Posted to dev@zookeeper.apache.org by "Jiang (Jira)" <ji...@apache.org> on 2021/09/01 08:45:00 UTC

[jira] [Created] (ZOOKEEPER-4363) ZooKeeper digest authentication uses the insecure SHA1 algorithm.

Jiang created ZOOKEEPER-4363:
--------------------------------

             Summary: ZooKeeper digest authentication uses the insecure SHA1 algorithm.
                 Key: ZOOKEEPER-4363
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4363
             Project: ZooKeeper
          Issue Type: Improvement
          Components: server
    Affects Versions: 3.6.2
            Reporter: Jiang


*When ZooKeeper uses digest authentication, the SHA1 encryption mode is used to encrypt passwords. The PBKDF2 encryption algorithm is recommended.* :)



{code:java}
// DigestAuthenticationProvider.java
public static String generateDigest(String idPassword) throws NoSuchAlgorithmException {
    String[] parts = idPassword.split(":", 2);
    // Single unsalted SHA1 pass over the whole "id:password" string
    byte[] digest = MessageDigest.getInstance("SHA1").digest(idPassword.getBytes());
    return parts[0] + ":" + base64Encode(digest);
}
{code}





--
This message was sent by Atlassian Jira
(v8.3.4#803005)