Posted to users@tomcat.apache.org by jo...@wellsfargo.com.INVALID on 2020/01/15 21:03:26 UTC
Tomcat Digest Algorithm question
Is there a list of compliant algorithms supported when using Digest for passwords in the user database realm?
I know it supports MD5 and SHA, but both of these are weak. Does this support SHA-256, SHA-512, SHA3, etc.?
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President
Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13, 12/20 - 12/31
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Re: Tomcat Digest Algorithm question
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jon,
On 1/15/20 4:55 PM, jonmcalexander@wellsfargo.com.INVALID wrote:
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, January 15, 2020 3:42 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Digest Algorithm question
>
> On 15/01/2020 21:03, jonmcalexander@wellsfargo.com.INVALID wrote:
>> Is there a list of compliant algorithms supported when using
>> Digest for passwords in the user database realm?
>>
>> I know it supports MD5 and SHA, but both of these are weak. Does
>> this support SHA-256, SHA-512, SHA3, etc.?
>
>> It supports any digest supported by the JRE you are using.
>
>> Mark
>
> <snip>
>
> Thank You!
What Mark did not say was that you shouldn't be using any of these.
You should be using PBKDF2 (which is supported by Tomcat) or bcrypt or
something like that.
If you are using one of the old, weak algorithms, it's possible to
configure Tomcat (and your web application) to upgrade everybody. I
have a presentation on this topic here:
https://tomcat.apache.org/presentations.html#latest-credential-security
-chris
PS: In case anyone was curious, the actual end of SHA1 began this week
with this publication: https://eprint.iacr.org/2020/014.pdf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
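What the advice in the reply above can look like in Tomcat's server.xml, as an added example that is not part of the original thread: a single fast digest handler beside a nested configuration that puts PBKDF2 first and keeps the old digest only for validating existing entries. The resource name, the legacy algorithm and the numeric parameters are assumptions chosen for illustration.

```xml
<!-- Added illustration, not from the thread. resourceName, the legacy
     algorithm, iterations, keyLength and saltLength are assumed values;
     tune them for your own deployment. -->

<!-- Weak: one fast, general-purpose digest. Any MessageDigest name the
     running JRE provides is accepted here, including MD5 and SHA-1. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler
      className="org.apache.catalina.realm.MessageDigestCredentialHandler"
      algorithm="SHA-1" />
</Realm>

<!-- Stronger: PBKDF2 listed first, with the legacy digest kept second so
     that credentials stored in the old format still validate. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler
      className="org.apache.catalina.realm.NestedCredentialHandler">
    <!-- keyLength is in bits, saltLength in bytes -->
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512"
        iterations="100000"
        keyLength="256"
        saltLength="16" />
    <CredentialHandler
        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
        algorithm="SHA-1" />
  </CredentialHandler>
</Realm>
```

NestedCredentialHandler accepts a password if any nested handler matches it and uses the first nested handler when generating a new stored credential. Existing entries keep their old format until the password is stored again, so the legacy handler can be dropped only once no old-format entries remain.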
RE: Tomcat Digest Algorithm question
Posted by jo...@wellsfargo.com.INVALID.
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, January 15, 2020 3:42 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat Digest Algorithm question
On 15/01/2020 21:03, jonmcalexander@wellsfargo.com.INVALID wrote:
> Is there a list of compliant algorithms supported when using Digest for passwords in the user database realm?
>
> I know it supports MD5 and SHA, but both of these are weak. Does this support SHA-256, SHA-512, SHA3, etc.?
> It supports any digest supported by the JRE you are using.
> Mark
<snip>
Thank You!
Re: Tomcat Digest Algorithm question
Posted by Mark Thomas <ma...@apache.org>.
On 15/01/2020 21:03, jonmcalexander@wellsfargo.com.INVALID wrote:
> Is there a list of compliant algorithms supported when using Digest for passwords in the user database realm?
>
> I know it supports MD5 and SHA, but both of these are weak. Does this support SHA-256, SHA-512, SHA3, etc.?
It supports any digest supported by the JRE you are using.
Mark