Feature #1961

Add support for different hash functions

Added by wienczny over 10 years ago. Updated over 2 years ago.

Status: Fixed
Priority: Low
Assignee: -
Category: mod_secdownload
Target version:
Start date: 2009-04-13
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

Please add support for different hash functions for the token.

A new url could look like this:
<uri-prefix>/<token>/<hash_func>/<timestamp-in-hex>/<rel-path>

<hash_func> could be md5 or sha1 or something else

History

#1

Updated by icy over 10 years ago

  • Priority changed from Normal to Low

To be honest, I don't see any big advantage in this but maybe I am missing something. If so, please speak up :)

#2

Updated by wienczny over 10 years ago

MD5 should be considered broken and should not be used for crypto any more. I don't know of any attack that directly affects the security of your tokens but it makes me feel queasy that a new attack might spit out the secret one day. To be prepared for that, it's better to be able to operate with different hash functions.
I don't want you to discard md5 by now. You could leave it as default when no hash function is given.

#3

Updated by gstrauss over 2 years ago

  • Status changed from New to Fixed
  • Target version set to 1.4.x

mod_secdownload supports MD5 (the default), as well as HMAC-SHA1 and HMAC-SHA256, since lighttpd 1.4.38.
See Docs_ModSecDownload.

secdownload.algorithm     = <string>  ("md5", "hmac-sha1", "hmac-sha256")

It is better to enforce the algorithm used with a server-side config option, rather than to have the client able to specify a (weaker) option.
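Added example (not code from this ticket or from lighttpd itself): a generator for the three token forms named above, plus a model of the server-side check that takes the algorithm from configuration only, never from the URL. The token construction assumes the scheme described in Docs_ModSecDownload (md5: hex MD5 over secret + rel-path + timestamp-hex; hmac-*: base64url without padding of the HMAC over timestamp-hex + rel-path); the secret, prefix, timeout and timestamps are constructed sample values, and `verify_url` is an illustration of the check, not mod_secdownload's own code.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Shared secret and URI prefix: constructed sample values for this example.
SECRET = b"verysecret-example"
URI_PREFIX = "/dl"
ALGORITHMS = ("md5", "hmac-sha1", "hmac-sha256")   # the secdownload.algorithm values


def make_token(algorithm: str, secret: bytes, rel_path: str, ts: int) -> str:
    """Token for rel_path (leading '/') valid around unix timestamp ts.

    md5:        hex(md5(secret + rel_path + ts_hex))               (legacy default)
    hmac-sha*:  base64url(HMAC(secret, ts_hex + rel_path)), '=' padding stripped
    """
    ts_hex = f"{ts:08x}"
    if algorithm == "md5":
        return hashlib.md5(secret + rel_path.encode() + ts_hex.encode()).hexdigest()
    if algorithm in ("hmac-sha1", "hmac-sha256"):
        digestmod = hashlib.sha1 if algorithm == "hmac-sha1" else hashlib.sha256
        mac = hmac.new(secret, (ts_hex + rel_path).encode(), digestmod).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    raise ValueError(f"unknown secdownload.algorithm: {algorithm}")


def make_url(algorithm: str, secret: bytes, rel_path: str, ts: int) -> str:
    """Application side: <uri-prefix>/<token>/<timestamp-in-hex><rel-path>."""
    return f"{URI_PREFIX}/{make_token(algorithm, secret, rel_path, ts)}/{ts:08x}{rel_path}"


def verify_url(url: str, algorithm: str, secret: bytes, now: int,
               timeout: int = 60) -> Optional[str]:
    """Server side (model): return rel_path if url is valid, else None.

    The algorithm is the configured one; nothing in the URL can select a
    weaker one, which is the point made in comment #3 above.
    """
    if not url.startswith(URI_PREFIX + "/"):
        return None
    try:
        token, ts_hex, rest = url[len(URI_PREFIX) + 1:].split("/", 2)
    except ValueError:
        return None                      # too few path components
    if len(ts_hex) != 8:
        return None
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    # Reject links outside the validity window (past or future).
    if abs(now - ts) > timeout:
        return None
    rel_path = "/" + rest
    expected = make_token(algorithm, secret, rel_path, ts)
    # Constant-time comparison so timing does not leak how much of the token matched.
    if not hmac.compare_digest(expected, token):
        return None
    return rel_path


if __name__ == "__main__":
    now = 0x49E2E6A0                     # constructed timestamp
    for alg in ALGORITHMS:
        u = make_url(alg, SECRET, "/secret-file.txt", now)
        print(alg, u, verify_url(u, alg, SECRET, now))
```

Generating the link with one algorithm and verifying it under another fails, as does any change to the path or an out-of-window timestamp, which is what you want the server-side `secdownload.algorithm` setting to guarantee.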

#4

Updated by gstrauss over 2 years ago

  • Target version changed from 1.4.x to 1.4.38
