@@ -755,126 +755,132 @@ Database encryption is meant for securing the database while it is not in use (s
File encryption slows down the performance of the database engine. Compared to unencrypted mode, database operations take about 2.2 times longer when using XTEA, and 2.5 times longer using AES (embedded mode).
@advanced_1252_h3
SSL/TLS Connections
Wrong Password Delay
@advanced_1253_p
Remote SSL/TLS connections are supported using the Java Secure Socket Extension (SSLServerSocket / SSLSocket). By default, anonymous SSL is enabled. The default cipher suite is <code>SSL_DH_anon_WITH_RC4_128_MD5</code> .
To protect against remote brute force password attacks, the delay after each unsuccessful login gets double as long. Use the system properties h2.delayWrongPasswordMin and h2.delayWrongPasswordMax to change the minimum (the default is 250 milliseconds) or maximum delay (the default is 4000 milliseconds, or 4 seconds). The delay only applies for those using the wrong password. Normally there is no delay for a user that knows the correct password, with one exception: after using the wrong password, there is a delay of up (randomly distributed) the same delay as for a wrong password. This is to protect against parallel brute force attacks, so that an attacker needs to wait for the whole delay. Delays are synchronized. This is also required to protect against parallel attacks.
@advanced_1254_h3
HTTPS Connections
SSL/TLS Connections
@advanced_1255_p
Remote SSL/TLS connections are supported using the Java Secure Socket Extension (SSLServerSocket / SSLSocket). By default, anonymous SSL is enabled. The default cipher suite is <code>SSL_DH_anon_WITH_RC4_128_MD5</code> .
@advanced_1256_h3
HTTPS Connections
@advanced_1257_p
The web server supports HTTP and HTTPS connections using SSLServerSocket. There is a default self-certified certificate to support an easy starting point, but custom certificates are supported as well.
@advanced_1256_h2
@advanced_1258_h2
Universally Unique Identifiers (UUID)
@advanced_1257_p
@advanced_1259_p
This database supports the UUIDs. Also supported is a function to create new UUIDs using a cryptographically strong pseudo random number generator. With random UUIDs, the chance of two having the same value can be calculated using the probability theory. See also 'Birthday Paradox'. Standardized randomly generated UUIDs have 122 random bits. 4 bits are used for the version (Randomly generated UUID), and 2 bits for the variant (Leach-Salz). This database supports generating such UUIDs using the built-in function RANDOM_UUID(). Here is a small program to estimate the probability of having two identical UUIDs after generating a number of values:
@advanced_1258_p
@advanced_1260_p
Some values are:
@advanced_1259_p
@advanced_1261_p
To help non-mathematicians understand what those numbers mean, here a comparison: One's annual risk of being hit by a meteorite is estimated to be one chance in 17 billion, that means the probability is about 0.000'000'000'06.
@advanced_1260_h2
@advanced_1262_h2
Settings Read from System Properties
@advanced_1261_p
@advanced_1263_p
Some settings of the database can be set on the command line using -DpropertyName=value. It is usually not required to change those settings manually. The settings are case sensitive. Example:
@advanced_1262_p
@advanced_1264_p
The current value of the settings can be read in the table INFORMATION_SCHEMA.SETTINGS.
@advanced_1263_p
@advanced_1265_p
For a complete list of settings, see <a href="../javadoc/org/h2/constant/SysProperties.html">SysProperties</a> .
@advanced_1264_h2
@advanced_1266_h2
Setting the Server Bind Address
@advanced_1265_p
@advanced_1267_p
Usually server sockets accept connections on any/all local addresses. This may be a problem on multi-homed hosts. To bind only to one address, use the system property h2.bindAddress. This setting is used for both regular server sockets and for SSL server sockets. IPv4 and IPv6 address formats are supported.
@advanced_1266_h2
@advanced_1268_h2
Glossary and Links
@advanced_1267_th
@advanced_1269_th
Term
@advanced_1268_th
@advanced_1270_th
Description
@advanced_1269_td
@advanced_1271_td
AES-128
@advanced_1270_td
@advanced_1272_td
A block encryption algorithm. See also: <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">Wikipedia: AES</a>
@advanced_1271_td
@advanced_1273_td
Birthday Paradox
@advanced_1272_td
@advanced_1274_td
Describes the higher than expected probability that two persons in a room have the same birthday. Also valid for randomly generated UUIDs. See also: <a href="http://en.wikipedia.org/wiki/Birthday_paradox">Wikipedia: Birthday Paradox</a>
@advanced_1273_td
@advanced_1275_td
Digest
@advanced_1274_td
@advanced_1276_td
Protocol to protect a password (but not to protect data). See also: <a href="http://www.faqs.org/rfcs/rfc2617.html">RFC 2617: HTTP Digest Access Authentication</a>
@advanced_1275_td
@advanced_1277_td
GCJ
@advanced_1276_td
@advanced_1278_td
GNU Compiler for Java. <a href="http://gcc.gnu.org/java/">http://gcc.gnu.org/java/</a> and <a href="http://nativej.mtsystems.ch">http://nativej.mtsystems.ch/ (not free any more)</a>
@advanced_1277_td
@advanced_1279_td
HTTPS
@advanced_1278_td
@advanced_1280_td
A protocol to provide security to HTTP connections. See also: <a href="http://www.ietf.org/rfc/rfc2818.txt">RFC 2818: HTTP Over TLS</a>
@advanced_1279_td
@advanced_1281_td
Modes of Operation
@advanced_1280_a
@advanced_1282_a
Wikipedia: Block cipher modes of operation
@advanced_1281_td
@advanced_1283_td
Salt
@advanced_1282_td
@advanced_1284_td
Random number to increase the security of passwords. See also: <a href="http://en.wikipedia.org/wiki/Key_derivation_function">Wikipedia: Key derivation function</a>
@advanced_1283_td
@advanced_1285_td
SHA-256
@advanced_1284_td
@advanced_1286_td
A cryptographic one-way hash function. See also: <a href="http://en.wikipedia.org/wiki/SHA_family">Wikipedia: SHA hash functions</a>
@advanced_1285_td
@advanced_1287_td
SQL Injection
@advanced_1286_td
@advanced_1288_td
A security vulnerability where an application generates SQL statements with embedded user input. See also: <a href="http://en.wikipedia.org/wiki/SQL_injection">Wikipedia: SQL Injection</a>
@advanced_1287_td
@advanced_1289_td
Watermark Attack
@advanced_1288_td
@advanced_1290_td
Security problem of certain encryption programs where the existence of certain data can be proven without decrypting. For more information, search in the internet for 'watermark attack cryptoloop'
@advanced_1289_td
@advanced_1291_td
SSL/TLS
@advanced_1290_td
@advanced_1292_td
Secure Sockets Layer / Transport Layer Security. See also: <a href="http://java.sun.com/products/jsse/">Java Secure Socket Extension (JSSE)</a>
@advanced_1291_td
@advanced_1293_td
XTEA
@advanced_1292_td
@advanced_1294_td
A block encryption algorithm. See also: <a href="http://en.wikipedia.org/wiki/XTEA">Wikipedia: XTEA</a>
@build_1000_h1
...
...
@@ -7415,7 +7421,7 @@ When using Java Web Start / JNLP (Java Network Launch Protocol), permissions tag
Using a Connection Pool
@tutorial_1179_p
For many databases, opening a connection is slow, and it is a good idea to use a connection pool to re-use connections. For H2 however opening a connection usually is fast if the database is already open. Using a connection pool manager for H2 actually slows down the process a bit, except if file encryption is used (in this case opening a connection is about half as fast as using a connection pool). A simple connection pool manager is included in H2. It is based on the <a href="http://www.source-code.biz/snippets/java/8.htm">Mini Connection Pool Manager</a> from Christian d'Heureuse. There are other, more complex connection pools available, for example <a href="http://jakarta.apache.org/commons/dbcp/">DBCP</a> . The build-in connection pool manager is used as follows:
For many databases, opening a connection is slow, and it is a good idea to use a connection pool to re-use connections. For H2 however opening a connection usually is fast if the database is already open. Using a connection pool for H2 actually slows down the process a bit, except if file encryption is used (in this case opening a connection is about half as fast as using a connection pool). A simple connection pool is included in H2. It is based on the <a href="http://www.source-code.biz/snippets/java/8.htm">Mini Connection Pool Manager</a> from Christian d'Heureuse. There are other, more complex connection pools available, for example <a href="http://jakarta.apache.org/commons/dbcp/">DBCP</a> . The build-in connection pool is used as follows:
> SELECT A.ID, B.ID, C.ID FROM PUBLIC.TEST A /* PUBLIC.TEST_TABLE_SCAN */ INNER JOIN PUBLIC.TEST B /* PUBLIC.TEST_TABLE_SCAN */ LEFT OUTER JOIN PUBLIC.TEST C /* PUBLIC.PRIMARY_KEY_2: ID = A.ID */ ON C.ID = A.ID
> SELECT A.ID, C.ID, B.ID FROM PUBLIC.TEST A /* PUBLIC.TEST_TABLE_SCAN */ LEFT OUTER JOIN PUBLIC.TEST C /* PUBLIC.PRIMARY_KEY_2: ID = A.ID */ ON C.ID = A.ID INNER JOIN PUBLIC.TEST B /* PUBLIC.TEST_TABLE_SCAN */
