Spring Security的BCrypt实现容易受到攻击吗? [英] Is Spring Security's BCrypt implementation vulnerable?
问题描述
我们公司的安全审核发现,我们的bcrypt散列的前缀为"$ 2a $".根据[1]和[2],这可能表明使用了较旧的,易受攻击的bcrypt实现.
所以-这是我的问题:
- Spring Security的bcrypt实现是否包含漏洞?
- Spring Security是否支持"$ 2x $"和"$ 2y $"前缀?
参考文献:
[1] http://blog.ircmaxell. com/2012/12/seven-ways-to-screw-up-bcrypt.html
[2] http://www.openwall.com/lists/oss-security/2011/06/21/16
-
您提供的链接与BCrypt的C实现中的漏洞有关. Spring Security实现是 jBCrypt 的分支,这是用Java编写的另一种实现./p>
A security audit at our company found that the prefix of our bcrypt hashes are "$2a$". According to [1] and [2] this could indicate that an older, vulnerable bcrypt implementation is used.
So - here my questions:
- Does Spring Security's bcrypt implementation contain the vulnerability?
- Does Spring Security support the "$2x$" and "$2y$" prefixes?
References:
[1] http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
[2] http://www.openwall.com/lists/oss-security/2011/06/21/16
The links you provide is about a vulnerability in the C implementation of BCrypt. The Spring Security implementation is a fork of jBCrypt, which is a different implementation written in Java.
Looking at the source code, as of version 3.2.5, Spring Security doesn't support "$2x$" and "$2y$" prefixes. The implementation does not contain the C vulnerability but it is not inter-operable with current C based implementation (like PHP).
这篇关于Spring Security的BCrypt实现容易受到攻击吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!