[WIP] Encryption of SecureMgr #141

Closed
MoonkiHong opened this issue Oct 12, 2020 · 0 comments · Fixed by #189
@MoonkiHong

Originally posted by @tdrozdovsky in #131 (comment)

I personally think that sensitive data is returned by an access to passPhraseJWTPath. What do you think? @tdrozdovsky

log.Panicf("Failed to create passPhraseJWTPath %s: %s\n", passPhraseJWTPath, err)

This might be the same potential security risk as follows.

log.Println(logPrefix, "cannot create "+passPhraseJWTFilePath+": ", err)

Good point, I know and remember this security issue.

These only inform about a failed attempt to create the passPhraseJWTFilePath file.
But of course, storing such information in files (passPhrase, edge-orchestration.key, etc.) is a security risk.
I think in the future this should be solved with secure storage or with an access control system such as SELinux, SMACK, etc.

Thank you for the reminder.

@MoonkiHong MoonkiHong added the enhancement New feature or request label Oct 12, 2020
@MoonkiHong MoonkiHong mentioned this issue Oct 12, 2020
@MoonkiHong MoonkiHong changed the title Encryption of SecureMgr [WIP] Encryption of SecureMgr Nov 9, 2020
@MoonkiHong MoonkiHong self-assigned this Nov 9, 2020
MoonkiHong pushed a commit that referenced this issue Dec 3, 2020
…ed form (#189)

Signed-off-by: Taras Drozdovskyi <t.drozdovsky@samsung.com>

- File names were removed from logging in accordance with the CWE-312, 315 (Fixes #141);
- In this case, there were no security threats, but automatic vulnerability analysis systems recommend doing this.
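
An added example, not code from this repository or from the referenced commit: in Go, removing the file name from the log format string is not enough on its own, because the error returned by `os.Create` is an `*fs.PathError` whose text repeats the path. The helper names `redactPathErr` and `failureLine`, the `logPrefix` value and the sample path are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// logPrefix is a constructed stand-in for the prefix used in the quoted log call.
const logPrefix = "[securemgr-example]"

// redactPathErr returns a log-safe description of err with file names removed.
// *fs.PathError and *os.LinkError put the path(s) into Error(), so the name
// must be stripped from the error value as well as from the format string.
func redactPathErr(err error) string {
	if err == nil {
		return ""
	}
	var pe *fs.PathError
	if errors.As(err, &pe) {
		return pe.Op + ": " + pe.Err.Error()
	}
	var le *os.LinkError
	if errors.As(err, &le) {
		return le.Op + ": " + le.Err.Error()
	}
	return err.Error()
}

// failureLine builds the message to log when creating the passphrase file fails.
func failureLine(err error) string {
	return logPrefix + " cannot create passphrase file: " + redactPathErr(err)
}

func main() {
	// Constructed path whose parent directory does not exist, so os.Create fails.
	passPhraseJWTFilePath := filepath.Join(os.TempDir(), "missing-dir-example", "passPhraseJWT.txt")
	_, err := os.Create(passPhraseJWTFilePath)
	fmt.Println("raw error: ", err)              // still contains the full path
	fmt.Println("log line:  ", failureLine(err)) // operation and cause only
}
```

Errors that were flattened into a string with `%v` before reaching the helper cannot be unwrapped and pass through unchanged, so the redaction has to happen before any such formatting.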