SriniD 25 posts Joined 02/14
23 Mar 2015
Password encryption mechanism for ODBC client application users.

Hi All,
Can someone help me to understand more about password encryption with respect to ODBC client applications? As far as I know, the password will be encrypted and stored in the database table by default. But I've seen an option 'gtwcontrol' which needs to be set to 'YES' in the gtw control utility to enable password encryption. As the password is encrypted and stored in TD tables by default for ODBC client application users, what is the advantage of this gtwcontrol option? Please clarify.
 
Thanks & Regards,
Srini. 
 

tomnolan 594 posts Joined 01/08
23 Mar 2015

Are you referring to gtwcontrol option -b "AllowDeprecatedLogons" ?
 
That option is obsolete, and has been gone from the Teradata Database for the past several years.
 
Teradata Database 12.0 was the last Teradata Database release that supported that option.

SriniD 25 posts Joined 02/14
24 Mar 2015

Hi,
Thanks for the update. But I've seen the following statement in the 'ODBC Driver for Teradata 14.10' user guide under section Password Encryption:
Logon encryption is used automatically if the server for the application supports the feature. This is not a user-defined setting at the client level, but the feature can be set as a gateway option using the GTW control utility.
From the above statement, I understood that this feature needs to be set (enable/disable) using GTW control utility to encrypt the password.
My question is, if the password is encrypted and storing in the corresponding TD tables by default (without setting any options), then what is the use of setting the feature as a gateway option using GTW control utility?
 
Please clarify.
 
Regards,
Srini.
 

tomnolan 594 posts Joined 01/08
24 Mar 2015

>>> the feature can be set as a gateway option using the GTW control utility.
 
That sentence is applicable to Teradata Database 12.0 and earlier releases.
 
That sentence is not applicable to Teradata Database 13.0 and later releases, for which logon encryption is mandatory.

Fred 1096 posts Joined 08/04
24 Mar 2015

Re: the original question
The gtwcontrol option (in older releases) applies to encryption "over the wire" when the logon request is sent from the client to the database.
 

tomnolan 594 posts Joined 01/08
24 Mar 2015

Fred is correct that the gtwcontrol option -b "AllowDeprecatedLogons" in Teradata Database 12.0 and earlier releases applied to encryption over the wire for the messages exchanged between the client and the database during the logon process. The gtwcontrol option -b was completely unrelated to password storage on disk.
 
Regarding this assertion: "if the password is encrypted and storing in the corresponding TD tables"
 
That is not correct. The Teradata Database does not store passwords in a reversible encrypted form on disk. Instead, password hashes are stored on disk.
 
Here is the relevant excerpt from the Teradata Database 15.0 Security Administration book / Chapter 9 Encryption / section Account Password Encryption...
 
Teradata Database Passwords Stored in the Database
 
Teradata Database stores user passwords in the database in cryptographically hashed form, using SHA-256 (256-bit) hashes.
 
