Apache Kafka

30. 01. 2025

Apache Kafka supports encryption and authentication through cryptographic algorithms in two main areas:

Transport Layer Security (TLS/SSL) Encryption

  • Algorithms: AES, RSA, ECDSA, and SHA (SHA-256, SHA-384, SHA-512)

  • Scenario: Secures data transmission over HTTPS by encrypting client and server communication.

  • Details:
    TLS uses a combination of algorithms:

    • Symmetric Encryption: AES (Advanced Encryption Standard) is widely used for encrypting data streams.

    • Asymmetric Encryption: RSA or ephemeral Elliptic Curve Diffie-Hellman (ECDHE) is used for secure key exchange.

    • Message Integrity: HMAC with SHA (e.g., SHA-256) ensures data integrity.

  • Standards:

Authentication Mechanisms (SASL)

Kafka supports SASL mechanisms for client-broker and inter-broker authentication. Some mechanisms allow for additional cryptographic algorithms.

Supported SASL Mechanisms and Algorithms:

  • SASL/PLAIN

    • Simple username/password authentication.

    • No inherent cryptographic algorithms (use TLS for encryption).

  • SASL/SCRAM (Salted Challenge Response Authentication Mechanism)
    Kafka supports SCRAM-SHA-256 and SCRAM-SHA-512. These are secure, challenge-response mechanisms.

    • Key Details:

      • SCRAM-SHA-256: SHA-256 hash function.

      • SCRAM-SHA-512: SHA-512 hash function.

    • Hash Output Lengths:

      • SHA-256: 256-bit

      • SHA-512: 512-bit

    • Standards: RFC 5802
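To make the SCRAM derivation and proof exchange described above concrete, here is an added example (not Kafka's own code and not from the original page) that walks one SCRAM-SHA-256 exchange exactly as RFC 5802 defines it, using only Python's standard library; the username, nonces, the 4096 iteration count and the sample passwords are constructed for the example, and switching the hash name to "sha512" yields SCRAM-SHA-512.

```python
import hashlib
import hmac
import os
from base64 import b64encode

ALGO = "sha256"    # use "sha512" for SCRAM-SHA-512; nothing else changes
ITERATIONS = 4096  # assumption: Kafka's default iteration count is kept

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(password: str, salt: bytes, iterations: int, algo: str):
    """RFC 5802: SaltedPassword = PBKDF2(password, salt, i); then ClientKey, StoredKey, ServerKey."""
    salted = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", algo).digest()
    stored_key = hashlib.new(algo, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", algo).digest()
    return client_key, stored_key, server_key

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes, algo: str) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); ClientKey itself is never sent."""
    client_key, stored_key, _ = derive_keys(password, salt, iterations, algo)
    return xor(client_key, hmac.new(stored_key, auth_message, algo).digest())

def broker_verify(stored_key: bytes, auth_message: bytes, proof: bytes, algo: str) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey in constant time."""
    recovered = xor(proof, hmac.new(stored_key, auth_message, algo).digest())
    return hmac.compare_digest(hashlib.new(algo, recovered).digest(), stored_key)

def scram_exchange(stored_password: str, offered_password: str, algo: str = ALGO):
    """Simulate one exchange; returns (client_authenticated_by_broker, broker_authenticated_by_client)."""
    salt = os.urandom(16)
    # The broker stores only salt, iterations, StoredKey and ServerKey, never the password.
    _, stored_key, server_key = derive_keys(stored_password, salt, ITERATIONS, algo)
    client_nonce = os.urandom(8).hex()
    combined_nonce = client_nonce + os.urandom(8).hex()
    # AuthMessage = client-first-message-bare , server-first-message , client-final-message-without-proof
    auth_message = ",".join([
        f"n=alice,r={client_nonce}",
        f"r={combined_nonce},s={b64encode(salt).decode()},i={ITERATIONS}",
        f"c=biws,r={combined_nonce}",
    ]).encode()
    proof = client_proof(offered_password, salt, ITERATIONS, auth_message, algo)
    if not broker_verify(stored_key, auth_message, proof, algo):
        return False, False  # broker rejects; no ServerSignature is issued
    # Mutual authentication: broker returns ServerSignature = HMAC(ServerKey, AuthMessage).
    server_signature = hmac.new(server_key, auth_message, algo).digest()
    _, _, expected_server_key = derive_keys(offered_password, salt, ITERATIONS, algo)
    client_expects = hmac.new(expected_server_key, auth_message, algo).digest()
    return True, hmac.compare_digest(server_signature, client_expects)
```

Note that a broker compromise leaks StoredKey and ServerKey, which is enough to impersonate the broker but not to log in as the client without first recovering ClientKey, which is why the proof is XORed rather than sent in the clear.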