MohGovIL / hamagen-react-native

Israel's Ministry of Health's COVID-19 Exposure Prevention App
https://health.gov.il/
MIT License
508 stars 153 forks

Salt hash on BSSID with public prefix to avoid correlation with other sources #272

Closed emanuelb closed 3 years ago

emanuelb commented 4 years ago

See issue #271 for additional details. sha1 is used on BSSID without applying salting, thus correlation is possible with sources:

  1. collections of BSSIDs (just hash them, check if it's matched to what is stored on the device)
  2. collections of BSSIDs which use the same algorithm (such as another app which uses sha1(bssids) and leaks it to server-side)

Thus it's better to salt them with a public prefix such as: sha256('hamagenapp' + bssid) which will avoid the second possible correlation (as only the hamagen app will use the hamagenapp prefix), and increase the cost required for building a rainbow table (it will apply only for the hamagen app)

Depending on the intended usage of this feature it might be possible to add in addition a unique prefix as well.

kaplanlior commented 3 years ago

The file with the code mentioned here was removed at 4ff7b4815801abac19a8f5c71cf91a317d1e12b9