jenkins.util.JSONSignatureValidator#verifySignature(), line 81
Trace UUID: CGPQ-L8IQ-5ON4-X9MI
https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/f7ea7169-d4eb-42c4-b32e-5c0ea0ca9733/vulns/CGPQ-L8IQ-5ON4-X9MI/overview
Description
The code:
Risk
The hashing algorithm used, SHA1, has been found by researchers to be unsafe for protecting
sensitive data with today's technology.
Recommendation to fix this finding
Cryptography is hard. There are lots of little mistakes you can make in your cryptosystem that can leak information, or
worse - but choosing a known unsafe hashing algorithm can be a big mistake. This is why we wanted to alert you to the presence
of a hashing algorithm being used that doesn't meet our standards.
Obviously, there are lots of times when a hashing algorithm like MD5 or SHA-1 is used in a way that doesn't represent realistic
risk to your organization. However, if you find yourself needing to switch hashing algorithms, doing it in the code is
very easy; data migration is a much bigger problem. Here's code that gets an MD5 (http://en.wikipedia.org/wiki/MD5)
digester, which is considered broken by today's standards because it's not nearly as collision-resistant as
once thought:
The following code retrieves a SHA-256 (http://en.wikipedia.org/wiki/SHA-2) cipher, which is
considered much stronger for many reasons (including a 256-bit hash, which is less likely to fall victim
to a birthday attack (http://en.wikipedia.org/wiki/Birthday_attack)):
Attacks against unsafe digests are more than theoretical; undirected collisions can be found on an average laptop in a few
seconds. Directed collisions can be generated with relatively modest resources. That being said, all practical attacks would seem
to require cryptographers of rare quality and the resources of a mid- to large-sized organization. Therefore, you should carefully
decide how likely you are to face such an attack when estimating the severity of this issue.
There is a common saying in cryptography (attributed to the NSA), "Attacks always get better; they never get worse."
Make your cryptographic design accordingly!
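The digest swap the recommendation describes, as an added Java example that is not code from Jenkins or from the Contrast report: it refuses MD5 and SHA-1 for new hashes and verifies an RSA signature over a SHA-256 digest. The class name `DigestChoice`, the payload and the key pair are constructed for illustration, and the choice of `SHA256withRSA` as the signature scheme is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Locale;
import java.util.Set;

// Added illustration: class name, payload and key pair are constructed, not Jenkins code.
public class DigestChoice {
    // Digest names this example refuses for new hashes.
    private static final Set<String> WEAK = Set.of("MD5", "SHA1", "SHA-1");

    static byte[] digest(String algorithm, byte[] data) throws Exception {
        if (WEAK.contains(algorithm.toUpperCase(Locale.ROOT))) {
            throw new IllegalArgumentException("weak digest refused: " + algorithm);
        }
        return MessageDigest.getInstance(algorithm).digest(data);
    }

    // Verifies an RSA signature computed over a SHA-256 digest of the data.
    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key);
        v.update(data);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = "{\"id\":\"constructed-sample\"}".getBytes(StandardCharsets.UTF_8);
        // The flagged pattern next to its replacement: 160-bit SHA-1 vs 256-bit SHA-256.
        byte[] legacy = MessageDigest.getInstance("SHA-1").digest(payload);
        byte[] strong = digest("SHA-256", payload);
        System.out.println("SHA-1 bits: " + legacy.length * 8 + ", SHA-256 bits: " + strong.length * 8);

        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(payload);
        byte[] sig = s.sign();

        System.out.println("valid: " + verify(kp.getPublic(), payload, sig));
        payload[0] ^= 1; // flip one bit of the signed bytes
        System.out.println("tampered: " + verify(kp.getPublic(), payload, sig));
    }
}
```

Changing the algorithm name is the easy part the report mentions; anything already hashed or signed with the old digest has to be re-hashed or re-signed before the weak name can be dropped from the verifier.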