Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      While working on OFBIZ-10427, I noticed that HashCrypt::cryptBytes uses "SHA" as default hashType (aka algorithm in JDK jargon)

      HashCrypt::cryptBytes is notably used by GenericEntity::toString

      But if I refer to the "current" documentation https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest

      I can't find any "SHA" algorithm. Even in https://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA which I guess corresponds to the date of HashCrypt code.

      Trying MessageDigest.getInstance("SHA") returns a MessageDigest with a digestSpi.algorithm value of "SHA-1"

      Curious I tried HashCrypt.cryptBytes(null, null, "test".getBytes()) and got

      $SHA$ggtMOpnFTWdKd$18wkxkG5J0G37Flewu8XSmLQ72U

      So it works, but obviously use SHA1 and we know SHA1 is insecure.

      So I suggest to replace in HashCrypt::cryptBytes the default by "SHA-512"

      After having a look at both code and related articles (below). I found it's not as easy as I thought, because we need to take into account legacy and transition for users.

      https://crypto.stackexchange.com/questions/48289/how-secure-is-sha1-what-are-the-chances-of-a-real-exploit

      https://www.computerworld.com/article/3173616/the-sha1-hash-function-is-now-completely-unsafe.html

      https://www.infoworld.com/article/2990831/sha-1-hashing-algorithm-could-succumb-to-75k-attack-researchers-say.html

      https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1

      I conclude that it's something we should do without lagging but not ASAP.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              jleroux Jacques Le Roux
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: