
Increase the iteration count of KDF and stop using SHA1, 3DES and hardcoded credentials #108156

Open
Gax-c opened this issue May 1, 2024 · 1 comment
Labels
>enhancement :Security/Security Security issues without another label Team:Security Meta label for security team

Comments

@Gax-c

Gax-c commented May 1, 2024

Hi, I'm new to elasticsearch, and when I was browsing the code I found some potential risks.

1. The iteration count for PBEKeySpec is only 1024, which is not sufficiently high to protect against brute-force attacks here.
        PBEKeySpec keySpec = new PBEKeySpec(hashedPassphrase, salt, 1024, 128);
2. Similar to the previous statement, the iteration count for KDF should be at least 600,000. But in the source code there is only 10,000 here. You can refer to KDF Algorithms | Bitwarden Help Center here for more information.
        private static final int KDF_ITERATION_COUNT = 10000;
3. The broken algorithms SHA1 and 3DES are still in use here. SHA1 and 3DES have long been considered to be vulnerable, and it's insecure to use them.
        byte[] shortKey = SecretKeyFactory.getInstance("PBEWithSHA1AndDESede").generateSecret(keySpec).getEncoded();
4. The credentials are hardcoded in the code here. Although it's only the default one, it will still lead to potential risks.
        private static final char[] DEFAULT_PASS_PHRASE = "elasticsearch-license".toCharArray();

I sincerely think these suggestions can help make Elasticsearch better.
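The four points above describe the same pattern: a PBE key derived with too few iterations, through a SHA1/3DES algorithm string, from a passphrase that has a compiled-in default. The following is an added Java example written for this page, not Elasticsearch's code, showing the shape a hardened version takes. It assumes the standard JCA names `PBKDF2WithHmacSHA256` and `AES/GCM/NoPadding` are available in the runtime, uses the 600,000 iteration figure the issue cites, and reads the passphrase from a hypothetical environment variable instead of a default constant. The output layout (salt, nonce, ciphertext) and the class and method names are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration, not Elasticsearch code: PBKDF2-HMAC-SHA256 at 600,000 iterations
 * feeding AES-256-GCM, in place of PBEWithSHA1AndDESede at 1,024 / 10,000 iterations,
 * with no built-in default passphrase.
 */
public final class HardenedKdfExample {
    // Constants chosen for this example; 600,000 is the minimum the issue asks for.
    private static final String KDF_ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int KDF_ITERATION_COUNT = 600_000;
    private static final int KEY_LENGTH_BITS = 256;
    private static final int SALT_LENGTH_BYTES = 16;
    private static final int GCM_NONCE_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    private HardenedKdfExample() {}

    /** Derives an AES key from a passphrase and a caller-supplied random salt. */
    public static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        if (salt.length < SALT_LENGTH_BYTES) {
            throw new IllegalArgumentException("salt must be at least " + SALT_LENGTH_BYTES + " bytes");
        }
        // PBEKeySpec copies the passphrase, so clearing the spec does not touch the caller's array.
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, KDF_ITERATION_COUNT, KEY_LENGTH_BITS);
        try {
            byte[] keyBytes = SecretKeyFactory.getInstance(KDF_ALGORITHM).generateSecret(spec).getEncoded();
            SecretKey key = new SecretKeySpec(keyBytes, "AES"); // SecretKeySpec clones the bytes
            Arrays.fill(keyBytes, (byte) 0);
            return key;
        } finally {
            spec.clearPassword();
        }
    }

    /** Encrypts with AES-GCM; output is salt || nonce || ciphertext+tag so the receiver can re-derive the key. */
    public static byte[] encrypt(char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LENGTH_BYTES];
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(salt); // fresh random salt per encryption, never a fixed value
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[salt.length + nonce.length + ct.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(nonce, 0, out, salt.length, nonce.length);
        System.arraycopy(ct, 0, out, salt.length + nonce.length, ct.length);
        return out;
    }

    /** Re-derives the key from the stored salt and decrypts; a wrong passphrase or tampering fails the GCM tag check. */
    public static byte[] decrypt(char[] passphrase, byte[] blob) throws Exception {
        int ctStart = SALT_LENGTH_BYTES + GCM_NONCE_BYTES;
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LENGTH_BYTES);
        byte[] nonce = Arrays.copyOfRange(blob, SALT_LENGTH_BYTES, ctStart);
        byte[] ct = Arrays.copyOfRange(blob, ctStart, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return cipher.doFinal(ct); // throws AEADBadTagException rather than returning garbage
    }

    /** Reads the passphrase from the environment; refusing to run replaces the compiled-in default. */
    public static char[] passphraseFromEnvironment(String variable) {
        String value = System.getenv(variable);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("set " + variable + "; this example has no default passphrase");
        }
        return value.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical variable name for this example.
        char[] passphrase = passphraseFromEnvironment("EXAMPLE_LICENSE_PASSPHRASE");
        byte[] blob = encrypt(passphrase, "constructed sample payload".getBytes(StandardCharsets.UTF_8));
        byte[] back = decrypt(passphrase, blob);
        Arrays.fill(passphrase, '\0');
        System.out.println(new String(back, StandardCharsets.UTF_8));
    }
}
```

Two design points are worth noting. The salt is generated per call and stored alongside the ciphertext, so two encryptions of the same payload under the same passphrase never share a derived key, and nothing in the class needs to hold a default secret. The iteration count is the knob that makes offline guessing expensive; raising it only helps when the passphrase itself is not guessable from the source, which is why the default constant in point 4 matters as much as the numbers in points 1 and 2.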

@elasticsearchmachine elasticsearchmachine added the needs:triage Requires assignment of a team area label label May 1, 2024
@parkertimmins parkertimmins added :Security/Security Security issues without another label >enhancement and removed needs:triage Requires assignment of a team area label labels May 1, 2024
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label May 1, 2024