[
https://issues.apache.org/jira/browse/HBASE-30158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Balazs Meszaros updated HBASE-30158:
------------------------------------
Description:
To maintain {*}FIPS 140-3 compliance{*}, the use of insecure hash algorithms
like SHA-1 and MD5 is strictly prohibited for cryptographic purposes. While
these algorithms remain permissible for non-security functions, robust
collision handling is essential.
We have identified specific scenarios where HBase fails to adequately handle
collisions, which could be exploited using tools such as
[fastcoll|https://github.com/brimstone/fastcoll] or
[hashclash|https://github.com/cr-marcstevens/hashclash].
was:
To maintain {*}FIPS 140-3 compliance{*}, the use of insecure hash algorithms
like SHA-1 and MD5 is strictly prohibited for cryptographic purposes. While
these algorithms remain permissible for non-security functions, robust
collision handling is essential.
We have identified specific scenarios where HBase fails to adequately handle
collisions, which could be exploited using tools such as
[fastcoll|https://github.com/brimstone/fastcoll].
> Reduce MD5 usage across the codebase
> ------------------------------------
>
> Key: HBASE-30158
> URL: https://issues.apache.org/jira/browse/HBASE-30158
> Project: HBase
> Issue Type: New Feature
> Reporter: Balazs Meszaros
> Priority: Major
>
> To maintain {*}FIPS 140-3 compliance{*}, the use of insecure hash algorithms
> like SHA-1 and MD5 is strictly prohibited for cryptographic purposes. While
> these algorithms remain permissible for non-security functions, robust
> collision handling is essential.
> We have identified specific scenarios where HBase fails to adequately handle
> collisions, which could be exploited using tools such as
> [fastcoll|https://github.com/brimstone/fastcoll] or
> [hashclash|https://github.com/cr-marcstevens/hashclash].
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
