Message-ID: <4962A0CF.1060001@apache.org>
Date: Tue, 06 Jan 2009 00:07:43 +0000
From: Mark Thomas
To: Tomcat Developers List
Subject: Re: Why are manager session tokens generated with MD5 by default?

Filip Hanik - Dev Lists wrote:
> you don't need to lobby, simply create a patch in Bugzilla

Although it is likely to get ignored / end up as WONTFIX. I don't see what the
security issue is here. How does an MD5 collision affect the security of the
session ID?

Mark

>
> Minoo Hamilton wrote:
>> I'd like to re-raise an issue, since I didn't get too much of a
>> response, originally. Who can I talk to to lobby to get the default
>> behavior of using MD5 session token hashes to change? If you weren't
>> aware of it, there has been a recent and highly-publicized breaking of
>> SSL, by creating a rogue certificate authority, using collisions in
>> MD5. Creating collisions in MD5 is no longer a "highly theoretical"
>> attack for potential session hijacking. I'd very much like to see the
>> default behavior of Tomcat session tokens become more secure by
>> default (possibly SHA-256). I think the default hashing algorithm
>> should not be a known broken and insecure one.
>>
>> MD5 considered harmful today
>> Creating a rogue CA certificate
>>
>> http://www.win.tue.nl/hashclash/rogue-ca/
>>
>> Any thoughts?
>>
>> Thanks,
>> Minoo Hamilton
>>
>>
>> Tim Funk wrote:
>>> It is probably due to old code which works just fine when SHA might
>>> not have been "easily available" in all JVMs. (back in 2002?)
>>>
>>> So a quick recap for folks ... a session id is generated by
>>> 1) Getting a random number
>>> 2) Hashing it
>>> 3) Converting the hashed bytes to something text [base64] so they fit
>>> in a cookie without extra work
>>>
>>> Steps 1-3 are repeated until enough chars are present for the
>>> configured session ID length.
>>>
>>> So if an attacker *could* get the reverse of the hash - it would be a
>>> random number. SessionId length is configurable - so you could change
>>> your session length to be larger so that multiple random numbers
>>> become digested. And then keep the session length small enough so
>>> that the next hash is not completely concatenated into the id. So at best
>>> the attack has one full hash plus part of another hash to work
>>> with. (As of this writing - I can't recall how many times digest is called
>>> by default so I'm not sure if a single full hash is in the session
>>> id, or part of one, or multiples)
>>>
>>> *** BUT *** If the random number and entropy to get the random number
>>> are "good enough" - hashing is already overkill. But in the case
>>> where the entropy and random number generator are "bad" - hashing
>>> provides another line of defense against determining the current
>>> random number and then being able to guess the next random number.
>>>
>>>
>>> -Tim
>>>
>>> Minoo Hamilton wrote:
>>>> Greetings Tomcat Developers,
>>>> I am a security researcher who has recently been getting into
>>>> Apache Tomcat security hardening. Forgive me if my failed attempt
>>>> to find the answer to this question has brought me prematurely to
>>>> this list. I've been trying to figure out why the Apache Tomcat 6
>>>> Manager component defaults to using the MD5 hash algorithm for
>>>> session token creation.
>>>> It has long been seen as a questionable
>>>> hash algorithm due to known collisions. Why not use SHA-1 by
>>>> default, instead? Has anybody looked at SecureRandom which uses
>>>> SHA-1? I assume eventually this should be SHA-2, as SHA-1 is coming
>>>> under increasing fire, as well.
>>>>
>>>> From: http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html
>>>>
>>>> |algorithm|
>>>>
>>>> Name of the /Message Digest/ algorithm used to calculate session
>>>> identifiers produced by this Manager. This value must be supported
>>>> by the |java.security.MessageDigest| class. If not specified, the
>>>> default value is "MD5".
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
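
The three-step recap in Tim Funk's quoted message, sketched in Java as an added example; it is not Tomcat's code and was not posted in this thread. The 16-byte random input, hex encoding, 40-character length, fixed seed and the `SessionIdSketch` name are assumptions chosen for illustration.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical sketch of the random -> hash -> text loop from the recap.
public class SessionIdSketch {

    // Repeats steps 1-3 until `length` characters exist, then truncates.
    static String generate(String algorithm, int length, Random rng)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        StringBuilder id = new StringBuilder();
        byte[] random = new byte[16];             // assumed input size
        while (id.length() < length) {
            rng.nextBytes(random);                // 1) get a random number
            byte[] hashed = md.digest(random);    // 2) hash it
            for (byte b : hashed) {               // 3) encode as text (hex here)
                id.append(String.format("%02x", b));
            }
        }
        // With MD5 and length 40 this is one full digest plus part of a second.
        return id.substring(0, length);
    }

    public static void main(String[] args) throws Exception {
        String[] algorithms = {"MD5", "SHA-256"};

        // Normal case: the digest only post-processes SecureRandom output.
        SecureRandom strong = new SecureRandom();
        for (String alg : algorithms) {
            System.out.println(alg + " + SecureRandom: " + generate(alg, 40, strong));
        }

        // Constructed weak case: two java.util.Random instances in the same
        // state. The ID is a deterministic function of the RNG output, so the
        // comparison shows whether the digest choice changes repeatability.
        for (String alg : algorithms) {
            String first = generate(alg, 40, new Random(42L));
            String second = generate(alg, 40, new Random(42L));
            System.out.println(alg + " + seeded Random, same ID twice: "
                    + first.equals(second));
        }
    }
}
```

The digest here is only ever applied to fresh generator output, never to attacker-chosen input, so the property the ID depends on is the unpredictability of the generator state.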