Stratos Version
4.4.0
Frontend Deployment type
Backend (Jet Stream) Deployment type
Expected behaviour
The preferred algorithms for symmetric key cryptography are AES and Twofish. For asymmetric key encryption, RSA is the standard algorithm; for new development, use a minimum key length of 2048 bits.
For hash algorithms, SHA-256 becomes the generally recommended hash function. NIST has mandated that as soon as practical, federal agencies stop using SHA-1 and switch to the SHA-2 or SHA-3 family of hash algorithms (such as SHA-224, SHA-256, SHA-384 and SHA-512) for all but a few types of uses.
We encourage the use of SHA-3 algorithms for all new development, as SHA-2 algorithms are vulnerable to length extension attacks.
Applications with extensive security needs should consider using AES-192 or AES-256, RSA with larger key sizes, and SHA-512.
Actual behaviour
These functions use cryptographic algorithms no longer considered sufficiently secure, even for general use.
Cryptographic algorithms serve a variety of purposes, including encrypting and decrypting data, signing data to verify that it has not changed, or that it came from a trusted source. Modern cryptographic algorithms rely entirely on the secrecy of their keys for their security; the algorithms themselves are well-known and carefully studied. As computational power increases, some algorithms no longer provide enough of a security guarantee. Other algorithms have proved weaker than originally intended.
The use of weak algorithms is dangerous because an attacker may be able to determine the key used for encryption or otherwise compromise the integrity of the algorithm.
There are three classes of cryptographic algorithms:
Symmetric key algorithms use the same key for encryption and decryption
Public key algorithms use separate public and private keys for encryption and decryption
Hash algorithms generate a unique hash of data in a way that is not reversible
For hash algorithms, SHA-1 was the standard until recently. However, SHA-1 now has some known theoretical weaknesses and is considered suspect.
Steps to reproduce the behavior
This issue occurred in a few file paths:
cfmr-ui\src\jetstream\plugins\monocular\cache.go:6
cfmr-ui\src\jetstream\plugins\monocular\cache.go:340
cfmr-ui\src\jetstream\plugins\userinfo\local_user.go:7
cfmr-ui\src\jetstream\plugins\userinfo\local_user.go:124
cfmr-ui\src\jetstream\cnsi.go:15
cfmr-ui\src\jetstream\cnsi.go:126
cfmr-ui\src\jetstream\crypto\crypto.go:9
cfmr-ui\src\jetstream\crypto\crypto.go:29
cfmr-ui\src\jetstream\crypto\crypto.go:36
cfmr-ui\src\jetstream\main.go:4
cfmr-ui\src\jetstream\main.go:682
cfmr-ui\src\jetstream\plugins\backup\backup_restore.go:4
cfmr-ui\src\jetstream\plugins\backup\backup_restore.go:329
cfmr-ui\src\jetstream\plugins\userinfo\local_user.go:150
cfmr-ui\src\jetstream\plugins\cfappssh\app_ssh.go:196
cfmr-ui\src\jetstream\plugins\desktop\endpoints.go:4
cfmr-ui\src\jetstream\plugins\desktop\endpoints.go:130
cfmr-ui\src\jetstream\plugins\desktop\kubernetes\endpoints.go:4
cfmr-ui\src\jetstream\plugins\desktop\kubernetes\endpoints.go:112
Log output covering before error and any error statements
Detailed Description
Insecure algorithm is detected
Context
Possible Implementation
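An added example, not part of the original issue and not code from the project: a small Go checker that reports `file:line` findings, in the same form as the path list above, for imports of packages commonly flagged as weak and for each call made through them. The names `FindWeakCrypto`, `weakPkgs` and `constructedSrc` are hypothetical, the package list is illustrative, and the sample source is constructed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// weakPkgs maps flagged import paths to their default package name (illustrative list).
var weakPkgs = map[string]string{"crypto/md5": "md5", "crypto/sha1": "sha1", "crypto/des": "des", "crypto/rc4": "rc4"}

// constructedSrc is a constructed sample, not code from the project named in the issue.
const constructedSrc = `package sample
import "crypto/sha1"
func key(s string) [20]byte { return sha1.Sum([]byte(s)) }
`

// FindWeakCrypto returns a "file:line" finding for each flagged import and each use of it.
func FindWeakCrypto(name, src string) (out []string, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, name, src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // identifier used in this file -> import path
	for _, imp := range f.Imports {
		path, _ := strconv.Unquote(imp.Path.Value)
		id, weak := weakPkgs[path]
		if imp.Name != nil {
			id = imp.Name.Name // aliased import, e.g. h "crypto/md5"
		}
		if weak {
			local[id] = path
			out = append(out, fmt.Sprintf("%s:%d: import %s", name, fset.Position(imp.Pos()).Line, path))
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if x, ok := sel.X.(*ast.Ident); ok && local[x.Name] != "" {
				out = append(out, fmt.Sprintf("%s:%d: use %s.%s", name, fset.Position(sel.Pos()).Line, local[x.Name], sel.Sel.Name))
			}
		}
		return true
	})
	return out, nil
}

func main() { fmt.Println(FindWeakCrypto("sample.go", constructedSrc)) }
```

The check is syntactic only: it does not resolve types, so a local variable that shares a flagged package's name would also be reported and needs manual review.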