[
https://issues.apache.org/jira/browse/SLING-10350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Norman updated SLING-10350:
--------------------------------
Fix Version/s: (was: Form Based Authentication 1.0.22)
Form Based Authentication 1.0.24
> Use a stronger algorithm in TokenStore
> ----------------------------------------
>
> Key: SLING-10350
> URL: https://issues.apache.org/jira/browse/SLING-10350
> Project: Sling
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Form Based Authentication 1.0.20
> Reporter: Cris Rockwell
> Assignee: Eric Norman
> Priority: Major
> Fix For: Form Based Authentication 1.0.24
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The TokenStore in Forms uses SHA-1
> final Mac m = Mac.getInstance(HMAC_SHA1);
> https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143
> Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128,
> HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160,
> HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is
> possible to have collisions (little computational effort is enough to find
> two or more different inputs that produce the same hash).
> The provisioning of weak security tokens for every request could be
> considered a security vulnerability. Also in a production environment with
> many active users, the risk of accidental collision is not impossible.
> I don't recommend doing this before SLING-10290, because constant
> provisioning of the tokens is performance drain, and will be more so with a
> stronger algorithm.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
