phoenix-dev mailing list archives

From "Koundinya Ravulapati (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-4702) MD5 Hash Algorithm in Phoenix which is insecure and easily cracked
Date Fri, 27 Apr 2018 16:47:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16456724#comment-16456724 ]

Koundinya Ravulapati commented on PHOENIX-4702:
-----------------------------------------------

[~gjacoby] I could only see these references [https://github.com/apache/phoenix/search?utf8=%E2%9C%93&q=MD5&type=], which
match the uses you have given, and nothing solid to prove the jar is depending on MD5 as
a cryptographic hash.

> MD5 Hash Algorithm in Phoenix which is insecure and easily cracked
> ------------------------------------------------------------------
>
>                 Key: PHOENIX-4702
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4702
>             Project: Phoenix
>          Issue Type: Improvement
>    Affects Versions: 4.7.0
>            Reporter: Koundinya Ravulapati
>            Priority: Major
>              Labels: Encryption, Phoenix, Security, hashing
>
> Hi Team,
> We have run a security check on
> compile group: 'org.apache.phoenix', name: 'phoenix', version: '4.7.0-CLABS-1.3.0', classifier: 'client-minimal'
> and our security scan has revealed that Phoenix is using a weak encryption MD5 like
> digest = java.security.MessageDigest.getInstance("MD5")
> The hashing algorithm used, MD5, has been found by researchers to be unsafe for protecting
> sensitive data with today's technology.
> I have checked the [https://github.com/apache/phoenix/tree/4.7.0-HBase-1.1]
> and also other versions; it is still having the same algorithm. Is the Phoenix team considering
> using a stronger algorithm like SHA-256? Can you please let us know if this is already
> available in any new versions of Phoenix, or in which version this can be made available if the team
> is working on it.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
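
An added example, not part of the original message or of Phoenix's code: a small Python triage script that lists every `MessageDigest.getInstance` call in a Java source together with the algorithm it requests, so each flagged call site can be read to decide whether the digest serves a security purpose. The function name, the weak-algorithm list and the sample Java source are constructed for illustration.

```python
import re

# Digests with known collision weaknesses; assumed list for this example.
WEAK = {"MD2", "MD4", "MD5", "SHA1", "SHA-1"}

# First argument of MessageDigest.getInstance(...), literal or identifier.
CALL = re.compile(r'MessageDigest\s*\.\s*getInstance\s*\(\s*([^,)]+?)\s*[,)]')
# Simple string constants, e.g.  String ALGO = "MD5";
CONST = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"\s*;')


def find_digest_calls(java_source):
    """Return (line_no, algorithm, is_weak) for each getInstance call."""
    # Resolve string constants so getInstance(ALGO) is not missed.
    constants = dict(CONST.findall(java_source))
    findings = []
    for no, line in enumerate(java_source.splitlines(), 1):
        # Drop trailing // comments (naive: does not parse string literals).
        code = line.split("//", 1)[0]
        for m in CALL.finditer(code):
            arg = m.group(1)
            if arg.startswith('"') and arg.endswith('"'):
                algo = arg[1:-1]
            else:
                # An unresolved identifier is reported with a '?' prefix.
                algo = constants.get(arg, "?" + arg)
            findings.append((no, algo, algo.upper() in WEAK))
    return findings


# Constructed sample input, not taken from the Phoenix code base.
SAMPLE = '''\
import java.security.MessageDigest;
class Example {
    private static final String ALGO = "MD5";
    byte[] rowKeyPrefix(byte[] b) throws Exception {
        return MessageDigest.getInstance(ALGO).digest(b);
    }
    byte[] checksum(byte[] b) throws Exception {
        MessageDigest digest = java.security.MessageDigest.getInstance("SHA-256");
        return digest.digest(b);
    }
    // old: MessageDigest.getInstance("SHA-1")
    byte[] legacy(byte[] b) throws Exception {
        return MessageDigest.getInstance( "md5" ).digest(b);
    }
}
'''

if __name__ == "__main__":
    for no, algo, weak in find_digest_calls(SAMPLE):
        print(f"line {no}: {algo} {'REVIEW' if weak else 'ok'}")
```

A hit only marks a call site for review; whether the digest is used as a cryptographic hash has to be judged from the surrounding code.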
