17.10 - Example: tdgssauth Wrap and Unwrap - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

The example shows wrapping a string to protect it with a signature. Run:

tdgssauth -u userconfhigh -m td2 -i 198.51.100.20 -T "this is a test"

The user name (-u) is specified the same way as in a bteq .logon command. The -m option specifies the logon mechanism to use (TD2 in this case). The -i option specifies the IP address from which the user will connect. The -T option specifies the string to wrap and unwrap.

Result:

 Status: not authenticated, not authorized
     Actual mechanism employed: TD2 [OID 1.3.6.1.4.1.191.1.1012.1.1.9]

 Security context capabilities: replay detection
                                out of sequence detection
                                confidentiality
                                integrity
                                protection ready
                                exportable security context

 Minimum quality of protection: 3 (High) with confidentiality and integrity
                       Options: none

          String to be wrapped: this is a test
                Requesting QoP: 3 (High)
    Requesting Confidentiality: yes

Wrapped text (by client side):
  00000000: ff 6e 79 ed f9 b3 fa 42 ee 79 3e c1 b0 7a af ab *.ny....B.y>..z..*
  00000010: e9 ce 82 c5 3e bd 49 e3 a6 70 95 ab 42 9a 95 6b *....>.I..p..B..k*
  00000020: d2 1b 2a 8e c6 f1 04 91 24 78 5d 50 e5 8b 69 8a *..*.....$x]P..i.*
  00000030: 86 2a 0f ab 75 f6 3d 7e 19 14 3f d3 35 6d 77 74 *.*..u.=~..?.5mwt*
  00000040: 03 07 04 03 00 00 00 40 00 00 00 00 00 00 00 01 *.......@........*

Unwrapped text (by server side):
  00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74       *this is a test*

            Actual QoP applied: 3 (High)
       Confidentiality applied: yes

Wrapped text (by server side):
  00000000: d9 f0 77 7b 1a 9c 75 2e 3e 65 6e 75 ee 9a 07 33 *..w{..u.>enu...3*
  00000010: a5 b3 f0 8e 04 3e 24 15 a8 6e b8 29 97 68 43 c5 *.....>$..n.).hC.*
  00000020: 4f dc f3 d5 14 70 9d e1 27 38 9a de 50 3c 95 fd *O....p..'8..P<..*
  00000030: 8d cf 2f e9 b1 ed 77 18 aa ca 53 7d 05 61 50 dc *../...w...S}.aP.*
  00000040: 03 07 84 03 00 00 00 40 00 00 00 00 00 00 00 01 *.......@........*

Unwrapped text (by client side):
  00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74       *this is a test*

            Actual QoP applied: 3 (High)
       Confidentiality applied: yes

The -T option specifies a string to wrap and unwrap. Wrapping protects the text with a signature and optionally encrypts it (see the -c and -e options in Using tdgssauth Syntax). The tool uses the QoP configured for the session when invoking the wrap function in TDGSS. In this case, the client side wrapped the message and turned it into an 80-byte string. The tool passes the 80-byte string to the server side of TDGSS and requests that the server side unwrap it back to the original string. The server then wraps the string it unwrapped and generates a different 80-byte string. The client unwraps the string from the server side back to the original string.

The -T option can be used with any mechanism and any number of -T options may be specified.
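The round trip described above can be checked automatically when tdgssauth -T is run as part of a configuration test. The following Python script is an added example, not part of the Teradata documentation or tooling: it rebuilds the bytes from each hex dump and confirms that both sides recovered the original string, that the wrapped text does not contain the plaintext, and that confidentiality was applied in both directions. The function names parse_sections and check_roundtrip are hypothetical, the sample is constructed, and the script assumes the output layout shown above and a session that expects confidentiality.

```python
import re
# Constructed, shortened sample in the layout of the output above; the wrapped
# bytes are made up for this example and are not real TDGSS tokens.
SAMPLE = """\
Wrapped text (by client side):
  00000000: 8a 11 f3 07 c2 5e 90 4b 6d 2a e1 38 77 b0 09 d4 *.....^.Km*.8w...*
  00000010: 5b 3c 99 e0 12 a7 4f 06                         *[<....O.*

Unwrapped text (by server side):
  00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74       *this is a test*
       Confidentiality applied: yes

Wrapped text (by server side):
  00000000: 41 d0 6c 9e 15 b7 e2 03 fa 58 2c 99 0e 73 c6 ad *A.l......X,..s..*
  00000010: c4 70 1d 88 32 f9 0b 6e                         *.p..2..n*

Unwrapped text (by client side):
  00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74       *this is a test*
       Confidentiality applied: yes
"""

HEADER = re.compile(r"^(Wrapped|Unwrapped) text \(by (client|server) side\):")
HEXLINE = re.compile(r"^\s*[0-9a-f]{8}: ((?:[0-9a-f]{2} )+)\s*\*")

def parse_sections(output):
    """Rebuild the bytes of each hex dump, keyed by (kind, side)."""
    sections, current = {}, None
    for line in output.splitlines():
        head, dump = HEADER.match(line), HEXLINE.match(line)
        if head:
            current = (head.group(1).lower(), head.group(2))
            sections[current] = b""
        elif dump and current:
            sections[current] += bytes.fromhex(dump.group(1))
        else:
            current = None  # any other line ends the current dump
    return sections

def check_roundtrip(output, original):
    """Return a list of problems; empty means the run looks as expected."""
    s, plain, problems = parse_sections(output), original.encode(), []
    for side in ("client", "server"):
        if s.get(("unwrapped", side)) != plain:
            problems.append(f"{side} side did not recover the original string")
        if plain in s.get(("wrapped", side), plain):  # a missing dump also fails
            problems.append(f"{side} wrapped text is missing or exposes the plaintext")
    if output.count("Confidentiality applied: yes") != 2:
        problems.append("confidentiality was not applied in both directions")
    return problems
```

Pass the captured tdgssauth output and the string given to -T to check_roundtrip; an empty list means the run matched expectations.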