Ya Xiao created RANGER-3216:
-------------------------------
Summary: Use an outdated Key Derivation Function
"PBEWithMD5AndTripleDES"
Key: RANGER-3216
URL: https://issues.apache.org/jira/browse/RANGER-3216
Project: Ranger
Issue Type: Improvement
Components: kms
Reporter: Ya Xiao
*Description:*
**We ** found a security vulnerability in File
[ranger/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java|[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java|https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java].]].
An outdated password-based key derivation function "PBEWithMD5AndTripleDES" is
used at Line 302 and 314. It produces a cryptographic key for Triple-DES cipher
algorithm from the password. However, the Triple-DES is retired and not strong
enough.
*Security Impact**:*
**Triple DES is an outdated cipher algorithm. Its effective key length is 112
bits, which is weaker than AES-128. Its short block size (64 bits) makes it
more vulnerable to attacks like
[Sweet32|https://beaglesecurity.com/blog/vulnerability/sweet32-attack.html#:~:text=The%20Sweet32%20is%20an%20attack,recover%20small%20portions%20of%20plaintext.].
*Useful Resources**:*
[https://cwe.mitre.org/data/definitions/327.html]
[https://www.cvedetails.com/cve/CVE-2016-2183/]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
*Solution we suggest:***
**Replace Triple DES to AES. Replace the "PBEWithMD5AndTripleDES" to
"PBEWithHmacSHA256AndAES_128"
*Please share with us your opinions/comments if there is any:*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
