Hi Nuwan,
The hashing algorithm is determined from the handshake. The
WWW-Authenticate response header will optionally contain an algorithm
directive.
In the DigestAuthMediator, if we receive any other algorithm
apart from MD5 or MD5-sess, we consider it as MD5 and carry out the
hashing. Finally, when the hash is calculated, we send the algorithm used
by our side, in the Authorization header of the request directed back to
the endpoint. So then that endpoint knows which algorithm we used.
So in the current implementation, only MD5 and MD5-sess
algorithms are supported as per the RFC [1].
[1] https://tools.ietf.org/html/rfc2617
Tharika Madurapperuma
Intern - Software Engineering
WSO2, Inc.
Mobile : +94777-875-624
On Wed, Jan 13, 2016 at 3:38 PM, Nuwan Dias <[email protected]> wrote:
> @Tharika, how is the hashing algorithm determined? Is it determined
> through the handshake between the gateway and the back-end or is it
> hard-coded?
>
> AFAIU the hashing algorithm should be determined at the handshake so that
> the client (Gateway) and back-end use the same hashing mechanism to hash
> the strings for comparison.
>
> On Wed, Jan 13, 2016 at 2:23 PM, Shani Ranasinghe <[email protected]> wrote:
>
>> + Dev
>>
>> On Wed, Jan 13, 2016 at 2:18 PM, Shani Ranasinghe <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> In the gateway package we have a class "DigestAuthMediator" which uses
>>> Md5 hashing, to compute the hashes for digest authentication. Findbugs
>>> complains that the message digest is weak[1]. It recommends that we use
>>> one of the following algorithms SHA-1, SHA-224*, SHA-256, SHA-384, SHA-512,
>>> SHA-512/224, or SHA-512/256.. I spoke to a member of the security team and
>>> they too recommended the same (use hashing method like SHA 256). However,
>>> we have implemented the hashing in this class based on a spec [2] which
>>> indicates that by default it uses the MD5 algorithm, else wise the server
>>> could specify the algorithm ("MD5" | "MD5-sess" | token).
>>>
>>> How do we handle this scenario?
>>>
>>>
>>> [1] MessageDigest Is Weak
>>> The algorithm used is not a recommended MessageDigest.
>>> NIST recommends the use of SHA-1, SHA-224*, SHA-256, SHA-384, SHA-512,
>>> SHA-512/224, or SHA-512/256.
>>> * SHA-224 algorithm is not provided by SUN provider.
>>> Upgrade your implementation to use one of the approved algorithms. Use
>>> an algorithm that is sufficiently strong for your specific security needs.
>>>
>>> [2] https://tools.ietf.org/html/rfc2617
>>>
>>> --
>>> Thanks and Regards
>>> *,Shani Ranasinghe*
>>> Senior Software Engineer
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> mobile: +94 77 2273555
>>> Blog: http://waysandmeans.blogspot.com/
>>> linked in: lk.linkedin.com/pub/shani-ranasinghe/34/111/ab
>>>
>>
>>
>>
>> --
>> Thanks and Regards
>> *,Shani Ranasinghe*
>> Senior Software Engineer
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> mobile: +94 77 2273555
>> Blog: http://waysandmeans.blogspot.com/
>> linked in: lk.linkedin.com/pub/shani-ranasinghe/34/111/ab
>>
>
>
>
> --
> Nuwan Dias
>
> Technical Lead - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
