bcoin Use of Weak Hashing Algorithms (MD5 and SHA1) during Client Initialization

Use of Weak Hashing Algorithms (MD5 and SHA1) during Client Initialization

Open tianjk99 opened this issue 1 year ago • 1 comments

Please check if there is any problem with using weak cryptographic algorithms. The current implementation in the code utilizes the MD5 and SHA1 hash algorithm, which is considered weak and vulnerable to attacks such as collision and preimage attacks. This poses a security risk as it can potentially be exploited by malicious actors to compromise the integrity and confidentiality of the WebSocket communication.

bcoin-master\node_modules\bsock\vendor\faye-websocket.js, line 1462
bcoin-master\node_modules\bsock\vendor\faye-websocket.js, line 2919

Hybi.generateAccept = function(key) { var sha1 = crypto.createHash('sha1'); sha1.update(key + Hybi.GUID); return sha1.digest('base64'); };

` _handshakeSignature: function() { if (this._body.length < this.BODY_SIZE) return null;

var md5    = crypto.createHash('md5'),
    buffer = new Buffer(8 + this.BODY_SIZE);

buffer.writeUInt32BE(this._keyValues[0], 0);
buffer.writeUInt32BE(this._keyValues[1], 4);
new Buffer(this._body).copy(buffer, 8, 0, this.BODY_SIZE);

md5.update(buffer);
return new Buffer(md5.digest('binary'), 'binary');

},`

Nov 30 '23 09:11 tianjk99

#1174

Apr 11 '24 18:04 Sintayew4

bcoin bcoin copied to clipboard

Use of Weak Hashing Algorithms (MD5 and SHA1) during Client Initialization

bcoin
bcoin copied to clipboard