@Tharika, how is the hashing algorithm determined? Is it determined through the handshake between the gateway and the back-end or is it hard-coded?
AFAIU the hashing algorithm should be determined at the handshake so that the client (Gateway) and back-end use the same hashing mechanism to hash the strings for comparison.

On Wed, Jan 13, 2016 at 2:23 PM, Shani Ranasinghe <[email protected]> wrote:

> + Dev
>
> On Wed, Jan 13, 2016 at 2:18 PM, Shani Ranasinghe <[email protected]> wrote:
>
>> Hi,
>>
>> In the gateway package we have a class "DigestAuthMediator" which uses
>> MD5 hashing to compute the hashes for digest authentication. FindBugs
>> complains that the message digest is weak [1]. It recommends that we use
>> one of the following algorithms: SHA-1, SHA-224*, SHA-256, SHA-384, SHA-512,
>> SHA-512/224, or SHA-512/256. I spoke to a member of the security team and
>> they too recommended the same (use a hashing method like SHA-256). However,
>> we have implemented the hashing in this class based on a spec [2] which
>> indicates that by default it uses the MD5 algorithm; otherwise the server
>> could specify the algorithm ("MD5" | "MD5-sess" | token).
>>
>> How do we handle this scenario?
>>
>> [1] MessageDigest Is Weak
>> The algorithm used is not a recommended MessageDigest.
>> NIST recommends the use of SHA-1, SHA-224*, SHA-256, SHA-384, SHA-512,
>> SHA-512/224, or SHA-512/256.
>> * SHA-224 algorithm is not provided by SUN provider.
>> Upgrade your implementation to use one of the approved algorithms. Use an
>> algorithm that is sufficiently strong for your specific security needs.
>>
>> [2] https://tools.ietf.org/html/rfc2617
>>
>> --
>> Thanks and Regards
>> Shani Ranasinghe
>> Senior Software Engineer
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> mobile: +94 77 2273555
>> Blog: http://waysandmeans.blogspot.com/
>> linked in: lk.linkedin.com/pub/shani-ranasinghe/34/111/ab

--
Nuwan Dias
Technical Lead - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
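To make the "determined at the handshake" point concrete, here is an added Python example (not code from the thread or from the WSO2 DigestAuthMediator) of how a Digest client picks the hash: the server's WWW-Authenticate challenge names the algorithm, a missing parameter means MD5 as RFC 2617 requires, and an algorithm the client does not know is rejected rather than silently mapped to MD5. The SHA-256 names are the ones RFC 7616 later added; the challenges at the bottom are constructed, the first being the RFC 2617 section 3.5 example.

```python
import hashlib
import re

# Hash constructors a Digest challenge may name. "MD5" is the RFC 2617 default
# when the algorithm parameter is absent; the SHA-256 names come from RFC 7616.
DIGEST_ALGORITHMS = {
    "MD5": hashlib.md5, "MD5-sess": hashlib.md5,
    "SHA-256": hashlib.sha256, "SHA-256-sess": hashlib.sha256,
}

_PARAM_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header):
    """Parse a 'Digest realm="...", nonce="...", algorithm=...' header value into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: " + scheme)
    return {key: quoted or bare for key, quoted, bare in _PARAM_RE.findall(params)}


def negotiated_algorithm(challenge):
    """The challenge decides the hash; no algorithm parameter means MD5 (RFC 2617)."""
    name = challenge.get("algorithm", "MD5")
    if name not in DIGEST_ALGORITHMS:      # never fall back to MD5 for an unknown token
        raise ValueError("unsupported digest algorithm: " + name)
    return name


def _h(name, data):
    return DIGEST_ALGORITHMS[name](data.encode("utf-8")).hexdigest()


def compute_response(challenge, username, password, method, uri,
                     cnonce="0a4f113b", nc="00000001"):
    """Compute the Authorization 'response' value with the negotiated algorithm."""
    name = negotiated_algorithm(challenge)
    realm, nonce = challenge["realm"], challenge["nonce"]
    a1 = f"{username}:{realm}:{password}"
    if name.endswith("-sess"):             # session variant binds HA1 to both nonces
        a1 = f"{_h(name, a1)}:{nonce}:{cnonce}"
    a2 = f"{method}:{uri}"                 # qop=auth-int would also hash the body
    qop = challenge.get("qop", "").split(",")[0].strip()   # first qop the server offers
    if qop:
        return _h(name, f"{_h(name, a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_h(name, a2)}")
    return _h(name, f"{_h(name, a1)}:{nonce}:{_h(name, a2)}")


# Constructed challenges: RFC 2617 section 3.5 (algorithm absent, so MD5) and the
# same server explicitly selecting SHA-256.
MD5_CHALLENGE = parse_challenge('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                                'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')
SHA256_CHALLENGE = parse_challenge('Digest realm="testrealm@host.com", qop="auth", '
                                   'algorithm=SHA-256, nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')
```

With the RFC 2617 credentials (Mufasa / Circle Of Life, GET /dir/index.html) the MD5 challenge yields the RFC's own response value, which is the check a mediator should keep passing while it learns to honour SHA-256 challenges.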
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
