[ https://issues.apache.org/jira/browse/KAFKA-3987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17930539#comment-17930539 ]
jeri jose commented on KAFKA-3987:
----------------------------------

To align with FIPS 140-3 compliance requirements, MD5 should be replaced with a FIPS-approved cryptographic algorithm. The Kafka log cleaner currently enforces MD5 as the default hash algorithm in SkimpyOffsetMap, even though SkimpyOffsetMap already supports alternatives like SHA-256. Since FIPS 140-3 mandates stronger cryptographic standards, updating the default hash algorithm to a FIPS-compliant option ensures better security and regulatory compliance while still allowing users to override it if needed.

[GitHub Pull Request #19035|https://github.com/apache/kafka/pull/19035]

> Allow configuration of the hash algorithm used by the LogCleaner's offset map
> -----------------------------------------------------------------------------
>
>                 Key: KAFKA-3987
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3987
>             Project: Kafka
>          Issue Type: Improvement
>          Components: config
>            Reporter: Luciano Afranllie
>            Priority: Major
>              Labels: needs-kip
>
> In order to be able to do deployments of Kafka that are FIPS 140-2
> (https://en.wikipedia.org/wiki/FIPS_140-2) compliant, one of the requirements
> is not to use MD5.
> Kafka is using MD5 to hash message keys in the offset map (SkimpyOffsetMap)
> used by the log cleaner.
> The idea is to be able to configure this hash algorithm to something allowed
> by FIPS using a new configuration property.
> The property could be named "log.cleaner.hash.algorithm" with a default value
> equal to "MD5" and the idea is to use it in the constructor of CleanerConfig.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
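
An added illustration, not part of the Jira message and not Kafka's code: a simplified model (hypothetical class `DigestOffsetMap`) of a digest-keyed offset map with a configurable algorithm, showing that the digest choice also changes how many keys fit in a fixed buffer. The entry layout (digest plus 8-byte offset), the 1200-byte budget and the sample key are assumptions of the sketch.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
// Simplified model of a digest-keyed offset map (Java 9+); not Kafka's SkimpyOffsetMap source.
public class DigestOffsetMap {
    final MessageDigest digest;
    final int hashSize, bytesPerEntry, slots;
    final ByteBuffer buf;
    final boolean[] used;
    DigestOffsetMap(int memoryBytes, String algorithm) throws Exception {
        // NoSuchAlgorithmException here if no installed provider offers the algorithm.
        digest = MessageDigest.getInstance(algorithm);
        hashSize = digest.getDigestLength();
        bytesPerEntry = hashSize + 8; // key digest plus 8-byte offset
        slots = memoryBytes / bytesPerEntry;
        buf = ByteBuffer.allocate(slots * bytesPerEntry);
        used = new boolean[slots];
    }
    // Linear probe: slot already holding h, else the first free slot, else -1 (full).
    int find(byte[] h) {
        int start = Math.floorMod(ByteBuffer.wrap(h).getInt(), slots);
        for (int i = 0; i < slots; i++) {
            int s = (start + i) % slots, p = s * bytesPerEntry;
            if (!used[s] || Arrays.equals(buf.array(), p, p + hashSize, h, 0, hashSize)) return s;
        }
        return -1;
    }
    void put(String key, long offset) {
        byte[] h = digest.digest(key.getBytes(StandardCharsets.UTF_8));
        int s = find(h);
        if (s < 0) throw new IllegalStateException("offset map full");
        used[s] = true;
        System.arraycopy(h, 0, buf.array(), s * bytesPerEntry, hashSize);
        buf.putLong(s * bytesPerEntry + hashSize, offset);
    }
    long get(String key) {
        int s = find(digest.digest(key.getBytes(StandardCharsets.UTF_8)));
        return (s < 0 || !used[s]) ? -1L : buf.getLong(s * bytesPerEntry + hashSize);
    }
    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"MD5", "SHA-256"}) {
            DigestOffsetMap m = new DigestOffsetMap(1200, alg); // constructed sample budget
            m.put("user-42", 7L);
            m.put("user-42", 19L); // same key digest, so the slot keeps the later offset
            System.out.println(alg + ": slots=" + m.slots + ", latest offset=" + m.get("user-42"));
        }
    }
}
```

In this model a 16-byte MD5 digest gives 24-byte entries and a 32-byte SHA-256 digest gives 40-byte entries, so the same buffer holds fewer keys after the switch.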