Stop using DES and avoid hardcoded key

Open Gax-c opened this issue 1 year ago • 1 comment

Description

Why you need it?

We've identified that in the file SecuredPasswordEncrypter.java, the encryption key is hardcoded, and vulnerable algorithms DES and 3DES are still in use here.

    // Encryption key is a compile-time constant, shipped identically to every installation
    private static final byte[] PASSWORD_ENCRYPTION_KEY = "sdf@!#$verf^wv%6Fwe%$$#FFGwfsdefwfe135s$^H)dg".getBytes(Charset.defaultCharset());

    // Cipher scheme identifiers: triple DES ("DESede") and single DES
    public static final String SCHEME_DESEDE = "DESede";
    public static final String SCHEME_DES = "DES";

How could it be?

The hardcoded encryption key may be exposed to the attacker, and the password storage will be insecure. DES and 3DES have long been regarded as vulnerable. Applying these two algorithms to password storage may not be considered secure.

DBeaver Version

24.0.3

Operating System

No response

Database and driver

No response

Steps to reproduce

No response

Additional context

No response

Gax-c avatar May 01 '24 16:05 Gax-c
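The two points raised above (a key literal baked into the class, and a DES-family cipher) are easiest to see side by side. The following is an added example written for this thread, not DBeaver code: the `WeakPattern` class mirrors only the shape of the reported pattern (the key literal, the cipher mode and the 24-byte key length are constructed assumptions, not taken from `SecuredPasswordEncrypter.java`), and `HardenedPattern` shows the usual replacement, an AES-256 key that is generated or loaded at runtime (the `keyFromEnvironment` convention is an assumption) and used with GCM so that each stored secret is randomised and integrity-protected.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example for the issue discussion; not part of DBeaver. */
public final class PasswordEncryptionExample {

    /** The anti-pattern: key is a compile-time constant, cipher is DES-family. */
    static final class WeakPattern {
        // Hypothetical key literal (NOT the one from the real file); 24 bytes for DESede.
        private static final byte[] HARDCODED_KEY =
                "example-hardcoded-key-24".getBytes(StandardCharsets.US_ASCII);

        static byte[] encrypt(String plaintext) throws GeneralSecurityException {
            // Every installation shares this key, so anyone holding the jar holds the key.
            SecretKey key = new SecretKeySpec(HARDCODED_KEY, "DESede");
            // Mode assumed for illustration: ECB has no IV, so equal inputs give equal outputs.
            Cipher cipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** The replacement: key material supplied at runtime, AEAD cipher. */
    static final class HardenedPattern {
        private static final int GCM_IV_BYTES = 12;   // 96-bit IV, the recommended GCM size
        private static final int GCM_TAG_BITS = 128;  // full-length authentication tag
        private static final SecureRandom RNG = new SecureRandom();

        /** Fresh AES-256 key; a deployment would persist it in a KeyStore or OS secret store. */
        static SecretKey generateKey() throws GeneralSecurityException {
            KeyGenerator gen = KeyGenerator.getInstance("AES");
            gen.init(256);
            return gen.generateKey();
        }

        /** Load a base64-encoded 256-bit key from the environment (assumed convention). */
        static SecretKey keyFromEnvironment(String varName) {
            String encoded = System.getenv(varName);
            if (encoded == null || encoded.isEmpty()) {
                throw new IllegalStateException("no key material in " + varName);
            }
            byte[] raw = Base64.getDecoder().decode(encoded);
            if (raw.length != 32) {
                throw new IllegalStateException("expected a 256-bit key in " + varName);
            }
            return new SecretKeySpec(raw, "AES");
        }

        /** Output layout: IV || ciphertext || tag. A random IV per call randomises equal inputs. */
        static byte[] encrypt(SecretKey key, String plaintext) throws GeneralSecurityException {
            byte[] iv = new byte[GCM_IV_BYTES];
            RNG.nextBytes(iv);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
            byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return out;
        }

        /** Throws AEADBadTagException if the blob was modified or the key is wrong. */
        static String decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
            byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
            byte[] ct = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
            return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String secret = "hunter2"; // constructed sample password

        byte[] weak1 = WeakPattern.encrypt(secret);
        byte[] weak2 = WeakPattern.encrypt(secret);
        System.out.println("DESede/ECB, same input twice, identical ciphertext: "
                + Arrays.equals(weak1, weak2));

        SecretKey key = HardenedPattern.generateKey();
        byte[] strong1 = HardenedPattern.encrypt(key, secret);
        byte[] strong2 = HardenedPattern.encrypt(key, secret);
        System.out.println("AES-GCM, same input twice, identical ciphertext: "
                + Arrays.equals(strong1, strong2));
        System.out.println("AES-GCM round trip ok: "
                + secret.equals(HardenedPattern.decrypt(key, strong1)));
    }
}
```

Run with `javac PasswordEncryptionExample.java && java PasswordEncryptionExample`. The point of the two `Arrays.equals` checks is the one the report makes about storage: with a shared constant key and a deterministic mode, every installation that stores the same password stores the same bytes, whereas with a per-installation key and a random IV the stored bytes carry no information about the password without the key, and tampering is detected on decryption rather than silently producing garbage.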

Thank you for the report

E1izabeth avatar May 02 '24 10:05 E1izabeth

But PASSWORD_ENCRYPTION_KEY can still be found in SecuredPasswordEncrypter.java - is this intentional?

ckujau avatar Jul 16 '24 16:07 ckujau

@ckujau yes, it is intentional. Please read the Javadoc. It is only kept for backward compatibility reasons.

https://github.com/dbeaver/dbeaver/blob/6755db48271c2536772ff1de8fe47a26ee54f6ed/plugins/org.jkiss.dbeaver.model/src/org/jkiss/dbeaver/runtime/encode/SecuredPasswordEncrypter.java#L32-L36

ShadelessFox avatar Jul 16 '24 16:07 ShadelessFox