Cris Rockwell created SLING-10350:
-------------------------------------
Summary: Use a stronger algorithm in TokenStore
Key: SLING-10350
URL: https://issues.apache.org/jira/browse/SLING-10350
Project: Sling
Issue Type: Improvement
Components: Authentication
Affects Versions: Form Based Authentication 1.0.20
Reporter: Cris Rockwell
The TokenStore in Forms uses SHA-1
final Mac m = Mac.getInstance(HMAC_SHA1);
https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143
Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5,
DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1
are no longer considered secure, because it is possible to have collisions
(little computational effort is enough to find two or more different inputs
that produce the same hash).
The provisioning of weak security tokens for every request could be considered
a security vulnerability. Also in a production environment with many active
users, the risk of accidental collision is not impossible.
I don't recommend doing this before SLING-10290, because constant provisioning
of the tokens is performance drain, and will be more so with a stronger
algorithm.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
