Hi to all,
Two questions about the HMAC plugin by KONG.
1. How does the HMAC plugin rotate secrets?
In the HMAC RFC 2104 document, section 3, there is a sentence about the keys in HMAC:
…periodic key refreshment is a fundamental security practice that helps against potential weaknesses…
https://datatracker.ietf.org/doc/html/rfc2104#section-3
How does the HMAC plugin provided by KONG ensure this?
The implementation of this plugin does not seem to meet this requirement, unless I have a misunderstanding of the descriptions in the documentation.
2. Does the HMAC plugin provide encryption of the secret column in the database?
https://github.com/Kong/kong/blob/master/kong/plugins/hmac-auth/migrations/000_base_hmac_auth.lua
In the table “hmacauth_credentials”, the column “secret” holds the value, using the type “text”. Is there any mechanism to encrypt this field?
I will be grateful for your help.
Greetings,
Paul
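The "periodic key refreshment" that RFC 2104 recommends is usually implemented on the verifier side as overlapping validity windows: a new secret is issued, the old one keeps working for a grace period so clients can switch, and then it is retired. The following Python example illustrates that scheme end to end. It is an added example written for this thread, not code from Kong or from the hmac-auth plugin; the in-memory CredentialStore, the key_id naming, the signing-string layout (one line per signed header, with request-line as a pseudo-header) and the sample request are all assumptions made for illustration, and the example does not address how secrets are protected at rest.

```python
"""Added example: HMAC request verification with overlapping secret rotation.

Not Kong code. The store, key ids, signing-string layout and sample request
are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Credential:
    key_id: str
    secret: bytes
    valid_from: int               # inclusive, seconds since epoch
    valid_until: Optional[int]    # exclusive; None means "until rotated"

    def is_active(self, now: int) -> bool:
        return self.valid_from <= now and (self.valid_until is None or now < self.valid_until)


class CredentialStore:
    """In-memory stand-in for a credentials table: one user, many dated secrets."""

    def __init__(self) -> None:
        self._by_user: Dict[str, List[Credential]] = {}

    def add(self, username: str, cred: Credential) -> None:
        self._by_user.setdefault(username, []).append(cred)

    def rotate(self, username: str, new_key_id: str, now: int, overlap: int) -> Credential:
        """Issue a fresh random secret; old active secrets expire `overlap` seconds from now."""
        for old in self._by_user.get(username, []):
            if old.is_active(now) and (old.valid_until is None or old.valid_until > now + overlap):
                old.valid_until = now + overlap
        new = Credential(new_key_id, secrets.token_bytes(32), valid_from=now, valid_until=None)
        self.add(username, new)
        return new

    def active(self, username: str, now: int) -> List[Credential]:
        return [c for c in self._by_user.get(username, []) if c.is_active(now)]

    def purge_expired(self, username: str, now: int) -> int:
        """Drop secrets whose grace period has ended; returns how many were removed."""
        creds = self._by_user.get(username, [])
        kept = [c for c in creds if c.valid_until is None or now < c.valid_until]
        self._by_user[username] = kept
        return len(creds) - len(kept)


def signing_string(method: str, path: str, headers: Dict[str, str], signed: List[str]) -> bytes:
    """Canonical string to sign: one line per signed header, 'request-line' is a pseudo-header."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed:
        if name == "request-line":
            lines.append(f"{method} {path} HTTP/1.1")
        else:
            lines.append(f"{name.lower()}: {lower[name.lower()]}")
    return "\n".join(lines).encode()


def sign(secret: bytes, message: bytes) -> str:
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(store: CredentialStore, username: str, key_id: Optional[str],
           signature: str, message: bytes, now: int) -> Optional[str]:
    """Return the key_id whose secret validates `signature`, or None.

    With a key_id only that secret is tried; without one every currently
    active secret is tried, which is what lets clients roll over gradually.
    """
    candidates = store.active(username, now)
    if key_id is not None:
        candidates = [c for c in candidates if c.key_id == key_id]
    for cred in candidates:
        expected = sign(cred.secret, message)
        if hmac.compare_digest(expected.encode(), signature.encode()):
            return cred.key_id
    return None


def rotation_demo() -> Dict[str, object]:
    """Walk one user through a rotation with a 300 s overlap (constructed sample data)."""
    store = CredentialStore()
    k1 = Credential("alice-k1", b"old-shared-secret", valid_from=0, valid_until=None)
    store.add("alice", k1)
    msg = signing_string("GET", "/requests",
                         {"Date": "Mon, 01 Jan 2024 00:00:00 GMT", "Host": "api.example"},
                         ["request-line", "date", "host"])
    sig1 = sign(k1.secret, msg)
    out: Dict[str, object] = {}
    out["before_rotation"] = verify(store, "alice", None, sig1, msg, now=500)
    k2 = store.rotate("alice", "alice-k2", now=1000, overlap=300)
    sig2 = sign(k2.secret, msg)
    out["old_key_in_overlap"] = verify(store, "alice", "alice-k1", sig1, msg, now=1100)
    out["new_key_in_overlap"] = verify(store, "alice", "alice-k2", sig2, msg, now=1100)
    out["old_key_after_overlap"] = verify(store, "alice", "alice-k1", sig1, msg, now=1400)
    out["new_key_after_overlap"] = verify(store, "alice", None, sig2, msg, now=1400)
    out["tampered"] = verify(store, "alice", None, sig2, msg + b"x", now=1400)
    out["purged"] = store.purge_expired("alice", now=1400)
    return out


if __name__ == "__main__":
    for k, v in rotation_demo().items():
        print(f"{k}: {v}")
```

Two design points worth noting: comparison uses hmac.compare_digest so a wrong signature fails in constant time rather than leaking how many leading bytes matched, and the old secret is never deleted at rotation time but given an explicit end of life, so a client that has not yet picked up the new secret keeps working until the overlap ends and the record is purged. A production verifier would additionally bound the signed Date header against the server clock to limit replay.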