[jira] [Assigned] (RANGER-3216) Use an outdated Key Derivation Function "PBEWithMD5AndTripleDES"

Wed, 27 Nov 2024 22:46:24 -0800 


     [ 
https://issues.apache.org/jira/browse/RANGER-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vikas Kumar reassigned RANGER-3216:
-----------------------------------

    Assignee: Vikas Kumar

> Use an outdated Key Derivation Function "PBEWithMD5AndTripleDES"
> ----------------------------------------------------------------
>
>                 Key: RANGER-3216
>                 URL: https://issues.apache.org/jira/browse/RANGER-3216
>             Project: Ranger
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Ya Xiao
>            Assignee: Vikas Kumar
>            Priority: Major
>
> *Description:*
> **We ** found a security vulnerability in File 
> [ranger/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java|[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java|https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java].]].
>  An outdated password-based key derivation function "PBEWithMD5AndTripleDES" 
> is used at Line 302 and 314. It produces a cryptographic key for Triple-DES 
> cipher algorithm from the password. However, the Triple-DES is retired and 
> not strong enough.
> *Security Impact**:*
> **Triple DES is an outdated cipher algorithm. Its effective key length is 112 
> bits, which is weaker than AES-128. Its short block size (64 bits) makes it 
> more vulnerable to attacks like 
> [Sweet32|https://beaglesecurity.com/blog/vulnerability/sweet32-attack.html#:~:text=The%20Sweet32%20is%20an%20attack,recover%20small%20portions%20of%20plaintext.].
> *Useful Resources**:*
> [https://cwe.mitre.org/data/definitions/327.html]
> [https://www.cvedetails.com/cve/CVE-2016-2183/]
> [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
> *Solution we suggest:***
> **Replace Triple DES to AES. Replace the "PBEWithMD5AndTripleDES" to 
> "PBEWithHmacSHA256AndAES_128"
> *Please share with us your opinions/comments if there is any:*



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to