  MariaDB Server
  MDEV-27104

deprecate DES_ENCRYPT/DECRYPT functions

Details

    Description

      Hopefully nobody uses them anymore.

      https://en.wikipedia.org/wiki/Triple_DES:

      The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. A CVE released in 2016, CVE-2016-2183, disclosed a major security vulnerability in the DES and 3DES encryption algorithms. Because of this CVE, combined with the inadequate key size of DES and 3DES, NIST deprecated DES and 3DES for new applications in 2017, and for all applications by 2023. They have been replaced with the more secure, more robust AES.

          Activity

            serg Sergei Golubchik added a comment

            branch preview-10.10-misc

            monty Michael Widenius added a comment

            Please stop testing this until it is clearly documented why we should remove this function.

            The default is that MariaDB should NOT remove any old functions or functionality that people MAY still use, unless there is a VERY good reason why we cannot support the old functionality anymore.

            What have we done to ensure/check that these functions are still not used?
            What should users use instead?
            How should they migrate old servers/applications?
            How can they test if these functions are not in use?
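Two of the questions raised in the comment above (how to check whether the functions are still in use, and how to migrate away from them) can be answered from SQL. The following is an added example, not part of the issue or of MariaDB's own test suite. The first part only reads information_schema and, where performance_schema is enabled, the statement digest table; the second part assumes a hypothetical table `secrets` with a column `secret` holding DES_ENCRYPT output under the key string 'oldkey' and a marker column `enc_alg`, and re-encrypts it with AES_ENCRYPT under 'newkey'.

```sql
-- Part 1: find stored code that still references the deprecated functions.
-- information_schema exposes the definitions of routines, views, triggers
-- and events; "\_" keeps the underscore literal inside LIKE.
SELECT 'ROUTINE' AS kind, ROUTINE_SCHEMA AS db, ROUTINE_NAME AS name
  FROM information_schema.ROUTINES
 WHERE ROUTINE_DEFINITION LIKE '%DES\_ENCRYPT%'
    OR ROUTINE_DEFINITION LIKE '%DES\_DECRYPT%'
UNION ALL
SELECT 'VIEW', TABLE_SCHEMA, TABLE_NAME
  FROM information_schema.VIEWS
 WHERE VIEW_DEFINITION LIKE '%DES\_ENCRYPT%'
    OR VIEW_DEFINITION LIKE '%DES\_DECRYPT%'
UNION ALL
SELECT 'TRIGGER', TRIGGER_SCHEMA, TRIGGER_NAME
  FROM information_schema.TRIGGERS
 WHERE ACTION_STATEMENT LIKE '%DES\_ENCRYPT%'
    OR ACTION_STATEMENT LIKE '%DES\_DECRYPT%'
UNION ALL
SELECT 'EVENT', EVENT_SCHEMA, EVENT_NAME
  FROM information_schema.EVENTS
 WHERE EVENT_DEFINITION LIKE '%DES\_ENCRYPT%'
    OR EVENT_DEFINITION LIKE '%DES\_DECRYPT%';

-- Calls issued ad hoc by applications do not show up in information_schema.
-- If performance_schema is ON, the statement digest summary records them
-- (the digest normalises literals, so the key strings are not exposed).
SELECT SCHEMA_NAME, COUNT_STAR, LAST_SEEN, DIGEST_TEXT
  FROM performance_schema.events_statements_summary_by_digest
 WHERE DIGEST_TEXT LIKE '%DES\_ENCRYPT%'
    OR DIGEST_TEXT LIKE '%DES\_DECRYPT%'
 ORDER BY LAST_SEEN DESC;

-- Part 2: migrate a column in place (hypothetical table `secrets`).
-- DES_DECRYPT with the original key string recovers the plaintext and
-- AES_ENCRYPT re-protects it in the same statement, so the plaintext never
-- leaves the server. The enc_alg marker keeps a second run from
-- re-encrypting rows that are already in AES form.
START TRANSACTION;

UPDATE secrets
   SET secret  = AES_ENCRYPT(DES_DECRYPT(secret, 'oldkey'), 'newkey'),
       enc_alg = 'aes'
 WHERE enc_alg = 'des'
   AND secret IS NOT NULL;

-- DES_DECRYPT yields NULL when it cannot decrypt, and AES_ENCRYPT(NULL) is
-- NULL, so any row that lost its value here had a key mismatch: roll back
-- instead of committing if this count is not zero.
SELECT COUNT(*) AS lost_rows
  FROM secrets
 WHERE enc_alg = 'aes' AND secret IS NULL;

-- Spot-check that the new ciphertext round-trips before committing.
SELECT id, AES_DECRYPT(secret, 'newkey') AS plaintext
  FROM secrets
 WHERE enc_alg = 'aes'
 LIMIT 5;

COMMIT;
```

MariaDB's AES_ENCRYPT defaults to 128-bit AES in ECB mode, so identical plaintexts still produce identical ciphertexts; it is a large step up from single DES, but the key string should be long and random rather than a password-like word, and the old DES key should be retired once the lost_rows check passes and the transaction is committed.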

            serg Sergei Golubchik added a comment

            These questions will be relevant when we'll be removing this functionality. For now we only warn people that they should not be using DES.
            See https://en.wikipedia.org/wiki/Data_Encryption_Standard
            DES was superseded in 2001.

            A chosen-plaintext attack utilizing a rainbow table can recover the DES key for a single specific chosen plaintext ... in 25 seconds.

            One can brute-force the password in 15 days using a $1000 off-the-shelf Nvidia card. Or under 2 days with 8 such cards.

            Plain DES is pretty much irrelevant nowadays.

            serg Sergei Golubchik added a comment

            in bb-10.10-MDEV-27104 branch

            lstartseva Lena Startseva added a comment

            Test main.func_encrypt_nossl fails. Ex.:
            Part of test:

            -- source include/not_ssl.inc
            select des_encrypt("test", 'akeystr');

            Expected result:

            des_encrypt("test", 'akeystr')
            NULL
            Warnings:
            Note	1287	'des_encrypt' is deprecated and will be removed in a future release
            Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working

            Actual result:

            des_encrypt("test", 'akeystr')
            ���+YL���
            Warnings:
            Note	1287	'des_encrypt' is deprecated and will be removed in a future release

            serg, please, fix the test.
            serg Sergei Golubchik added a comment - edited

            Not quite. This test was supposed to be run when no ssl support is compiled in.
            This is not possible since 5.5: ssl support is always in the binary.

            But you can run this test with --mysqld=--skip-ssl. It'll run but fail as above, because ssl support is present in the binary.

            I'll update the test.

            lstartseva Lena Startseva added a comment

            Now all tests pass.
