liyang created KYLIN-3356:
-----------------------------

Summary: Constant in SecretKeySpec
Key: KYLIN-3356
URL: https://issues.apache.org/jira/browse/KYLIN-3356
Project: Kylin
Issue Type: Improvement
Reporter: liyang
Reported by Rumen Paletov <rumen.pale...@gmail.com>:

As part of some research about the common crypto mistakes that developers make (https://cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf), I noticed that your application has one of them. In particular, there's a violation of Rule 3 in org.apache.kylin.common.util.EncryptUtil (https://github.com/apache/kylin/blob/5552164ba09eba989b9ddccdf3f1e4f83ed0b799/core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java#L36). That is, SecretKeySpec is being initialized with a constant key (https://github.com/apache/kylin/blob/5552164ba09eba989b9ddccdf3f1e4f83ed0b799/core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java#L30) instead of a randomly generated one. One solution would be to generate a key using SecureRandom:

> byte[] key = new byte[16];
> new SecureRandom().nextBytes(key);

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
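The following is an added, self-contained Java example illustrating the issue described in the report; it is not Kylin's EncryptUtil and not the reporter's code. It places the weak pattern (a compile-time constant passed to SecretKeySpec, here a placeholder string rather than the project's real value) next to the corrected one (a key drawn from SecureRandom). It goes one step beyond the report to show the operational consequence a practitioner has to plan for: a key regenerated on every start cannot decrypt data written earlier, so the random key must be generated once, exported, and reloaded from a store outside the source tree. The AES/GCM mode, the Base64 export format, and the "load from a configured string" step are choices made for this example, not something the page states about Kylin.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeySourceExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // Weak pattern (the one the report describes): key material is a compile-time
    // constant, so anyone holding the jar or the public repository holds the key.
    // Placeholder bytes for this example, not the project's actual value.
    private static final byte[] CONSTANT_KEY =
            "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    static SecretKey constantKey() {
        return new SecretKeySpec(CONSTANT_KEY, "AES");
    }

    // Corrected pattern: a 128-bit key from a cryptographically secure PRNG.
    static SecretKey generateKey() {
        byte[] key = new byte[16];
        RNG.nextBytes(key);
        return new SecretKeySpec(key, "AES");
    }

    // Export/reload so the key can live in a secrets store or a permission-restricted
    // config file (hypothetical storage; the example only shows the string form).
    static String exportKey(SecretKey key) {
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    static SecretKey loadKey(String base64Key) {
        byte[] key = Base64.getDecoder().decode(base64Key);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes");
        }
        // Defensive check: never silently fall back to the well-known constant.
        if (Arrays.equals(key, CONSTANT_KEY)) {
            throw new IllegalArgumentException("refusing to use the known constant key");
        }
        return new SecretKeySpec(key, "AES");
    }

    // AES-GCM with a fresh random IV per message; output layout is IV || ciphertext+tag.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        if (blob.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("blob too short to contain IV and tag");
        }
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, spec);
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "db-password".getBytes(StandardCharsets.UTF_8); // constructed sample

        // Generated once (e.g. at install time); the exported string is what goes
        // into the secrets store, never into a source file.
        SecretKey installKey = generateKey();
        String stored = exportKey(installKey);

        // At runtime the application reloads that same key and can read its data.
        SecretKey runtimeKey = loadKey(stored);
        byte[] blob = encrypt(installKey, secret);
        System.out.println("reloaded key decrypts: "
                + new String(decrypt(runtimeKey, blob), StandardCharsets.UTF_8));

        // A key regenerated on every start is random, but useless for earlier data.
        try {
            decrypt(generateKey(), blob);
        } catch (AEADBadTagException e) {
            System.out.println("fresh random key cannot decrypt earlier ciphertext");
        }

        // The loader rejects the constant outright rather than falling back to it.
        try {
            loadKey(Base64.getEncoder().encodeToString(CONSTANT_KEY));
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of the round trip in main is the caveat that usually follows a "just use SecureRandom" fix: randomness alone does not make the key usable. It has to be generated once, kept outside the code base with restricted access, and the same bytes loaded at startup; the AEADBadTagException branch shows what happens when that step is skipped.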