
Password authentication uses obsolete sha-1 #233

Open
rgwch opened this issue Jan 17, 2018 · 1 comment


@rgwch
Contributor

rgwch commented Jan 17, 2018

While trying to understand the new user concept, I find something odd with https://github.com/elexis/elexis-3-core/blob/master/ch.rgw.utility/src/ch/rgw/tools/PasswordEncryptionService.java

Sure, one could honestly argue why password encryption would be so necessary in a pure in-house database solution. But since we do it...

The referenced article http://java.dzone.com/articles/secure-password-storage-lots states that the NIST recommends SHA1 as the hashing algorithm for the HMAC. Well, that was published before Snowden revealed that the NIST was influenced by the NSA and sometimes propagated algorithms with a flaw... Today, actually since 2010, SHA1 is as broken as MD5...

So, you'd better use SHA512 for the HMAC if you think that Elexis should have hacker-safe password storage (which becomes important if doctors start to expose their database to the internet for external access).

It doesn't matter to me since I use a VPN anyway. So I will not propose a patch for that myself.

@col-panic
Member

For reference: https://redmine.medelexis.ch/issues/11252
