Uploaded image for project: 'Sling'
  1. Sling
  2. SLING-10350

Use a stronger algorithm in TokenStore

    XMLWordPrintableJSON

Details

    Description

      The TokenStore in Forms uses SHA-1

      final Mac m = Mac.getInstance(HMAC_SHA1);

      https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143

      Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is possible to have collisions (little computational effort is enough to find two or more different inputs that produce the same hash).

      The provisioning of weak security tokens for every request could be considered a security vulnerability. Also in a production environment with many active users, the risk of accidental collision is not impossible.

      I don't recommend doing this before SLING-10290, because constant provisioning of the tokens is performance drain, and will be more so with a stronger algorithm.

      Attachments

        Issue Links

          links to

          Web Link PR #3

          Activity

            People

              enorman Eric Norman
              cris Cris Rockwell
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 0.5h
                  0.5h