[ 
https://issues.apache.org/jira/browse/SLING-10350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17350143#comment-17350143
 ] 

Eric Norman edited comment on SLING-10350 at 5/23/21, 10:15 PM:
----------------------------------------------------------------

I created PR #3 with the proposed changes to switch the TokenStore to to 
SHA-256.  I did a quick test and it looks like the performance of SHA-256 is 
only slightly slower (around 7% slower in my tests) than the previous SHA-1 
impl.


was (Author: enorman):
I created PR #3 with the proposed changes to switch the TokenStore to to 
SHA-256.  I did a quick test and it looks like the performance of SHA-256 is 
only slightly slower (around 7% slower so in my tests) than the previous SHA-1 
impl.

> Use a stronger algorithm in TokenStore  
> ----------------------------------------
>
>                 Key: SLING-10350
>                 URL: https://issues.apache.org/jira/browse/SLING-10350
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.20
>            Reporter: Cris Rockwell
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Form Based Authentication 1.0.22
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The TokenStore in Forms uses SHA-1
> final Mac m = Mac.getInstance(HMAC_SHA1);
> https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143
> Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, 
> HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, 
> HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is 
> possible to have collisions (little computational effort is enough to find 
> two or more different inputs that produce the same hash).
> The provisioning of weak security tokens for every request could be 
> considered a security vulnerability. Also in a production environment with 
> many active users, the risk of accidental collision is not impossible.
> I don't recommend doing this before SLING-10290, because constant 
> provisioning of the tokens is performance drain, and will be more so with a 
> stronger algorithm. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to