Posted to dev@sling.apache.org by "Eric Norman (Jira)" <ji...@apache.org> on 2021/06/12 01:33:00 UTC

[jira] [Closed] (SLING-10350) Use a stronger algorithm in TokenStore

     [ https://issues.apache.org/jira/browse/SLING-10350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman closed SLING-10350.
-------------------------------

Closing with the 1.0.24 release

> Use a stronger algorithm in TokenStore  
> ----------------------------------------
>
>                 Key: SLING-10350
>                 URL: https://issues.apache.org/jira/browse/SLING-10350
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.20
>            Reporter: Cris Rockwell
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Form Based Authentication 1.0.24
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The TokenStore in Forms uses SHA-1
> final Mac m = Mac.getInstance(HMAC_SHA1);
> https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143
> Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is possible to have collisions (little computational effort is enough to find two or more different inputs that produce the same hash).
> The provisioning of weak security tokens for every request could be considered a security vulnerability. Also in a production environment with many active users, the risk of accidental collision is not impossible.
> I don't recommend doing this before SLING-10290, because constant provisioning of the tokens is performance drain, and will be more so with a stronger algorithm. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
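The issue above is about a single line in TokenStore, the choice of HMAC hash. The example below is added here as an illustration and is not Sling's TokenStore nor any code from the issue or the project: it is a minimal, self-contained HMAC token mint/verify pair that shows where the algorithm name lives, the one-line switch from HmacSHA1 to HmacSHA256, a constant-time comparison on verification, and the operational consequence that tokens minted under the old algorithm stop verifying after the switch. The key handling, token layout (expiry@userId@base64(mac)) and the restriction that the user id contains no "@" are assumptions of this example, not Sling's. One caveat worth stating: HMAC's security does not rest on collision resistance of the underlying hash, so HMAC-SHA1 is not broken by the SHA-1 collision results the report cites; moving to SHA-256 is still the right default because it removes a deprecated primitive from the token path.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example for SLING-10350. NOT Sling's TokenStore: a minimal HMAC token
 * that isolates the algorithm choice in one constant so the SHA-1 -> SHA-256
 * change is a single line, and verifies tokens in constant time.
 */
public final class HmacTokenExample {

    // Assumption: a random 32-byte secret generated at startup (a real store
    // would persist or share it across instances).
    private static final byte[] SECRET = new byte[32];
    static { new SecureRandom().nextBytes(SECRET); }

    // "Before": the algorithm name quoted in the issue.
    static final String HMAC_SHA1 = "HmacSHA1";
    // "After": SHA-256, available in the default JCA provider of every JDK.
    static final String HMAC_SHA256 = "HmacSHA256";

    /** HMAC of data under SECRET using the given JCA algorithm name. */
    static byte[] hmac(String algorithm, byte[] data) {
        try {
            Mac m = Mac.getInstance(algorithm);
            m.init(new SecretKeySpec(SECRET, algorithm));
            return m.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    /**
     * Token layout (assumed for this example): expiry@userId@base64url(mac).
     * The MAC covers both expiry and userId, so neither can be altered.
     */
    static String createToken(String algorithm, String userId, long expiryMillis) {
        if (userId.contains("@")) {
            throw new IllegalArgumentException("userId must not contain '@'");
        }
        String payload = expiryMillis + "@" + userId;
        byte[] mac = hmac(algorithm, payload.getBytes(StandardCharsets.UTF_8));
        return payload + "@" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac);
    }

    /**
     * Checks structure, expiry and MAC. MessageDigest.isEqual compares in
     * constant time, so a forger learns nothing from response timing.
     */
    static boolean isValid(String algorithm, String token, long nowMillis) {
        String[] parts = token.split("@", 3);
        if (parts.length != 3) {
            return false;
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[0]);
        } catch (NumberFormatException e) {
            return false;
        }
        if (expiry < nowMillis) {
            return false;
        }
        byte[] expected = hmac(algorithm, (parts[0] + "@" + parts[1]).getBytes(StandardCharsets.UTF_8));
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return false;
        }
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String t = createToken(HMAC_SHA256, "admin", now + 60_000);
        System.out.println("token:                  " + t);
        System.out.println("valid now:              " + isValid(HMAC_SHA256, t, now));
        System.out.println("valid after expiry:     " + isValid(HMAC_SHA256, t, now + 120_000));
        System.out.println("tampered user:          " + isValid(HMAC_SHA256, t.replace("admin", "guest"), now));
        // Tokens minted under the old algorithm have a different MAC length and
        // value, so after the switch they fail verification; a rollout must
        // either accept a grace period or force re-authentication.
        String old = createToken(HMAC_SHA1, "admin", now + 60_000);
        System.out.println("sha1 token under sha256: " + isValid(HMAC_SHA256, old, now));
    }
}
```

Run it with `javac HmacTokenExample.java && java HmacTokenExample`. The only line that changes between the "before" and "after" configuration is the constant passed to `hmac`; the last check in `main` is the part worth planning for before shipping such a change, since every session token issued under HmacSHA1 becomes invalid the moment the verifier starts using HmacSHA256.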