Jacques Le Roux commented on OFBIZ-10843:

[SHA-1 is a Shambles|https://sha-mbles.github.io/]

> Replace SHA-1 by SHA-512
> ------------------------
>                 Key: OFBIZ-10843
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10843
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Priority: Major
> While working on OFBIZ-10427, I noticed that HashCrypt::cryptBytes uses "SHA" 
> as default hashType (aka algorithm in JDK jargon)
> HashCrypt::cryptBytes  is notably used by GenericEntity::toString
> But if I refer to the "current" documentation 
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest
> I can't find any "SHA" algorithm. Even in 
> https://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA 
> which I guess corresponds to the date of HashCrypt code.
> Trying MessageDigest.getInstance("SHA") returns a MessageDigest with a 
> digestSpi.algorithm value of "SHA-1"
> Curious I tried HashCrypt.cryptBytes(null, null, "test".getBytes()) and got
> $SHA$ggtMOpnFTWdKd$18wkxkG5J0G37Flewu8XSmLQ72U
> So it works, but obviously use SHA1 and we know SHA1 is insecure.
> So I suggest to replace in HashCrypt::cryptBytes the default by "SHA-512"
> After having a look at both code and related articles (below). I found tt's 
> not as easy as I thought, because we need to take into account legacy and 
> transition for users.
> https://crypto.stackexchange.com/questions/48289/how-secure-is-sha1-what-are-the-chances-of-a-real-exploit
> https://www.computerworld.com/article/3173616/the-sha1-hash-function-is-now-completely-unsafe.html
> https://www.infoworld.com/article/2990831/sha-1-hashing-algorithm-could-succumb-to-75k-attack-researchers-say.html
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1
> I conclude that it's something we should do without lagging but not ASAP.

This message was sent by Atlassian Jira

Reply via email to