ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

OTP Tokens are generated using outdated sha1 algorithm #99

Closed. zem closed this issue 1 year ago

zem commented 3 years ago

Is there a particular reason that OTP tokens are generated using sha1 rather than sha256 or sha512?

https://github.com/ubccr/mokey/blob/56aba60d5580a88d4399b41b97dc80f33adcd040/server/otp.go#L172

As sha1 is considered insecure as a hash algorithm, I would suggest going for sha256.

aebruno commented 3 years ago

Agreed, we should probably update this. The reason for using sha1 was that it seems to be the default in FreeIPA and in our testing it was supported by most mobile OTP client applications.
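
The point under discussion, shown as an added example rather than mokey's own code: in HOTP/TOTP (RFC 4226 / RFC 6238) the hash is a parameter of the token, chosen when the token is created and advertised to the client through the `algorithm` field of the otpauth:// URI. The code below assumes nothing about mokey's internals; the `Algorithm` type, `HOTP`, `TOTP`, `VerifyTOTP` and `ProvisioningURI` are illustrative names, and the secrets are the constructed ASCII keys from the RFC 6238 test vectors, so the SHA1, SHA256 and SHA512 outputs can be checked against the published table. It also shows the compatibility concern raised above: a token provisioned with `algorithm=SHA256` only works if the client app honours that parameter.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"net/url"
)

// Algorithm names the HMAC hash an OTP token is bound to. The choice is part of
// the token definition and is advertised to the client in the otpauth:// URI.
type Algorithm string

const (
	SHA1   Algorithm = "SHA1"
	SHA256 Algorithm = "SHA256"
	SHA512 Algorithm = "SHA512"
)

func (a Algorithm) hashFunc() (func() hash.Hash, error) {
	switch a {
	case SHA1:
		return sha1.New, nil
	case SHA256:
		return sha256.New, nil
	case SHA512:
		return sha512.New, nil
	}
	return nil, fmt.Errorf("unsupported OTP algorithm %q", a)
}

// HOTP implements RFC 4226: HMAC over the big-endian counter, then dynamic truncation.
func HOTP(alg Algorithm, secret []byte, counter uint64, digits int) (string, error) {
	newHash, err := alg.hashFunc()
	if err != nil {
		return "", err
	}
	mac := hmac.New(newHash, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// The low nibble of the last byte selects a 4-byte window; the top bit is cleared.
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod), nil
}

// TOTP implements RFC 6238: the counter is the number of step-second intervals since the epoch.
func TOTP(alg Algorithm, secret []byte, unixTime, step int64, digits int) (string, error) {
	return HOTP(alg, secret, uint64(unixTime/step), digits)
}

// VerifyTOTP accepts a code from the current step or up to skew steps either side,
// comparing in constant time and always checking every step so timing reveals nothing.
func VerifyTOTP(alg Algorithm, secret []byte, code string, unixTime, step int64, digits, skew int) (bool, error) {
	ok := false
	for i := -int64(skew); i <= int64(skew); i++ {
		want, err := TOTP(alg, secret, unixTime+i*step, step, digits)
		if err != nil {
			return false, err
		}
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok, nil
}

// ProvisioningURI builds the otpauth:// URI a client scans. The algorithm parameter is
// what makes a non-SHA1 token usable at all, so it must be present and the app must honour it.
func ProvisioningURI(issuer, account string, secret []byte, alg Algorithm, digits int, period int64) string {
	q := url.Values{}
	q.Set("secret", base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret))
	q.Set("issuer", issuer)
	q.Set("algorithm", string(alg))
	q.Set("digits", fmt.Sprint(digits))
	q.Set("period", fmt.Sprint(period))
	u := url.URL{Scheme: "otpauth", Host: "totp", Path: "/" + issuer + ":" + account, RawQuery: q.Encode()}
	return u.String()
}

func main() {
	// Constructed secret: the 32-byte RFC 6238 Appendix B key used for the SHA256 vectors.
	secret := []byte("12345678901234567890123456789012")
	code, _ := TOTP(SHA256, secret, 59, 30, 8)
	fmt.Println("SHA256 TOTP at t=59:", code) // RFC 6238 vector: 46119246
	fmt.Println(ProvisioningURI("example.org", "alice", secret, SHA256, 6, 30))
}
```

Switching the default from SHA1 to SHA256 is a one-line change in this structure (the `Algorithm` passed at token creation), but the URI handed to the user changes with it, which is why client support matters: an app that ignores `algorithm` will silently compute SHA1 codes and every login will fail.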

Jonathan-Caruana commented 2 years ago

Hello @aebruno

Do you know if it's still in the pipes to change the default algorithm at least to sha256? (Of course having the choice between sha1/sha256/sha512 could be cool)

Regards,

aebruno commented 2 years ago

@Jonathan-Caruana Yes, it's in the works. Hoping to release a new version of mokey soon.

Jonathan-Caruana commented 2 years ago

@aebruno Glad to read!

I will be attentive for the next version.

Thank you for your quick reply and for your work.

Regards,