Feature #1961
closed
Add support for different hash functions
Description
Please add support for different hash functions for the token.
A new url could look like this:
<uri-prefix>/<token>/<hash_func>/<timestamp-in-hex>/<rel-path>
<hash_func> could be md5 or sha1 or something else
Updated by icy over 15 years ago
- Priority changed from Normal to Low
To be honest, I don't see any big advantage in this but maybe I am missing something. If so, please speak up :)
Updated by wienczny over 15 years ago
MD5 should be considered broken and should not be used for crypto any more. I don't know of any attack that directly affects the security of your tokens but it makes me feel queasy that a new attack might spit out the secret one day. To be prepared for that, it's better to be able to operate with different hash functions.
I don't want you to discard md5 by now. You could leave it as default when no hash function is given.
Updated by gstrauss almost 8 years ago
- Status changed from New to Fixed
- Target version set to 1.4.x
mod_secdownload supports MD5 (the default), as well as HMAC-SHA1 and HMAC-SHA256 since lighttpd 1.4.38
See Docs_ModSecDownload
secdownload.algorithm = <string> ("md5", "hmac-sha1", "hmac-sha256")
It is better to enforce the algorithm used with a server-side config option, rather than to have the client able to specify a (weaker) option.
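Added example, not part of the original thread and not lighttpd's code: a sketch of why pinning the algorithm server-side differs from the URL layout proposed in this ticket, where the client names the hash function. The secret, timestamp and function names are constructed for illustration, and the token construction in `make_token` is an assumption, not mod_secdownload's exact format.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"  # constructed sample value
ALGORITHMS = ("md5", "hmac-sha1", "hmac-sha256")  # names from secdownload.algorithm

def make_token(alg, rel_path, ts_hex, secret=SECRET):
    # Assumed, illustrative construction; not lighttpd's exact token format.
    msg = (rel_path + ts_hex).encode()
    if alg == "md5":
        return hashlib.md5(secret + msg).hexdigest()
    digest = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256}[alg]
    mac = hmac.new(secret, msg, digest).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def _check(alg, token, ts_hex, rel_path, now, timeout):
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    if abs(now - ts) > timeout:  # expired or far-future link
        return False
    expected = make_token(alg, rel_path, ts_hex)
    return hmac.compare_digest(expected.encode(), token.encode())

def verify_client_chosen(path, now, timeout=60):
    # Layout proposed in this ticket: /<token>/<hash_func>/<timestamp-in-hex>/<rel-path>
    parts = path.split("/", 4)
    if len(parts) != 5 or parts[2] not in ALGORITHMS:
        return False
    _, token, alg, ts_hex, rel = parts
    return _check(alg, token, ts_hex, "/" + rel, now, timeout)

def verify_pinned(path, now, pinned_alg="hmac-sha256", timeout=60):
    # Layout without <hash_func>: /<token>/<timestamp-in-hex>/<rel-path>
    parts = path.split("/", 3)
    if len(parts) != 4:
        return False
    _, token, ts_hex, rel = parts
    return _check(pinned_alg, token, ts_hex, "/" + rel, now, timeout)

if __name__ == "__main__":
    now = 0x60000000  # constructed timestamp
    ts = format(now, "x")
    weak = make_token("md5", "/file.bin", ts)
    print(verify_client_chosen(f"/{weak}/md5/{ts}/file.bin", now))  # weaker algorithm honoured
    print(verify_pinned(f"/{weak}/{ts}/file.bin", now))             # weaker token refused
```

With the client-chosen layout, every algorithm the server still implements stays usable for as long as it remains in the code; with the pinned layout, changing one config value retires the old algorithm for all links.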
Updated by gstrauss almost 8 years ago
- Target version changed from 1.4.x to 1.4.38