[SECURITY] Google announced first SHA-1 collision - how do we deal with it in OFBiz?


Michael Brohl-3
Hi everyone,

Google announced the first SHA1 collision [1]. See [2] for in-depth
explanations.
It's recommended to migrate to safer cryptographic hashes such as SHA-2
or SHA-3 as soon as possible.
See [3] for an overview of SHA. SHA-3 was announced as the official new
standard [4].

Let's discuss how we want to deal with this in OFBiz, any help is
greatly appreciated.

Best regards,
Michael

[1] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
[2] https://shattered.io/static/shattered.pdf
[3] https://en.wikipedia.org/wiki/Secure_Hash_Algorithm
[4] https://www.federalregister.gov/documents/2015/08/05/2015-19181/announcing-approval-of-federal-information-processing-standard-fips-202-sha-3-standard



Re: [SECURITY] Google announced first SHA-1 collision - how do we deal with it in OFBiz?

Michael Brohl-3
Another good reference: https://shattered.it

Regards,

Michael

On 24.02.17 at 22:07, Michael Brohl wrote:

> Hi everyone,
>
> Google announced the first SHA1 collision [1]. See [2] for in-depth
> explanations.
> It's recommended to migrate to safer cryptographic hashes such as
> SHA-2 or SHA-3 as soon as possible.
> See [3] for an overview of SHA. SHA-3 was announced as the official
> new standard [4].
>
> Let's discuss how we want to deal with this in OFBiz, any help is
> greatly appreciated.
>
> Best regards,
> Michael
>
> [1] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
> [2] https://shattered.io/static/shattered.pdf
> [3] https://en.wikipedia.org/wiki/Secure_Hash_Algorithm
> [4] https://www.federalregister.gov/documents/2015/08/05/2015-19181/announcing-approval-of-federal-information-processing-standard-fips-202-sha-3-standard
>



Re: [SECURITY] Google announced first SHA-1 collision - how do we deal with it in OFBiz?

taher
In reference to earlier threads and discussions, I propose the following:

1- Make the encryption algorithm a parameter, not hard-coded into the
system.
2- Implement a new stronger encryption algorithm.
3- Set the new algorithm as default.
4- Update our documentation to point existing users to upgrade passwords OR
change the encryption algorithm in settings back to old default of SHA1

WDYT?

On Sat, Feb 25, 2017 at 12:31 AM, Michael Brohl <[hidden email]>
wrote:

> Another good reference: https://shattered.it
>
> Regards,
>
> Michael
>
> On 24.02.17 at 22:07, Michael Brohl wrote:
>
>> Hi everyone,
>>
>> Google announced the first SHA1 collision [1]. See [2] for in-depth
>> explanations.
>> It's recommended to migrate to safer cryptographic hashes such as SHA-2
>> or SHA-3 as soon as possible.
>> See [3] for an overview of SHA. SHA-3 was announced as the official new
>> standard [4].
>>
>> Let's discuss how we want to deal with this in OFBiz, any help is greatly
>> appreciated.
>>
>> Best regards,
>> Michael
>>
>> [1] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
>> [2] https://shattered.io/static/shattered.pdf
>> [3] https://en.wikipedia.org/wiki/Secure_Hash_Algorithm
>> [4] https://www.federalregister.gov/documents/2015/08/05/2015-19181/announcing-approval-of-federal-information-processing-standard-fips-202-sha-3-standard
>>
>>
>
>
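One way to implement the four steps taher proposes (a configurable hash algorithm with a new default, and a transparent upgrade of legacy SHA-1 entries when a user next logs in), as an added Python example that is not OFBiz code; the `$algorithm$salt$digest` storage format, the algorithm names and the sample password are assumptions constructed for this example, not OFBiz's actual format:

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed, self-describing storage format (an assumption of this example,
# not OFBiz's real format): $<algorithm>$<salt hex>$<digest hex>.
# The algorithm is a parameter (proposal step 1), not hard-coded.
SUPPORTED_ALGORITHMS = {"sha1", "sha256", "sha512", "sha3_256"}
DEFAULT_ALGORITHM = "sha256"   # proposal step 3: the new default


def hash_password(password: str, algorithm: str = DEFAULT_ALGORITHM,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with the named algorithm and a random 16-byte salt."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return f"${algorithm}${salt.hex()}${digest}"


def parse_stored(stored: str) -> Tuple[str, bytes, str]:
    """Split a stored value into (algorithm, salt, digest); reject malformed input."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in SUPPORTED_ALGORITHMS:
        raise ValueError("malformed or unsupported password hash")
    return parts[1], bytes.fromhex(parts[2]), parts[3]


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored value using the algorithm it names."""
    try:
        algorithm, salt, digest = parse_stored(stored)
    except ValueError:
        return False
    expected = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def verify_and_upgrade(password: str, stored: str,
                       default_algorithm: str = DEFAULT_ALGORITHM) -> Tuple[bool, Optional[str]]:
    """Proposal step 4: on a successful login, re-hash a legacy entry with the
    current default and return the new value to persist (None if unchanged)."""
    if not verify(password, stored):
        return False, None
    algorithm, _, _ = parse_stored(stored)
    if algorithm == default_algorithm:
        return True, None
    return True, hash_password(password, default_algorithm)
```

Switching the default back to `sha1` in configuration (taher's alternative in step 4) is just a different `default_algorithm`, since every stored value already names the algorithm it was produced with.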