[jboss-jira] [JBoss JIRA] (ELY-1290) OneTimePasswordImpl provides only MD5 and SHA1 hash algorithms

Jan Kalina (JIRA) issues at jboss.org
Mon Jul 17 12:33:00 EDT 2017


     [ https://issues.jboss.org/browse/ELY-1290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina moved JBEAP-12169 to ELY-1290:
-----------------------------------------

              Project: WildFly Elytron  (was: JBoss Enterprise Application Platform)
                  Key: ELY-1290  (was: JBEAP-12169)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Passwords
                           (was: Security)
    Affects Version/s: 1.1.0.CR2
                           (was: 7.1.0.ER2)


> OneTimePasswordImpl provides only MD5 and SHA1 hash algorithms
> --------------------------------------------------------------
>
>                 Key: ELY-1290
>                 URL: https://issues.jboss.org/browse/ELY-1290
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Passwords
>    Affects Versions: 1.1.0.CR2
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Critical
>
> Only MD5 and SHA-1 hash algorithms are valid in OneTimePasswordImpl.
> {code:title=/subsystem=elytron/filesystem-realm=a:read-operation-description(name=set-password)}
>            "otp" => {
>                 "type" => OBJECT,
>                 "description" => "A one-time password, used by the OTP SASL mechanism.",
>                 "expressions-allowed" => false,
>                 "required" => false,
>                 "nillable" => true,
>                 "value-type" => {
>                     "algorithm" => {
>                         "type" => STRING,
>                         "description" => "The algorithm used to encrypt the password.",
>                         "expressions-allowed" => false,
>                         "required" => false,
>                         "nillable" => true,
>                         "default" => "otp-sha1",
>                         "allowed" => [
>                             "otp-md5",
>                             "otp-sha1"
>                         ]
>                     },
>                     "hash" => {
>                         "type" => STRING,
>                         "description" => "The hash represented by this password.",
>                         "expressions-allowed" => true,
>                         "required" => true,
>                         "nillable" => false,
>                         "min-length" => 1L,
>                         "max-length" => 2147483647L
>                     },
>                     "seed" => {
>                         "type" => STRING,
>                         "description" => "The seed used to generate the hash.",
>                         "expressions-allowed" => true,
>                         "required" => true,
>                         "nillable" => false,
>                         "min-length" => 1L,
>                         "max-length" => 2147483647L
>                     },
>                     "sequence" => {
>                         "type" => INT,
>                         "description" => "The sequence number used to generate the hash.",
>                         "expressions-allowed" => true,
>                         "required" => true,
>                         "nillable" => false
>                     }
>                 }
>             }
> {code}
> Extend the list to more secure hash algorithms, e.g. digest-sha-256, digest-sha-512?
> For example MD5 is not allowed in FIPS mode [1]. Although SHA-1 is, it is generally considered not to be secure anymore.
> [1] http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

