[ 
https://issues.apache.org/jira/browse/SLING-10350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Eric Norman updated SLING-10350:
--------------------------------
    Fix Version/s:     (was: Form Based Authentication 1.0.22)
                   Form Based Authentication 1.0.24

> Use a stronger algorithm in TokenStore  
> ----------------------------------------
>
>                 Key: SLING-10350
>                 URL: https://issues.apache.org/jira/browse/SLING-10350
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.20
>            Reporter: Cris Rockwell
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Form Based Authentication 1.0.24
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The TokenStore in Forms uses SHA-1
> final Mac m = Mac.getInstance(HMAC_SHA1);
> https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143
> Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, 
> HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, 
> HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is 
> possible to have collisions (little computational effort is enough to find 
> two or more different inputs that produce the same hash).
> The provisioning of weak security tokens for every request could be 
> considered a security vulnerability. Also in a production environment with 
> many active users, the risk of accidental collision is not impossible.
> I don't recommend doing this before SLING-10290, because constant 
> provisioning of the tokens is performance drain, and will be more so with a 
> stronger algorithm. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to