Greetings Tomcat Developers,

I am a security researcher who has recently been getting into Apache
Tomcat security hardening. Forgive me if my failed attempt to find the
answer to this question has brought me prematurely to this list. I've
been trying to figure out why the Apache Tomcat 6 Manager component
defaults to using the MD5 hash algorithm for session token creation. It
has long been seen as a questionable hash algorithm due to known
collisions. Why not use SHA-1 by default, instead? Has anybody looked
at SecureRandom, which uses SHA-1? I assume eventually this should be
SHA-2, as SHA-1 is coming under increasing fire, as well.

From: http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html

|algorithm|
Name of the /Message Digest/ algorithm used to calculate session
identifiers produced by this Manager. This value must be supported by
the |java.security.MessageDigest| class. If not specified, the default
value is "MD5".

http://en.wikipedia.org/wiki/Md5
http://en.wikipedia.org/wiki/Sha-1
http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html

Any insights would be appreciated.

Thanks,
Minoo Hamilton
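
A sketch of a session identifier generator with a configurable digest, as the quoted `algorithm` documentation describes; this is an added example, not Tomcat's source and not part of the original message. The class name `SessionIdSketch`, the 16-byte seed, the use of fresh `SecureRandom` output as digest input, and the algorithm names tried in `main` are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Hypothetical class: a session-id generator whose digest is configurable.
public class SessionIdSketch {
    private final MessageDigest digest;
    private final SecureRandom random = new SecureRandom();

    // The name must be one java.security.MessageDigest supports, the same
    // constraint the quoted documentation places on the "algorithm" value.
    public SessionIdSketch(String algorithm) throws NoSuchAlgorithmException {
        this.digest = MessageDigest.getInstance(algorithm);
    }

    // Draw fresh random bytes, digest them, and hex-encode the result,
    // repeating until idBytes bytes of identifier have been produced.
    public synchronized String generate(int idBytes) {
        StringBuilder sb = new StringBuilder(idBytes * 2);
        byte[] seed = new byte[16]; // assumed seed size for this sketch
        int produced = 0;
        while (produced < idBytes) {
            random.nextBytes(seed);
            byte[] hashed = digest.digest(seed); // digest() also resets state
            for (int i = 0; i < hashed.length && produced < idBytes; i++, produced++) {
                sb.append(String.format("%02X", hashed[i] & 0xff));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The last name is deliberately invalid to show the rejection path.
        for (String alg : new String[] {"MD5", "SHA-1", "SHA-256", "NOT-A-DIGEST"}) {
            try {
                SessionIdSketch gen = new SessionIdSketch(alg);
                System.out.println(alg + " -> " + gen.generate(16));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + " -> rejected: not supported by MessageDigest");
            }
        }
    }
}
```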