[jira] [Commented] (KAFKA-12306) Avoid using plaintext/hard-coded key while generating secret key

Sun, 07 Feb 2021 20:20:07 -0800 


    [ 
https://issues.apache.org/jira/browse/KAFKA-12306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280744#comment-17280744
 ] 

GeordieMai commented on KAFKA-12306:
------------------------------------

[~Vicky Zhang] hello . 
I think the hard-coded text `Password` is just a hint message . 

you can see here .
https://github.com/a0x8o/kafka/blob/88ad7d1b7f816ddce65c3b4fa188c4781fe75b67/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientCallbackHandler.java#L68

> Avoid using plaintext/hard-coded key while generating secret key 
> -----------------------------------------------------------------
>
>                 Key: KAFKA-12306
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12306
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients
>            Reporter: Vicky Zhang
>            Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Security Location:* 
> in file 
> kafka/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramFormatter.java
>  line 58 and 76, new SecretKeySpec(key, algorithm) is invoked with hard-code 
> key, which is defined in file 
> kafka/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
>   line 127 -> 189.
> *Security Impact:* 
> Cryptographic keys should not be kept in the source code. The source code can 
> be widely shared in an enterprise environment and is certainly shared in open 
> source. The use of a hard-coded cryptographic key significantly increases the 
> possibility that encrypted data may be recovered.
> *suggestions:*
> To be managed safely, passwords and secret keys should be stored in separate 
> configuration files. 
> Useful link:
> [https://cwe.mitre.org/data/definitions/321.html]
> [https://www.appmarq.com/public/tqi,1039028,CWE-327-Avoid-weak-encryption-providing-not-sufficient-key-size-JEE]
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to