Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1290

OneTimePasswordImpl provides only MD5 and SHA1 hash algorithms

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 1.1.0.CR2
    • Fix Version/s: 1.1.0.CR3
    • Component/s: Passwords
    • Labels:
      None

      Description

      Only MD5 and SHA-1 hash algorithms are valid in OneTimePasswordImpl.

      /subsystem=elytron/filesystem-realm=a:read-operation-description(name=set-password)
                 "otp" => {
                      "type" => OBJECT,
                      "description" => "A one-time password, used by the OTP SASL mechanism.",
                      "expressions-allowed" => false,
                      "required" => false,
                      "nillable" => true,
                      "value-type" => {
                          "algorithm" => {
                              "type" => STRING,
                              "description" => "The algorithm used to encrypt the password.",
                              "expressions-allowed" => false,
                              "required" => false,
                              "nillable" => true,
                              "default" => "otp-sha1",
                              "allowed" => [
                                  "otp-md5",
                                  "otp-sha1"
                              ]
                          },
                          "hash" => {
                              "type" => STRING,
                              "description" => "The hash represented by this password.",
                              "expressions-allowed" => true,
                              "required" => true,
                              "nillable" => false,
                              "min-length" => 1L,
                              "max-length" => 2147483647L
                          },
                          "seed" => {
                              "type" => STRING,
                              "description" => "The seed used to generate the hash.",
                              "expressions-allowed" => true,
                              "required" => true,
                              "nillable" => false,
                              "min-length" => 1L,
                              "max-length" => 2147483647L
                          },
                          "sequence" => {
                              "type" => INT,
                              "description" => "The sequence number used to generate the hash.",
                              "expressions-allowed" => true,
                              "required" => true,
                              "nillable" => false
                          }
                      }
                  }
      

      Extend list to more secure hash algorithms, e.g. digest-sha-256 digest-sha-512?

      For example MD5 is not allowed in FIPS mode [1]. Although SHA-1 is, it is generally considered to be not secure anymore.

      [1] http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  honza889 Jan Kalina
                  Reporter:
                  honza889 Jan Kalina
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: