Example: tdgssauth Wrap and Unwrap - Advanced SQL Engine

Example: tdgssauth Wrap and Unwrap - Advanced SQL Engine - Teradata Database

Security Administration

Product

Advanced SQL Engine

Teradata Database

Release Number

17.05

17.00

Published

September 2020

Language

English (United States)

Last Update

2021-01-23

dita:mapPath

ied1556235912841.ditamap

dita:ditavalPath

lze1555437562152.ditaval

dita:id

B035-1100

lifecycle

Product Category

Teradata Vantage™

The example shows wrapping a string to protect it with a signature. Run:

tdgssauth -u userconfhigh -m td2 -i 198.51.100.20 -T "this is a test"

The user's name (-u) is the same as it is specified in a bteq .logon command. The -m option specifies the logon mechanism to use (TD2 in this case). The -i option specifies the IP address from which the user will connect. -T wraps and unwraps the string.

Result:

 Status: not authenticated, not authorized
     Actual mechanism employed: TD2 [OID 1.3.6.1.4.1.191.1.1012.1.1.9]

 Security context capabilities: replay detection
                                out of sequence detection
                                confidentiality
                                integrity
                                protection ready
                                exportable security context

 Minimum quality of protection: 3 (High) with confidentiality and integrity
                       Options: none

          String to be wrapped: this is a test
                Requesting QoP: 3 (High)
    Requesting Confidentiality: yes

Wrapped text (by client side):
  00000000: ff 6e 79 ed f9 b3 fa 42 ee 79 3e c1 b0 7a af ab *.ny....B.y>..z..*
  00000010: e9 ce 82 c5 3e bd 49 e3 a6 70 95 ab 42 9a 95 6b *....>.I..p..B..k*
  00000020: d2 1b 2a 8e c6 f1 04 91 24 78 5d 50 e5 8b 69 8a *..*.....$x]P..i.*
  00000030: 86 2a 0f ab 75 f6 3d 7e 19 14 3f d3 35 6d 77 74 *.*..u.=~..?.5mwt*
  00000040: 03 07 04 03 00 00 00 40 00 00 00 00 00 00 00 01 *.......@........*

Unwrapped text (by server side):
  00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74       *this is a test*

            Actual QoP applied: 3 (High)
       Confidentiality applied: yes

Wrapped text (by server side):
  00000000: d9 f0 77 7b 1a 9c 75 2e 3e 65 6e 75 ee 9a 07 33 *..w{..u.>enu...3*
  00000010: a5 b3 f0 8e 04 3e 24 15 a8 6e b8 29 97 68 43 c5 *.....>$..n.).hC.*
  00000020: 4f dc f3 d5 14 70 9d e1 27 38 9a de 50 3c 95 fd *O....p..'8..P<..*
  00000030: 8d cf 2f e9 b1 ed 77 18 aa ca 53 7d 05 61 50 dc *../...w...S}.aP.*
  00000040: 03 07 84 03 00 00 00 40 00 00 00 00 00 00 00 01 *.......@........*

Unwrapped text (by client side):
  00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74       *this is a test*

            Actual QoP applied: 3 (High)
       Confidentiality applied: yes

The -T option specifies a string to wrap and unwrap. Wrapping causes the text to be protected with a signature and to optionally be encrypted (see the -c and -e options in Using tdgssauth Syntax). The tool will use the QoP configured for the session when invoking the wrap function in TDGSS. In this case, the client side wrapped the message and turned it into an 80-byte string. The 80-byte string is passed to the server side of TDGSS and requests the server side to unwrap the string back to the original string. The server then wraps the string it unwrapped and generates a different 80-byte string. The client unwraps the string from the server side back to the original string.

The -T option can be used with any mechanism and any number of -T options may be specified.