[jboss-jira] [JBoss JIRA] (WFCORE-3069) OneTimePasswordImpl provides only MD5 and SHA1 hash algorithms
Jan Kalina (JIRA)
issues at jboss.org
Mon Jul 17 13:51:00 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Kalina moved JBEAP-12170 to WFCORE-3069:
--------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-3069 (was: JBEAP-12170)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta28
(was: 7.1.0.ER2)
> OneTimePasswordImpl provides only MD5 and SHA1 hash algorithms
> --------------------------------------------------------------
>
> Key: WFCORE-3069
> URL: https://issues.jboss.org/browse/WFCORE-3069
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta28
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Priority: Critical
>
> Only MD5 and SHA-1 hash algorithms are valid in OneTimePasswordImpl.
> {code:title=/subsystem=elytron/filesystem-realm=a:read-operation-description(name=set-password)}
> "otp" => {
> "type" => OBJECT,
> "description" => "A one-time password, used by the OTP SASL mechanism.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "value-type" => {
> "algorithm" => {
> "type" => STRING,
> "description" => "The algorithm used to encrypt the password.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "default" => "otp-sha1",
> "allowed" => [
> "otp-md5",
> "otp-sha1"
> ]
> },
> "hash" => {
> "type" => STRING,
> "description" => "The hash represented by this password.",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "seed" => {
> "type" => STRING,
> "description" => "The seed used to generate the hash.",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "sequence" => {
> "type" => INT,
> "description" => "The sequence number used to generate the hash.",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => false
> }
> }
> }
> {code}
> Extend list to more secure hash algorithms, e.g. digest-sha-256 digest-sha-512?
> For example MD5 is not allowed in FIPS mode [1]. Although SHA-1 is, it is generally considered to be not secure anymore.
> [1] http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list