[prev in list] [next in list] [prev in thread] [next in thread] 

List:       httpclient-commons-dev
Subject:    Re: use of MD5 and security violations
From:       Oleg Kalnichevski <olegk () apache ! org>
Date:       2008-10-28 15:13:39
Message-ID: 1225206819.6034.14.camel () ubuntu
[Download RAW message or body]

On Sat, 2008-10-25 at 13:33 +0200, Oleg Kalnichevski wrote:
> On Fri, 2008-10-24 at 13:45 +0100, sebb wrote:
> > On 24/10/2008, Lovette, Steve <steve.lovette@lmco.com> wrote:
> > > Sebbaz
> > >   From what I have read the use of algorithms that have been shown to be
> > >  breakable become unacceptable. There is literature on the web about
> > >  this. From reading the government NIST web site and the government STIGs
> > >  that recommend only the SHA-x algorithms to be used in sensitive
> > >  applications. MD5 is not a government approved algorithm to be used in
> > >  hashing functions where encryption is involved.
> > 
> > OK, but so what?
> > 
> > >  That said your point about HTTP client may well be the best counter
> > >  point. Since HTTP client runs on the client and the client is always
> > >  suspect then perhaps this is a sufficient argument.
> > 
> > I think you still misunderstand what HC is for.
> > 
> > It is irrelevant where HC runs; the point is that it is a client
> > library, i.e. it talks to servers.
> > 
> > If the server needs MD5 for something, then HC will use that.
> > HC does not use MD5 for its own purposes.
> > 
> 
> Sebastian, et al
> 
> I took a brief look at the DIGEST authentication scheme implementation
> in HttpClient 4.0 and it appears HttpClient will reject a challenge
> unless the specified digest algorithm is either MD5 or MD5-sess. As far
> as I can tell these are two algorithms mentioned in RFC 2617. There is
> no mentioning of SHA-x algorithms in the spec. However, it would
> certainly make sense to ensure HttpClient can support alternative
> digests, if the server requests an algorithm other than MD5 or MD5-sess.
> 
> Steve, 
> 
> If you think the present implementation of DIGEST authentication is not
> secure enough, feel free to open a JIRA for this issue
> 
> https://issues.apache.org/jira/browse/HTTPCLIENT 
> 
> Oleg
> 

DigestScheme can now use an arbitrary digest algorithm requested by the
target server (such SHA) as long as that algorithm is supported by the
Java runtime

Oleg

> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> For additional commands, e-mail: dev-help@hc.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

[prev in list] [next in list] [prev in thread] [next in thread]