You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Ya Xiao (Jira)" <ji...@apache.org> on 2021/03/20 05:14:00 UTC
[jira] [Created] (RANGER-3216) Use an outdated Key Derivation
Function "PBEWithMD5AndTripleDES"
Ya Xiao created RANGER-3216:
-------------------------------
Summary: Use an outdated Key Derivation Function "PBEWithMD5AndTripleDES"
Key: RANGER-3216
URL: https://issues.apache.org/jira/browse/RANGER-3216
Project: Ranger
Issue Type: Improvement
Components: kms
Reporter: Ya Xiao
*Description:*
**We ** found a security vulnerability in File [ranger/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java|[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java|https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java].]]. An outdated password-based key derivation function "PBEWithMD5AndTripleDES" is used at Line 302 and 314. It produces a cryptographic key for Triple-DES cipher algorithm from the password. However, the Triple-DES is retired and not strong enough.
*Security Impact**:*
**Triple DES is an outdated cipher algorithm. Its effective key length is 112 bits, which is weaker than AES-128. Its short block size (64 bits) makes it more vulnerable to attacks like [Sweet32|https://beaglesecurity.com/blog/vulnerability/sweet32-attack.html#:~:text=The%20Sweet32%20is%20an%20attack,recover%20small%20portions%20of%20plaintext.].
*Useful Resources**:*
[https://cwe.mitre.org/data/definitions/327.html]
[https://www.cvedetails.com/cve/CVE-2016-2183/]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
*Solution we suggest:***
**Replace Triple DES to AES. Replace the "PBEWithMD5AndTripleDES" to "PBEWithHmacSHA256AndAES_128"
*Please share with us your opinions/comments if there is any:*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)