Password encryption mechanism for ODBC client application users.

Enthusiast


Hi All,

Can someone help me to understand more about password encryption with respect to ODBC client applications? As far as I know, the password will be encrypted and stored in the database table by default. But I've seen an option 'gtwcontrol' which needs to be set as 'YES' at the gtw control utility to enable password encryption. As the password is encrypted and stored in TD tables by default for ODBC client application users, what is the advantage of this gtwcontrol option? Please clarify.

Thanks & Regards,

Srini. 

5 REPLIES
Teradata Employee

Re: Password encryption mechanism for ODBC client application users.

Are you referring to gtwcontrol option -b "AllowDeprecatedLogons"?

That option is obsolete, and has been gone from the Teradata Database for the past several years.

Teradata Database 12.0 was the last Teradata Database release that supported that option.

Enthusiast

Re: Password encryption mechanism for ODBC client application users.

Hi,

Thanks for the update. But I've seen the following statement in the 'ODBC Driver for Teradata 14.10' user guide under section Password Encryption:

Logon encryption is used automatically if the server for the application supports the feature. This is not a user-defined setting at the client level, but the feature can be set as a gateway option using the GTW control utility.

From the above statement, I understood that this feature needs to be set (enable/disable) using GTW control utility to encrypt the password.

My question is, if the password is encrypted and storing in the corresponding TD tables by default (without setting any options), then what is the use of setting the feature as a gateway option using GTW control utility?

Please clarify.

Regards,

Srini.

Teradata Employee

Re: Password encryption mechanism for ODBC client application users.

>>> the feature can be set as a gateway option using the GTW control utility.

That sentence is applicable to Teradata Database 12.0 and earlier releases.

That sentence is not applicable to Teradata Database 13.0 and later releases, for which logon encryption is mandatory.

Teradata Employee

Re: Password encryption mechanism for ODBC client application users.

Re: the original question

The gtwcontrol option (in older releases) applies to encryption "over the wire" when the logon request is sent from the client to the database.

Teradata Employee

Re: Password encryption mechanism for ODBC client application users.

Fred is correct that the gtwcontrol option -b "AllowDeprecatedLogons" in Teradata Database 12.0 and earlier releases applied to encryption over the wire for the messages exchanged between the client and the database during the logon process. The gtwcontrol option -b was completely unrelated to password storage on disk.

Regarding this assertion: "if the password is encrypted and storing in the corresponding TD tables"

That is not correct. The Teradata Database does not store passwords in a reversible encrypted form on disk. Instead, password hashes are stored on disk.

Here is the relevant excerpt from the Teradata Database 15.0 Security Administration book / Chapter 9 Encryption / section Account Password Encryption...

Teradata Database Passwords Stored in the Database

Teradata Database stores user passwords in the database in cryptographically hashed form, using SHA-256 (256-bit) hashes.