[ 
https://issues.apache.org/jira/browse/PHOENIX-4702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16455509#comment-16455509
 ] 

Geoffrey Jacoby commented on PHOENIX-4702:
------------------------------------------

MD5 is obsolete as a _cryptographic_ hash. There are many reasons to use 
hashing, and quite a few of them have nothing to do with encryption or 
cryptography. 

From a cursory check through Phoenix code, I see two uses of MD5:

1. An "MD5" SQL function that allows users to generate MD5 fingerprints of
columns.
2. To compare columns of primary and index tables against each other in the
index scrutiny tool.

Neither of these needs a cryptographic hash, though adding a SHA256() function, 
or a more general HASH() function that takes in an algorithm as a parameter, 
might be a useful feature. 

[~rvskoundinya] - has your analysis found a case where we're relying on MD5 as 
a cryptographic hash?


> MD5 Hash Algorithm in Phoenix which is insecure and easily cracked
> ------------------------------------------------------------------
>
>                 Key: PHOENIX-4702
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4702
>             Project: Phoenix
>          Issue Type: Improvement
>    Affects Versions: 4.7.0
>            Reporter: Koundinya Ravulapati
>            Priority: Major
>              Labels: Encryption, Phoenix, Security, hashing
>
> Hi Team,
> We have run a security check on 
> compile group: 'org.apache.phoenix', name: 'phoenix', version: 
> '4.7.0-CLABS-1.3.0', classifier: 'client-minimal'
> and our security scan has revealed that Phoenix is using a weak encryption, MD5, 
> like
> digest = java.security.MessageDigest.getInstance("MD5")
> The hashing algorithm used, MD5, has been found by researchers to be unsafe 
> for protecting sensitive data with today's technology.
> I have checked the [https://github.com/apache/phoenix/tree/4.7.0-HBase-1.1] 
> and also other versions; they still use the same algorithm. Is the Phoenix 
> team considering using a stronger algorithm like SHA-256? Can you please 
> let us know if this is already available in any new versions of Phoenix, or in 
> which version it can be made available if the team is working on it. 
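The comment above suggests a general HASH() function that takes the algorithm as a parameter, and notes that the index scrutiny comparison needs only equality of fingerprints, not a cryptographic hash. The following is an added illustration of that idea in Python (not Phoenix code, which is Java): `column_fingerprint`, `scrutinize`, the `SUPPORTED` allow-list and the sample rows are all constructed for this example, and the scrutiny result is the same whichever algorithm is selected.

```python
import hashlib

# Constructed allow-list: algorithms the hypothetical HASH(alg, col) function accepts.
SUPPORTED = ("md5", "sha256")


def column_fingerprint(value: str, algorithm: str = "sha256") -> str:
    """Hex digest of a column value, with the algorithm chosen by the caller.

    usedforsecurity=False (Python 3.9+) declares the non-cryptographic use, so
    MD5 stays available even on FIPS-restricted builds that block it otherwise.
    """
    alg = algorithm.lower()
    if alg not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return hashlib.new(alg, value.encode("utf-8"), usedforsecurity=False).hexdigest()


def _encode_row(columns) -> str:
    # Length-prefix each column so ["a|b"] and ["a", "b"] cannot collide.
    return "".join(f"{len(c)}:{c}" for c in columns)


def scrutinize(primary_rows, index_rows, algorithm="sha256"):
    """Compare data-table rows with index-table rows by fingerprint.

    Returns the sorted row keys whose columns differ or are missing from the
    index. Only digest equality matters here, which is why the comment argues
    this use does not depend on MD5's cryptographic strength.
    """
    mismatches = []
    for key, columns in primary_rows.items():
        if key not in index_rows:
            mismatches.append(key)
            continue
        primary_fp = column_fingerprint(_encode_row(columns), algorithm)
        index_fp = column_fingerprint(_encode_row(index_rows[key]), algorithm)
        if primary_fp != index_fp:
            mismatches.append(key)
    return sorted(mismatches)


# Constructed sample rows: row key -> column values. r2 is stale, r3 is missing.
PRIMARY = {"r1": ["alice", "10"], "r2": ["bob", "20"], "r3": ["carol", "30"]}
INDEX = {"r1": ["alice", "10"], "r2": ["bob", "21"]}

if __name__ == "__main__":
    for alg in SUPPORTED:
        print(alg, scrutinize(PRIMARY, INDEX, alg))  # both report ['r2', 'r3']
```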

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)