Posted to jira@kafka.apache.org by "GeordieMai (Jira)" <ji...@apache.org> on 2021/02/08 04:22:00 UTC

[jira] [Comment Edited] (KAFKA-12306) Avoid using plaintext/hard-coded key while generating secret key

    [ https://issues.apache.org/jira/browse/KAFKA-12306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280744#comment-17280744 ] 

GeordieMai edited comment on KAFKA-12306 at 2/8/21, 4:21 AM:
-------------------------------------------------------------

[~Vicky Zhang] hello.
I think the hard-coded text `Password` is just a hint message.

You can see here:
https://github.com/apache/kafka/blob/42a9355e606bd2bbdb7fd0dd348805e6666dc189/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientCallbackHandler.java#L68


was (Author: geordie):
[~Vicky Zhang] hello.
I think the hard-coded text `Password` is just a hint message.

You can see here:
https://github.com/a0x8o/kafka/blob/88ad7d1b7f816ddce65c3b4fa188c4781fe75b67/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientCallbackHandler.java#L68

> Avoid using plaintext/hard-coded key while generating secret key 
> -----------------------------------------------------------------
>
>                 Key: KAFKA-12306
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12306
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients
>            Reporter: Vicky Zhang
>            Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We'll so appreciate it if you can give any feedback on it.
> *Security Location:* 
> in file kafka/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramFormatter.java lines 58 and 76, new SecretKeySpec(key, algorithm) is invoked with a hard-coded key, which is defined in file kafka/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java  line 127 -> 189.
> *Security Impact:* 
> Cryptographic keys should not be kept in the source code. The source code can be widely shared in an enterprise environment and is certainly shared in open source. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
> *Suggestions:*
> To be managed safely, passwords and secret keys should be stored in separate configuration files. 
> Useful link:
> [https://cwe.mitre.org/data/definitions/321.html]
> [https://www.appmarq.com/public/tqi,1039028,CWE-327-Avoid-weak-encryption-providing-not-sufficient-key-size-JEE]
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
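For readers assessing the finding: the SCRAM-SHA-256 derivation that ScramFormatter implements (RFC 5802/7677) is sketched below as an added Python example, not Kafka's code and not part of either comment. The string constants "Client Key" and "Server Key" are the HMAC message text; the key handed to the MAC (the Java `SecretKeySpec` argument) is derived from the user's password and a per-user salt at runtime. The password, salt and AuthMessage values are constructed for the demo.

```python
import hashlib
import hmac
import os

HASH = "sha256"
ITERATIONS = 4096  # constructed sample iteration count


def salted_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hi(password, salt, i) from RFC 5802: PBKDF2-HMAC over the user's password.
    This runtime-derived value is what a SecretKeySpec would wrap; no key is compiled in."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def client_key(salted: bytes) -> bytes:
    # "Client Key" is a public label used as the HMAC *message*; the *key* is the salted password.
    return hmac.new(salted, b"Client Key", HASH).digest()


def server_key(salted: bytes) -> bytes:
    return hmac.new(salted, b"Server Key", HASH).digest()


def stored_key(ckey: bytes) -> bytes:
    # The server persists H(ClientKey), never the password or the ClientKey itself.
    return hashlib.sha256(ckey).digest()


def client_proof(password: str, salt: bytes, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    ckey = client_key(salted_password(password, salt))
    sig = hmac.new(stored_key(ckey), auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(ckey, sig))


def server_verify(stored: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    sig = hmac.new(stored, auth_message, HASH).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed: per-user random salt chosen at credential creation
    stored = stored_key(client_key(salted_password("pencil", salt)))
    auth_msg = b"n=user,r=cnonce,r=cnonce-snonce,s=c2FsdA==,i=4096,c=biws,r=cnonce-snonce"
    print(server_verify(stored, auth_msg, client_proof("pencil", salt, auth_msg)))
```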