
OTP tokens are generated using outdated sha1 algorithm

Open zem opened this issue 4 years ago • 4 comments

Is there a particular reason that OTP tokens are generated using sha1 rather than sha256 or sha512?

https://github.com/ubccr/mokey/blob/56aba60d5580a88d4399b41b97dc80f33adcd040/server/otp.go#L172

As sha1 is considered insecure as a hash algorithm, I would suggest going for sha256.

zem avatar Aug 09 '21 06:08 zem

Agreed, we should probably update this. The reason for using sha1 was that it seems to be the default in FreeIPA and in our testing it was supported by most mobile OTP client applications.

aebruno avatar Aug 09 '21 14:08 aebruno

Hello @aebruno

Do you know if it's still in the pipes to change the default algorithm at least to sha256? (Of course having the choice between sha1/sha256/sha512 could be cool)

Regards,

Jonathan-Caruana avatar Feb 08 '22 17:02 Jonathan-Caruana
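A TOTP generator with a selectable HMAC hash, added here as an example and not mokey's own otp.go code: the RFC 6238 computation is identical for sha1/sha256/sha512, and the only thing that must change alongside it is the `algorithm` parameter in the otpauth provisioning URI that the client reads. The issuer, account name and secret below are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"math"
	"strings"
)

// Hashes maps the otpauth "algorithm" parameter to the HMAC hash it selects.
var Hashes = map[string]func() hash.Hash{"SHA1": sha1.New, "SHA256": sha256.New, "SHA512": sha512.New}

// TOTP computes an RFC 6238 code for a Unix timestamp: HMAC over the time-step
// counter with the selected hash, then RFC 4226 dynamic truncation to `digits`.
func TOTP(secret []byte, unix int64, algorithm string, digits, period int) (string, error) {
	newHash, ok := Hashes[strings.ToUpper(algorithm)]
	if !ok {
		return "", fmt.Errorf("unsupported OTP algorithm %q", algorithm)
	}
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unix/int64(period)))
	mac := hmac.New(newHash, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // low nibble of the last byte picks the offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits))), nil
}

// OTPAuthURI builds the provisioning URI. The algorithm parameter must be present
// and match the server's choice: a client that does not see it assumes SHA1.
func OTPAuthURI(issuer, account string, secret []byte, algorithm string, digits, period int) string {
	b32 := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=%s&digits=%d&period=%d",
		issuer, account, b32, issuer, strings.ToUpper(algorithm), digits, period)
}

func main() {
	secret := []byte("12345678901234567890") // constructed: the RFC 6238 Appendix B SHA1 seed
	for _, algo := range []string{"SHA1", "SHA256", "SHA512"} {
		code, _ := TOTP(secret, 59, algo, 8, 30)
		fmt.Println(algo, code, OTPAuthURI("mokey", "alice", secret, algo, 8, 30))
	}
}
```

Because the same secret yields a different code under each hash, a client that ignores the URI's algorithm parameter produces codes the server rejects, which is the compatibility risk behind keeping sha1 as the default.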

@Jonathan-Caruana Yes, it's in the works. Hoping to release a new version of mokey soon.

aebruno avatar Feb 08 '22 18:02 aebruno

@aebruno Glad to read!

I will be attentive for the next version.

Thank you for your quick reply and for your work.

Regards,

Jonathan-Caruana avatar Feb 09 '22 10:02 Jonathan-Caruana