search

bcoin-org / bcoin

Javascript bitcoin library for node.js and browsers
https://bcoin.io
Other
2.98k stars 811 forks source link

Use of Weak Hashing Algorithms (MD5 and SHA1) during Client Initialization #1174

Open tianjk99 opened 7 months ago

tianjk99 commented 7 months ago

Please check if there is any problem with using weak cryptographic algorithms. The current implementation in the code utilizes the MD5 and SHA1 hash algorithm, which is considered weak and vulnerable to attacks such as collision and preimage attacks. This poses a security risk as it can potentially be exploited by malicious actors to compromise the integrity and confidentiality of the WebSocket communication.

  1. bcoin-master\node_modules\bsock\vendor\faye-websocket.js, line 1462
  2. bcoin-master\node_modules\bsock\vendor\faye-websocket.js, line 2919

Hybi.generateAccept = function(key) { var sha1 = crypto.createHash('sha1'); sha1.update(key + Hybi.GUID); return sha1.digest('base64'); };

` _handshakeSignature: function() { if (this._body.length < this.BODY_SIZE) return null;

var md5    = crypto.createHash('md5'),
    buffer = new Buffer(8 + this.BODY_SIZE);

buffer.writeUInt32BE(this._keyValues[0], 0);
buffer.writeUInt32BE(this._keyValues[1], 4);
new Buffer(this._body).copy(buffer, 8, 0, this.BODY_SIZE);

md5.update(buffer);
return new Buffer(md5.digest('binary'), 'binary');

},`

Sintayew4 commented 3 months ago

1174