Is Spring Security's BCrypt implementation vulnerable?


Problem description


A security audit at our company found that the prefix of our bcrypt hashes is "$2a$". According to [1] and [2] this could indicate that an older, vulnerable bcrypt implementation is used.

So, here are my questions:

  1. Does Spring Security's bcrypt implementation contain the vulnerability?
  2. Does Spring Security support the "$2x$" and "$2y$" prefixes?

References:
[1] http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
[2] http://www.openwall.com/lists/oss-security/2011/06/21/16

Solution

  1. The links you provide are about a vulnerability in the C implementation of BCrypt. The Spring Security implementation is a fork of jBCrypt, which is a different implementation written in Java.

  2. Looking at the source code, as of version 3.2.5, Spring Security doesn't support the "$2x$" and "$2y$" prefixes. The implementation does not contain the C vulnerability, but it is not interoperable with current C-based implementations (like PHP).
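The interoperability point in the answer, as an added example that is not part of the original answer or of Spring Security: a small audit helper that reads the revision marker and cost factor from a stored bcrypt string, states what each marker does and does not tell you about the implementation that produced it, and verifies a "$2y$" hash coming from a C-based implementation (PHP's password_hash, for instance) against Spring Security's BCrypt class by rewriting the marker to "$2a$", since "$2y$" denotes the same computation as a correct "$2a$". It assumes spring-security-crypto on the classpath and uses only BCrypt.gensalt, BCrypt.hashpw and BCrypt.checkpw; the class BcryptPrefixAudit and its methods are invented for the illustration, and the "$2y$" sample is constructed from a freshly generated hash rather than taken from a real PHP system.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCrypt;

/**
 * Audit helper for stored bcrypt strings (example code, not part of Spring Security):
 * read the revision marker and cost, explain the marker, and verify a hash against
 * Spring Security's jBCrypt-derived BCrypt class, rewriting "$2y$" to "$2a$" where needed.
 */
public final class BcryptPrefixAudit {

    // $2<rev>$<cost>$<22-char salt><31-char digest>; rev is empty ($2$) or one of a, x, y.
    private static final Pattern BCRYPT = Pattern.compile(
            "\\A\\$2([axy]?)\\$(\\d\\d)\\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}\\z");

    public static final class Parsed {
        public final String revision;
        public final int cost;

        Parsed(String revision, int cost) {
            this.revision = revision;
            this.cost = cost;
        }
    }

    public static Parsed parse(String stored) {
        Matcher m = BCRYPT.matcher(stored);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a bcrypt string");
        }
        return new Parsed(m.group(1), Integer.parseInt(m.group(2)));
    }

    /** What the revision marker tells an auditor, and what it cannot tell. */
    public static String describe(String stored) {
        Parsed p = parse(stored);
        switch (p.revision) {
            case "":
                return "$2$ (original revision), cost " + p.cost;
            case "a":
                return "$2a$, cost " + p.cost + ": produced either by a correct implementation "
                        + "(OpenBSD, jBCrypt, Spring Security) or by crypt_blowfish < 1.1 with the "
                        + "sign-extension bug; the prefix alone cannot distinguish them";
            case "x":
                return "$2x$, cost " + p.cost + ": crypt_blowfish marking a hash computed WITH the bug";
            default:
                return "$2y$, cost " + p.cost + ": crypt_blowfish >= 1.1 (e.g. PHP password_hash), "
                        + "same computation as a correct $2a$";
        }
    }

    /**
     * Spring Security 3.2.5's BCrypt.hashpw throws IllegalArgumentException for any revision
     * other than $2$ / $2a$. A $2y$ hash is the same computation as a correct $2a$, so rewriting
     * the marker lets it be verified. A $2x$ hash records that the buggy algorithm was used; a
     * correct implementation reproduces it only for passwords with no bytes >= 0x80, so it is
     * refused here and should instead be re-hashed at the user's next successful login.
     */
    public static String toSpringCompatible(String stored) {
        Parsed p = parse(stored);
        switch (p.revision) {
            case "":
            case "a":
                return stored;
            case "y":
                return "$2a$" + stored.substring(4);
            default:
                throw new IllegalArgumentException("$2x$ hash cannot be verified by a correct implementation; re-hash it");
        }
    }

    public static boolean checkpw(String password, String stored) {
        return BCrypt.checkpw(password, toSpringCompatible(stored));
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple";
        String fresh = BCrypt.hashpw(password, BCrypt.gensalt(10)); // Spring Security emits a $2a$ hash
        System.out.println(describe(fresh));

        // Constructed sample: the same hash as crypt_blowfish >= 1.1 / PHP would label it.
        String fromPhp = "$2y$" + fresh.substring(4);
        System.out.println(describe(fromPhp));
        try {
            BCrypt.checkpw(password, fromPhp);
            System.out.println("this Spring Security release accepts $2y$ directly");
        } catch (IllegalArgumentException e) {
            System.out.println("raw BCrypt.checkpw rejects $2y$: " + e.getMessage());
        }
        System.out.println("after marker rewrite, correct password: " + checkpw(password, fromPhp));
        System.out.println("after marker rewrite, wrong password:   " + checkpw("Tr0ub4dor&3", fromPhp));
    }
}
```

Run it with spring-security-crypto on the classpath. On a release like the 3.2.5 discussed in the answer, the raw BCrypt.checkpw call on the "$2y$" string lands in the catch branch and the rewritten check still succeeds; if the installed release already accepts "$2y$", the try block reports that and the rewrite changes nothing. The helper deliberately never rewrites "$2x$": that marker means the hash was produced by the buggy algorithm, which a correct Java implementation does not reproduce for non-ASCII passwords, so the only sound migration is to re-hash when the user next authenticates.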

