Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Spring security authentication management vulnerability

Tags:

java

security

spring

spring-security

Spring documentation says that remember me is implemented by storing following information in cookie -

base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))

I have following confusions -

  1. Why use an unsecure hash like MD5 to digest the information instead of using SHA-1 or SHA-2. Would the performance hit from these be significant for such a small piece of information?

  2. Why transmit this information over the network at all? Why not maintain a map of cryptographically secure random number and this info on the server, returning only the map key as a cookie. AFAIK this is the approach used by Servlet API and is deemed more secure.

like image 662
Kshitiz Sharma Avatar asked Apr 20 '12 05:04

Kshitiz Sharma

1 Answers

Lets begin with the second question because it is the more relevant one:

second question "Why transmit the password over the network at all...." answer:

Because what you described is only the Simple Hash-Based Token Approach

If you scroll down the page Spring Security Reference: Chapter 10 Remember-Me Authentication you will see that spring security can also use a different remember me approaches: Chapter 10.3 Persistent Token Approach. And this is what you suggested in your second question.

first question: Short answer to "Would the performance hit from these be significant for such a small piece of information?" - No

So if you want to use the Simple Hash-Based Token Approach and feel that MD5 is to unsecured, then you can subclass TokenBasedRememberMeService [javadoc] and override the String makeTokenSignature(long tokenExpiryTime, String username, String password) method. For example (untested)

protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
    String data = username + ":" + tokenExpiryTime + ":" + password + ":" + getKey();
    MessageDigest digest;
    try {
        digest = MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("No SHA-256 algorithm available!");
    }

    return new String(Hex.encode(digest.digest(data.getBytes())));
}
like image 144
Ralph Avatar answered Nov 04 '22 01:11

Ralph
Sign in to Comment

Related questions

java - How to create an instance of generic type T
An interesting Google interview algorithm I found online that requires linear time [closed]
Fastest way to generate all binary strings of size n into a boolean array?
MyBatis - defining a global parameter
Which payment system has good integration with Java?
Java JTable detect Column re-sized by user
Putting into a Map<String, ?>
How Eclipse terminate a running program?
Enforcing java annotations at compile time
Quartz scheduler max thread count property
Can C++ call Java code?
Java7 sqljdbc4 - SQL error 08S01 on getConnection()
Is the '.' for member access considered an operator in Java?
XML Schema: replacing imports with corresponding schema
Specifying the field naming policy for Jackson
Spring @Autowired @Lazy
How I can extract the RandomForest from R for use in production?
How can I find Saturdays and Sundays in A given month?
Can't run Java example for Selenium / WebDriver
Anti-hack solution for a secret key in Android app?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!