[jira] [Created] (RANGER-3216) Use an outdated Key Derivation Function "PBEWithMD5AndTripleDES"

["Ya Xiao (Jira)" <ji...@apache.org>]

Ya Xiao created RANGER-3216:
-------------------------------

             Summary: Use an outdated Key Derivation Function "PBEWithMD5AndTripleDES"
                 Key: RANGER-3216
                 URL: https://issues.apache.org/jira/browse/RANGER-3216
             Project: Ranger
          Issue Type: Improvement
          Components: kms
            Reporter: Ya Xiao


*Description:*

**We ** found a security vulnerability in File [ranger/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java|[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java|https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java].]]. An outdated password-based key derivation function "PBEWithMD5AndTripleDES" is used at Line 302 and 314. It produces a cryptographic key for Triple-DES cipher algorithm from the password. However, the Triple-DES is retired and not strong enough.

*Security Impact**:*

**Triple DES is an outdated cipher algorithm. Its effective key length is 112 bits, which is weaker than AES-128. Its short block size (64 bits) makes it more vulnerable to attacks like [Sweet32|https://beaglesecurity.com/blog/vulnerability/sweet32-attack.html#:~:text=The%20Sweet32%20is%20an%20attack,recover%20small%20portions%20of%20plaintext.].

*Useful Resources**:*

[https://cwe.mitre.org/data/definitions/327.html]

[https://www.cvedetails.com/cve/CVE-2016-2183/]

[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]

*Solution we suggest:***

**Replace Triple DES to AES. Replace the "PBEWithMD5AndTripleDES" to "PBEWithHmacSHA256AndAES_128"

*Please share with us your opinions/comments if there is any:*



--
This message was sent by Atlassian Jira
(v8.3.4#803005)