tomcat-dev mailing list archives

From Minoo Hamilton <mi...@forkbolt.net>
Subject Why are manager session tokens generated with MD5 by default?
Date Fri, 29 Aug 2008 00:17:51 GMT
Greetings Tomcat Developers,
  I am a security researcher who has recently been getting into Apache 
Tomcat security hardening.  Forgive me if my failed attempt to find the 
answer to this question has brought me prematurely to this list.  I've 
been trying to figure out why the Apache Tomcat 6 Manager component 
defaults to using the MD5 hash algorithm for session token creation.  It 
has long been seen as a questionable hash algorithm due to known 
collisions.  Why not use SHA-1 by default, instead?  Has anybody looked 
at SecureRandom which uses SHA-1?  I assume eventually this should be 
SHA-2, as SHA-1 is coming under increasing fire, as well.

From: http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html

|algorithm|

Name of the /Message Digest/ algorithm used to calculate session 
identifiers produced by this Manager. This value must be supported by 
the |java.security.MessageDigest| class. If not specified, the default 
value is "MD5".

http://en.wikipedia.org/wiki/Md5
http://en.wikipedia.org/wiki/Sha-1
http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html

Any insights would be appreciated.

Thanks,
Minoo Hamilton


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
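An added illustration of the question above (not Tomcat's own ManagerBase code and not part of the original thread): a Manager-style session ID generator whose `algorithm` value must be accepted by `java.security.MessageDigest`, with the digest applied to bytes drawn from `SecureRandom`. The class name, the 16-byte random input and the hex encoding are assumptions. It shows that changing MD5 to SHA-1 or SHA-256 changes the ID length and which names pass the validity check, while the unpredictability of each ID is bounded by the random input, not by the digest's collision resistance.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Simplified model of a Manager that derives session identifiers by
 * digesting SecureRandom bytes with a configurable MessageDigest algorithm
 * (the "algorithm" attribute from the Manager documentation).
 * Illustration only; this is not Tomcat's implementation.
 */
public class SessionIdAlgorithmCheck {
    private static final int RANDOM_BYTES = 16; // assumed input size (128 bits)
    private final MessageDigest digest;
    private final SecureRandom random = new SecureRandom();

    /** Same failure as a bad "algorithm" value: MessageDigest must know the name. */
    public SessionIdAlgorithmCheck(String algorithm) throws NoSuchAlgorithmException {
        this.digest = MessageDigest.getInstance(algorithm);
    }

    /** One session ID: digest over fresh random bytes, hex encoded. */
    public String generateSessionId() {
        byte[] seed = new byte[RANDOM_BYTES];
        random.nextBytes(seed);
        byte[] out;
        synchronized (digest) { out = digest.digest(seed); }
        StringBuilder sb = new StringBuilder(out.length * 2);
        for (byte b : out) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Unpredictability is capped by the random input and the digest width. */
    public int entropyBitsPerId() {
        return Math.min(RANDOM_BYTES * 8, digest.getDigestLength() * 8);
    }

    public static void main(String[] args) {
        for (String alg : new String[] {"MD5", "SHA-1", "SHA-256", "NOT-A-DIGEST"}) {
            try {
                SessionIdAlgorithmCheck m = new SessionIdAlgorithmCheck(alg);
                System.out.printf("%-12s id=%s (%d hex chars, <= %d bits unpredictable)%n",
                        alg, m.generateSessionId(),
                        m.digest.getDigestLength() * 2, m.entropyBitsPerId());
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("%-12s rejected: not supported by MessageDigest%n", alg);
            }
        }
    }
}
```

A known MD5 collision lets an attacker craft two inputs with the same digest; it does not help recover or predict the secret random input behind an ID, which is why the strength of the random source matters more here than the digest choice.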

