Project: James Server
Issue: JAMES-3834

PBKDF2WithHmacSHA1: Use of a broken or risky cryptographic algorithm


Description

      What?

      Cryptographic algorithm `PBKDF2WithHmacSHA1` is weak and should not be used.

      Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.

      Many cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.
      Recommendation

      Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.

      (Found via GitHub code scanning.)

      Fix

      For blob AES encryption:

      -> Default to PBKDF2WithHmacSHA512
      -> Allow people to configure other algorithms, including PBKDF2WithHmacSHA1
      -> No migration strategy for people who already have encrypted data (they stick to PBKDF2WithHmacSHA1)

      For user hashing:

      -> Add a new user password hashing algorithm based on PBKDF2WithHmacSHA512
      -> Make it the default one
      -> On-the-fly hashing migration is already present
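The user-hashing part of the fix plan above (new PBKDF2WithHmacSHA512 algorithm as the default, with on-the-fly migration of existing hashes) can be sketched with plain JCA calls. The following is an added example written for this page, not code from the James project: the stored record format (algorithm name, iteration count, salt and derived key joined by `$`), the iteration count and the class and method names are all assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Example only (not James code). Each stored record is self-describing:
 *   algorithm$iterations$base64(salt)$base64(derivedKey)
 * so verification knows which PBKDF2 variant produced it, and a successful
 * login with a legacy record can be re-hashed with the default algorithm.
 */
public final class Pbkdf2Migration {
    static final String DEFAULT_ALGO = "PBKDF2WithHmacSHA512"; // new default
    static final String LEGACY_ALGO = "PBKDF2WithHmacSHA1";    // flagged by the scan
    static final int ITERATIONS = 210_000;                     // assumed work factor
    static final int KEY_BITS = 256;
    static final SecureRandom RNG = new SecureRandom();

    // Derive a key with the given PBKDF2 variant and encode the full record.
    static String hash(String algo, char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            byte[] dk = SecretKeyFactory.getInstance(algo).generateSecret(spec).getEncoded();
            return algo + "$" + iterations + "$" + b64(salt) + "$" + b64(dk);
        } finally {
            spec.clearPassword(); // do not leave the password in the spec
        }
    }

    // Hash a password with the default algorithm and a fresh random salt.
    static String hashNew(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return hash(DEFAULT_ALGO, password, salt, ITERATIONS);
    }

    // Verify against whatever algorithm the stored record names.
    static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 4) return false;
        String algo = parts[0];
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, expected.length * 8);
        try {
            byte[] actual = SecretKeyFactory.getInstance(algo).generateSecret(spec).getEncoded();
            return MessageDigest.isEqual(expected, actual); // constant-time compare
        } finally {
            spec.clearPassword();
        }
    }

    /**
     * On-the-fly migration: returns the record that should now be stored
     * (unchanged if already on the default algorithm, a fresh SHA512 record
     * if it was legacy), or null when the password did not verify.
     */
    static String verifyAndMigrate(char[] password, String stored) throws Exception {
        if (!verify(password, stored)) return null;
        return stored.startsWith(DEFAULT_ALGO + "$") ? stored : hashNew(password);
    }

    static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray();
        byte[] legacySalt = new byte[16]; // constructed, all-zero salt for the demo only
        String legacy = hash(LEGACY_ALGO, pw, legacySalt, 1000); // record from before the fix
        String migrated = verifyAndMigrate(pw, legacy);         // login succeeds, record upgraded
        System.out.println("legacy:   " + legacy);
        System.out.println("migrated: " + migrated);
        System.out.println("wrong password: " + verifyAndMigrate("wrong".toCharArray(), migrated));
    }
}
```

The record carries its own algorithm name, which is what makes the on-the-fly migration possible for user hashes: the next successful login rewrites the record under the default algorithm, and PBKDF2WithHmacSHA1 only ever needs to be accepted for verification, never chosen for new hashes. Blob AES encryption has no such per-record tag, which is why the plan above leaves existing encrypted deployments configured on PBKDF2WithHmacSHA1 instead of migrating them.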

      People

        Assignee: Unassigned
        Reporter: Benoit Tellier (btellier)

      Time Tracking

        Logged: 10m