Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1290

OneTimePasswordImpl provides only MD5 and SHA1 hash algorithms

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 1.1.0.CR3
    • 1.1.0.CR2
    • Passwords
    • None

      Only MD5 and SHA-1 hash algorithms are valid in OneTimePasswordImpl.

      /subsystem=elytron/filesystem-realm=a:read-operation-description(name=set-password)
                 "otp" => {
                      "type" => OBJECT,
                      "description" => "A one-time password, used by the OTP SASL mechanism.",
                      "expressions-allowed" => false,
                      "required" => false,
                      "nillable" => true,
                      "value-type" => {
                          "algorithm" => {
                              "type" => STRING,
                              "description" => "The algorithm used to encrypt the password.",
                              "expressions-allowed" => false,
                              "required" => false,
                              "nillable" => true,
                              "default" => "otp-sha1",
                              "allowed" => [
                                  "otp-md5",
                                  "otp-sha1"
                              ]
                          },
                          "hash" => {
                              "type" => STRING,
                              "description" => "The hash represented by this password.",
                              "expressions-allowed" => true,
                              "required" => true,
                              "nillable" => false,
                              "min-length" => 1L,
                              "max-length" => 2147483647L
                          },
                          "seed" => {
                              "type" => STRING,
                              "description" => "The seed used to generate the hash.",
                              "expressions-allowed" => true,
                              "required" => true,
                              "nillable" => false,
                              "min-length" => 1L,
                              "max-length" => 2147483647L
                          },
                          "sequence" => {
                              "type" => INT,
                              "description" => "The sequence number used to generate the hash.",
                              "expressions-allowed" => true,
                              "required" => true,
                              "nillable" => false
                          }
                      }
                  }
      

      Extend list to more secure hash algorithms, e.g. digest-sha-256 digest-sha-512?

      For example MD5 is not allowed in FIPS mode [1]. Although SHA-1 is, it is generally considered to be not secure anymore.

      [1] http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: