Challenge 34 ☆☆

Welcome to Challenge 34. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Generating Random Keys

Many security folks teach engineers to use secure key derivation functions such as PBKDF2 when a key needs to be generated. A developer followed this advice and tried to create a key in Challenge34.java, which should now be far more secure than a hardcoded key. Can you spot the mistake? Can you find the value of the generated key?

Answer to solution:

This challenge can be solved by replaying the key derivation function with the given inputs.

  1. Run the function online

    • Locate the parameters used for the key derivation function in the generateKey function in Challenge34.java.

    • Copy the used parameters to an online generator and execute it.

    • The website will return the value of the key.

Why Key Derivation Functions are not safe when using hardcoded values

Key Derivation Functions (KDFs) are deterministic: for a given input they always produce the same output. So, if the parameters are hardcoded, anyone with access to the code can run the KDF with the specified parameters and obtain the key.

KDFs should derive keys from dynamic input, such as human-supplied passwords, or from material that comes from a secure random source. In both cases the KDF's input is neither hardcoded nor predictable, so the resulting key cannot be recovered from the source code alone.
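As an added illustration (not code from the WrongSecrets project or from Challenge34.java), the following Python shows both halves of the argument: with every PBKDF2 input hardcoded, the key is re-derivable from the source alone, while a runtime-supplied password combined with a random salt is not. The password, salt and iteration count below are constructed placeholders, not the challenge's real parameters.

```python
import hashlib
import hmac
import os

# Constructed placeholder inputs standing in for the values hardcoded in
# Challenge34.java; the real parameters are deliberately not reproduced here.
HARDCODED_PASSWORD = b"constructed-passphrase"
HARDCODED_SALT = b"constructed-salt"
ITERATIONS = 10_000
KEY_LEN = 32  # bytes, i.e. a 256-bit key


def derive_key(password: bytes, salt: bytes,
               iterations: int = ITERATIONS, key_len: int = KEY_LEN) -> bytes:
    """PBKDF2-HMAC-SHA256: the same computation an online PBKDF2 generator runs."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


def hardcoded_key() -> bytes:
    """The mistake: every PBKDF2 input is a constant in the source, so anyone who
    reads the code can call derive_key with the same constants and get this key."""
    return derive_key(HARDCODED_PASSWORD, HARDCODED_SALT)


def replay_from_source() -> bool:
    """What the solution above does: re-run the KDF with the parameters read from
    the code. True means the 'generated' key is fully recoverable from the source."""
    replayed = derive_key(HARDCODED_PASSWORD, HARDCODED_SALT)
    return hmac.compare_digest(hardcoded_key(), replayed)


def key_from_user_password(password: bytes) -> tuple[bytes, bytes]:
    """Correct use: the password arrives at runtime (never stored in code) and the
    salt is freshly random. Returns (salt, key); the salt is stored next to the
    ciphertext so the key can later be re-derived from the password alone."""
    salt = os.urandom(16)
    return salt, derive_key(password, salt)


if __name__ == "__main__":
    print("hardcoded key recoverable from source:", replay_from_source())
    # Constructed sample input standing in for a password typed by a user.
    salt, key = key_from_user_password(b"entered-at-runtime")
    print("random salt:", salt.hex())
    print("derived key:", key.hex())
```

Running the script twice prints the same answer for the hardcoded case but a different salt and key each time for the runtime-password case, which is exactly the property the hardcoded version lacks.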