Detected Insecure Algorithm #4901

Open
1 of 9 tasks
anugu-vijaykanth opened this issue Apr 12, 2021 · 0 comments
Labels
community Community Raised Issue

Comments

@anugu-vijaykanth

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

The preferred algorithms for symmetric key cryptography are AES and Twofish. For asymmetric key encryption, RSA is the standard algorithm; for new development, use a minimum key length of 2048 bits.

For hash algorithms, SHA-256 becomes the generally recommended hash function. NIST has mandated that as soon as practical, federal agencies stop using SHA-1 and switch to the SHA-2 or SHA-3 family of hash algorithms (such as SHA-224, SHA-256, SHA-384 and SHA-512) for all but a few types of uses.

We encourage the use of SHA-3 algorithms for all new development, as SHA-2 algorithms are vulnerable to length extension attacks.

Applications with extensive security needs should consider using AES-192 or AES-256, RSA with larger key sizes, and SHA-512.

Actual behaviour

These functions use cryptographic algorithms no longer considered sufficiently secure, even for general use.

Cryptographic algorithms serve a variety of purposes, including encrypting and decrypting data, signing data to verify that it has not changed, or that it came from a trusted source. Modern cryptographic algorithms rely entirely on the secrecy of their keys for their security; the algorithms themselves are well-known and carefully studied. As computational power increases, some algorithms no longer provide enough of a security guarantee. Other algorithms have proved weaker than originally intended.

The use of weak algorithms is dangerous because an attacker may be able to determine the key used for encryption or otherwise compromise the integrity of the algorithm.

There are three classes of cryptographic algorithms:

  • Symmetric key algorithms use the same key for encryption and decryption
  • Public key algorithms use separate public and private keys for encryption and decryption
  • Hash algorithms generate a unique hash of data in a way that is not reversible

For hash algorithms, SHA-1 was the standard until recently. However, SHA-1 now has some known theoretical weaknesses and is considered suspect.

Steps to reproduce the behavior

This issue occurs in a few file paths:
cfmr-ui\src\jetstream\plugins\monocular\cache.go:6
cfmr-ui\src\jetstream\plugins\monocular\cache.go:340
cfmr-ui\src\jetstream\plugins\userinfo\local_user.go:7
cfmr-ui\src\jetstream\plugins\userinfo\local_user.go:124
cfmr-ui\src\jetstream\cnsi.go:15
cfmr-ui\src\jetstream\cnsi.go:126
cfmr-ui\src\jetstream\crypto\crypto.go:9
cfmr-ui\src\jetstream\crypto\crypto.go:29
cfmr-ui\src\jetstream\crypto\crypto.go:36
cfmr-ui\src\jetstream\main.go:4
cfmr-ui\src\jetstream\main.go:682
cfmr-ui\src\jetstream\plugins\backup\backup_restore.go:4
cfmr-ui\src\jetstream\plugins\backup\backup_restore.go:329
cfmr-ui\src\jetstream\plugins\userinfo\local_user.go:150
cfmr-ui\src\jetstream\plugins\cfappssh\app_ssh.go:196
cfmr-ui\src\jetstream\plugins\desktop\endpoints.go:4
cfmr-ui\src\jetstream\plugins\desktop\endpoints.go:130
cfmr-ui\src\jetstream\plugins\desktop\kubernetes\endpoints.go:4
cfmr-ui\src\jetstream\plugins\desktop\kubernetes\endpoints.go:112

Log output covering before error and any error statements

Insert log here

Detailed Description

Insecure algorithm is detected

Context

Possible Implementation

@richard-cox richard-cox added the community Community Raised Issue label Apr 12, 2021