Feature #1961

closed

Add support for different hash functions

Added by wienczny over 15 years ago. Updated almost 8 years ago.

Status:
Fixed
Priority:
Low
Category:
mod_secdownload
Target version:

Description

Please add support for different hash functions for the token.

A new url could look like this:
<uri-prefix>/<token>/<hash_func>/<timestamp-in-hex>/<rel-path>

<hash_func> could be md5 or sha1 or something else

Actions #1

Updated by icy over 15 years ago

  • Priority changed from Normal to Low

To be honest, I don't see any big advantage in this but maybe I am missing something. If so, please speak up :)

Actions #2

Updated by wienczny over 15 years ago

MD5 should be considered broken and should not be used for crypto any more. I don't know of any attack that directly affects the security of your tokens but it makes me feel queasy that a new attack might spit out the secret one day. To be prepared for that, it's better to be able to operate with different hash functions.
I don't want you to discard md5 by now. You could leave it as default when no hash function is given.

Actions #3

Updated by gstrauss about 8 years ago

  • Status changed from New to Fixed
  • Target version set to 1.4.x

mod_secdownload supports MD5 (the default), as well as HMAC-SHA1 and HMAC-SHA256 since lighttpd 1.4.38.
See Docs_ModSecDownload.

secdownload.algorithm     = <string>  ("md5", "hmac-sha1", "hmac-sha256")

It is better to enforce the algorithm used with a server-side config option, rather than to have the client able to specify a (weaker) option.
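
The design point in comment #3, as an added Python sketch that is not part of the thread and not lighttpd's code: one verifier takes the algorithm from server configuration, the other takes it from the URL as first proposed in the description. The secret, the timeout, the hex token encoding and the message layout are assumptions made for illustration, and the `<uri-prefix>` is taken as already stripped.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed sample value
TIMEOUT = 60                         # seconds a link stays valid (assumed)

def token(algorithm, rel_path, ts_hex):
    # Message layout is an assumption for this sketch, not lighttpd's format.
    msg = (rel_path + ts_hex).encode()
    if algorithm == "md5":
        return hashlib.md5(SECRET + msg).hexdigest()
    digest = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256}[algorithm]
    return hmac.new(SECRET, msg, digest).hexdigest()

def _check(algorithm, tok, ts_hex, rel_path, now):
    try:
        issued = int(ts_hex, 16)
        expected = token(algorithm, rel_path, ts_hex)
    except (ValueError, KeyError):
        return False  # malformed timestamp or unknown algorithm name
    fresh = abs(now - issued) <= TIMEOUT
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return fresh and hmac.compare_digest(expected.encode(), tok.encode())

def verify_pinned(path, pinned, now):
    """<token>/<timestamp-in-hex>/<rel-path>; algorithm comes from config."""
    parts = path.split("/", 2)
    if len(parts) != 3:
        return False
    tok, ts_hex, rel = parts
    return _check(pinned, tok, ts_hex, "/" + rel, now)

def verify_client_selected(path, now):
    """<token>/<hash_func>/<timestamp-in-hex>/<rel-path>, as first proposed."""
    parts = path.split("/", 3)
    if len(parts) != 4:
        return False
    tok, algorithm, ts_hex, rel = parts
    # The request itself names the algorithm, so the weakest one the server
    # still implements stays accepted no matter what the operator prefers.
    return _check(algorithm, tok, ts_hex, "/" + rel, now)
```

With the algorithm pinned to hmac-sha256, a URL carrying an otherwise valid md5 token is rejected, while the client-selected variant keeps accepting it for as long as md5 remains implemented.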

Actions #4

Updated by gstrauss almost 8 years ago

  • Target version changed from 1.4.x to 1.4.38