[ https://issues.apache.org/jira/browse/RANGER-1644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16293740#comment-16293740 ]
Endre Kovacs commented on RANGER-1644:
--------------------------------------

As I revisited this patch, I realized that my patch presumes JDK8 with all the good/strong PBE algorithms.

After making sure that I was using Java 7 and running the tests, I got:
{code}
Cannot find any provider supporting PBEWITHHMACSHA512ANDAES_128
{code}
Meanwhile, running it with Java 8 gave me no errors.

Checking the docs for Java security (https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider), it turned out that PBEWithMD5AndDES is the best option on Java 7 for *P*assword*B*ased*E*ncryption.

Meanwhile, in Java 8 the docs (https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJCEProvider) show quite a few PBE algorithms that are more secure.
{code}
PBEWithHmacSHA1AndAES_128
PBEWithHmacSHA224AndAES_128
PBEWithHmacSHA256AndAES_128
PBEWithHmacSHA384AndAES_128
PBEWithHmacSHA512AndAES_128
PBEWithHmacSHA1AndAES_256
PBEWithHmacSHA224AndAES_256
PBEWithHmacSHA256AndAES_256
PBEWithHmacSHA384AndAES_256
PBEWithHmacSHA512AndAES_256
{code}

Thus my question arises:
should we impose the requirement of JDK8 (and possibly installing the JCE Unlimited Strength Jurisdiction Policy Files for even stronger key length support)
or
not impose JDK8, stay with JDK7 where there is no stronger PBE algorithm, and close this ticket until JDK8 is required for running Ranger, where we have access to all the good/strong algorithms?

> Change the default Crypt Algo to use stronger cryptographic algo.
> ------------------------------------------------------------------
>
> Key: RANGER-1644
> URL: https://issues.apache.org/jira/browse/RANGER-1644
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Selvamohan Neethiraj
> Assignee: Endre Kovacs
> Priority: Critical
> Fix For: 1.0.0
>
> Attachments: 0001-RANGER-1644-replacing-MD5-DES-with-SHA512-AES128.patch
>
>
> Change the default crypt algorithm to use a stronger cipher algorithm

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
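
The JDK 7 / JDK 8 difference raised in the comment can be handled by probing the running JRE instead of hard-coding one algorithm. The following is an added example, not part of the comment or of the attached Ranger patch; the class name `PbeProbe`, the preference order, the iteration count and the sample password are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class PbeProbe {   // hypothetical class name
    // Strongest first; the last entry is the Java 7 fallback named in the comment.
    static final String[] PREFERRED = {
        "PBEWithHmacSHA512AndAES_256", "PBEWithHmacSHA512AndAES_128", "PBEWithMD5AndDES" };

    /** Returns the first preferred PBE algorithm the installed providers and policy allow. */
    static String pick() throws GeneralSecurityException {
        for (String algo : PREFERRED) {
            try {
                // AES_256 is only usable when the jurisdiction policy permits 256-bit AES keys.
                if (algo.endsWith("AES_256") && Cipher.getMaxAllowedKeyLength("AES") < 256) continue;
                Cipher.getInstance(algo);            // throws "Cannot find any provider supporting ..."
                SecretKeyFactory.getInstance(algo);
                return algo;
            } catch (GeneralSecurityException e) {
                // not available in this JRE: try the next, weaker candidate
            }
        }
        throw new GeneralSecurityException("no usable PBE algorithm");
    }

    static byte[] roundTrip(String algo, char[] password, byte[] plain) throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(algo).generateSecret(new PBEKeySpec(password));
        byte[] salt = new byte[8];                   // PBEWithMD5AndDES requires exactly 8 bytes
        new SecureRandom().nextBytes(salt);
        Cipher enc = Cipher.getInstance(algo);
        enc.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, 10000)); // assumed iteration count
        byte[] ct = enc.doFinal(plain);
        // For the AES variants the provider generated a random IV; it is carried in these parameters.
        AlgorithmParameters params = enc.getParameters();
        Cipher dec = Cipher.getInstance(algo);
        dec.init(Cipher.DECRYPT_MODE, key, params);
        return dec.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        String algo = pick();
        byte[] msg = "constructed sample secret".getBytes("UTF-8");   // constructed input
        byte[] back = roundTrip(algo, "constructed-password".toCharArray(), msg);
        System.out.println(System.getProperty("java.version") + " -> " + algo
                + ", round trip ok: " + Arrays.equals(msg, back));
    }
}
```

Data encrypted with one algorithm cannot be decrypted with another, so a deployment that selects the algorithm this way has to store the chosen algorithm name and the parameters alongside the ciphertext.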