A block cipher with padding, such as
AES/CBC/PKCS5Padding, can be used to encrypt data of any length. However, CBC with padding is vulnerable to a "padding oracle attack", so Stored Password Protection performs Encrypt-then-MAC for protection from a padding oracle attack. MAC algorithmsHmacSHA1andHmacSHA256are supported. - The driver does not support block ciphers used as byte-oriented ciphers via modes such as
CFB8orOFB8.
The strength of the encryption depends on your choice of cipher algorithm and key size.
- AES uses a 128-bit (16 byte), 192-bit (24 byte), or 256-bit (32 byte) key.
This driver and the Teradata JDBC Driver can share the files containing the password encryption key and encrypted password, if you use a transformation, key size, and MAC algorithm that is supported by both drivers.
- Recommended choices for compatibility are
AES/CBC/NoPaddingandHmacSHA256. - Use a 256-bit key if your Java environment has the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle.
- Use a 128-bit key if your Java environment does not have the Unlimited Strength Jurisdiction Policy Files.
- Use
HmacSHA1for compatibility with JDK 1.4.2.
For the ENCRYPTED_PASSWORD( syntax of the driver, each filename must be preceded by the file: prefix.
The PasswordEncryptionKeyFileName must be separated from the EncryptedPasswordFileName by a single comma. The files can be located in the current directory, specified with a relative path, or specified with an absolute path.
Example for files in the current directory:
ENCRYPTED_PASSWORD(file:JohnDoeKey.properties,file:JohnDoePass.properties)
Example with relative paths:
ENCRYPTED_PASSWORD(file:../dir1/JohnDoeKey.properties,file:../dir2/JohnDoePass.properties)
Example with absolute paths on Windows:
ENCRYPTED_PASSWORD(file:c:/dir1/JohnDoeKey.properties,file:c:/dir2/JohnDoePass.properties)
Example with absolute paths on Linux:
ENCRYPTED_PASSWORD(file:/dir1/JohnDoeKey.properties,file:/dir2/JohnDoePass.properties)
The two filenames specified for an encrypted password must be accessible to the driver and must conform to the properties file formats described above. The driver raises an exception if the file is not accessible, or the file does not conform to the required file format.
The driver verifies that the match values in the two files are present, and match each other. The driver raises an exception if the match values differ from each other. The match values are compared to ensure that the two specified files are related to each other, serving as a "sanity check" to help avoid configuration errors. The TJEncryptPassword program uses a timestamp as a shared match value, but a timestamp is not required. Any shared string can serve as a match value. The timestamp is not related in any way to the encryption of the password, and the timestamp cannot be used to decrypt the password.
Before decryption, the driver calculates the MAC using the ciphertext, transformation name, and algorithm parameters if any, and verifies that the calculated MAC matches the expected MAC. The driver raises an exception if the calculated MAC differs from the expected MAC, to indicate that either or both of the files may have been tampered with.
Finally, the driver uses the decrypted password to log on to the database.