
[Eclipse Kura] Any concrete plans fixing CWE-540 in Kura CryptoService?

Dear Kura team, we have received the following request on security@eclipse-foundation.org:

Dear Kura Security Team,

I am asking about the status of improving the handling of the default password for AES encryption [1]. So far SECRET_KEY has a fixed value, and there is no advice to users on how to change this during system setup; instead they need to grep the source to find out about the system property. This hard-to-find configuration typically ends up in an insecure and tamper-prone edge management scenario. Is there a documentation enhancement planned, and what is the concept to roll out a hardened version that also covers the secure password handling in S7PlcDriver and other usage areas or the built-in AES service?

The question is due to a presentation I will be giving soon about Java-based IoT implementation security; that known password issue as-is degrades encryption to encoding. I could add time goals for a serious fix you may have to my slide about the issue; if there are none, I'll leave the "unclear" note I have in my draft.

Thanks,
Marc

[1] https://github.com/eclipse-kura/kura/blob/91f62adf9db409d4e7d08fae421b2b0678ae6ead/kura/org.eclipse.kura.core.crypto/src/main/java/org/eclipse/kura/core/crypto/CryptoServiceImpl.java#L70C26-L70C65
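
The fallback pattern the request describes, next to a fail-closed alternative, as an added Java example that is not part of the original request and not Kura's code. The class name, the key value and the property name `example.crypto.secretKey` are hypothetical stand-ins.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class KeyProvisioningCheck {
    // Hypothetical stand-ins, not Kura's values: a compiled-in key and the property that overrides it.
    static final byte[] BUILT_IN_KEY = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
    static final String KEY_PROPERTY = "example.crypto.secretKey";

    // Weak: silently falls back to a key that every reader of the source knows.
    static byte[] resolveKeyWeak() {
        String v = System.getProperty(KEY_PROPERTY);
        return v == null ? BUILT_IN_KEY.clone() : Base64.getDecoder().decode(v);
    }

    // Hardened: fail closed unless a per-device AES key (Base64, 128 or 256 bit) was provisioned.
    static byte[] resolveKeyStrict() {
        String v = System.getProperty(KEY_PROPERTY);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException(KEY_PROPERTY + " is not set; refusing to use a default key");
        }
        byte[] key = Base64.getDecoder().decode(v); // IllegalArgumentException on malformed input
        if (key.length != 16 && key.length != 32) {
            throw new IllegalStateException("expected a 128- or 256-bit key, got " + key.length * 8 + " bits");
        }
        if (Arrays.equals(key, BUILT_IN_KEY)) {
            throw new IllegalStateException("configured key equals the built-in default");
        }
        return key;
    }

    public static void main(String[] args) {
        // Unprovisioned device: the weak resolver hands back the published key.
        System.out.println("weak fallback is built-in key: " + Arrays.equals(resolveKeyWeak(), BUILT_IN_KEY));
        try {
            resolveKeyStrict();
        } catch (IllegalStateException e) {
            System.out.println("strict resolver: " + e.getMessage());
        }
        // Provisioning step: generate a random 256-bit key for this device.
        byte[] fresh = new byte[32];
        new SecureRandom().nextBytes(fresh);
        System.setProperty(KEY_PROPERTY, Base64.getEncoder().encodeToString(fresh));
        System.out.println("strict resolver after provisioning: " + resolveKeyStrict().length * 8 + " bits");
    }
}
```

A system property passed as a `-D` argument shows up in the process command line, so the fail-closed check matters more here than the key source, which would normally be a protected file or keystore.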
