Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: NanoTDF secure key from debug logging and iv conflict risk #208

Merged
merged 1 commit into from
Nov 5, 2024
Merged

fix: NanoTDF secure key from debug logging and iv conflict risk #208

merged 1 commit into from
Nov 5, 2024

Conversation

jentfoo
Copy link
Contributor

@jentfoo jentfoo commented Nov 4, 2024

This change is motivated from the CodeQL result: https://github.com/opentdf/java-sdk/security/code-scanning/1

Although that use of a static IV is deliberate, it helped highlight that we should ensure that there is no reuse of the IV when encrypting the data.

In addition it was found that there were two places the key was logged, due to the sensitivity of the key this has been removed.

@jentfoo
fix: NanoTDF secure key from debug logging and iv conflict risk
068e977 
This change is motivated from the CodeQL result: https://github.com/opentdf/java-sdk/security/code-scanning/1

Although that use of a static IV is deliberate, it helped highlight that we should ensure that there is no reuse of the IV when encrypting the data.

In addition it was found that there were two places the key was logged, due to the sensitivity of the key this has been removed.
@jentfoo jentfoo self-assigned this Nov 4, 2024
@jentfoo jentfoo requested review from a team as code owners November 4, 2024 21:57
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Nov 4, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@jentfoo jentfoo merged commit 6301d32 into main Nov 5, 2024
7 checks passed
@jentfoo jentfoo deleted the jent/nanoTDF_key_hardening branch November 5, 2024 16:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pflynn-virtru pflynn-virtru pflynn-virtru approved these changes

@dmihalcik-virtru dmihalcik-virtru dmihalcik-virtru approved these changes

Assignees

@jentfoo jentfoo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jentfoo @dmihalcik-virtru @pflynn-virtru