[Repoze-dev] auth_tkt: enable overriding digest algorithms

14 views
Skip to first unread message

Jan Pokorný

unread,
Mar 2, 2012, 8:48:18 AM3/2/12
to paste...@googlegroups.com, repoz...@lists.repoze.org
Hello,

currently, original mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5. Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly
applicable to mod_auth_tkt, which primarily relies on the security
of the shared secret rather than the strength of the hashing scheme.
More paranoid users will probably prefer to use one of the SHA digest
types, however.

The default is likely to change in a future version, so setting the
digest type explicitly is encouraged.
----^----

I've made a modification to Paste's auth_tkt auth module to allow
overriding of default MD5 digest:

https://bitbucket.org/jnpkrn/paste/changeset/5499c61eb27f

Is the proposed change likely to be accepted?

I am CC'ing repoze-dev as repoze.who.plugins.auth_tkt could also
benefit from this change (is the change integration-ready?).

[1] http://linux.die.net/man/3/mod_auth_tkt

Thanks,
Jan
_______________________________________________
Repoze-dev mailing list
Repoz...@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev

Jan Pokorný

unread,
Mar 5, 2012, 3:24:32 PM3/5/12
to paste...@googlegroups.com, ianbi...@gmail.com, repoz...@lists.repoze.org
On 02/03/12 14:48 +0100, Jan Pokorný wrote:
>Hello,
>
>currently, original mod_auth_tkt supports also SHA256 and SHA 512 [1],
>not just plain MD5. Quoting:
>
>----v----
>The default is MD5, which is faster, but has now been shown to be
>vulnerable to collision attacks. Such attacks are not directly
>applicable to mod_auth_tkt, which primarily relies on the security
>of the shared secret rather than the strength of the hashing scheme.
>More paranoid users will probably prefer to use one of the SHA digest
>types, however.
>
>The default is likely to change in a future version, so setting the
>digest type explicitly is encouraged.
>----^----
>
>I've made a modification to Paste's auth_tkt auth module to allow
>overriding of default MD5 digest:
>
>https://bitbucket.org/jnpkrn/paste/changeset/5499c61eb27f
>

Update (based Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).

The new version:
https://bitbucket.org/jnpkrn/paste/changeset/69404df8a13d (branch v2)

Any more comments or is it ready for pull request?

Tres Seaver

unread,
Mar 5, 2012, 3:50:43 PM3/5/12
to Jan Pokorný, repoz...@lists.repoze.org, paste...@googlegroups.com, ianbi...@gmail.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/05/2012 03:24 PM, Jan Pokorný wrote:
> On 02/03/12 14:48 +0100, Jan Pokorný wrote:
>> Hello,
>>
>> currently, original mod_auth_tkt supports also SHA256 and SHA 512
>> [1], not just plain MD5. Quoting:
>>
>> ----v---- The default is MD5, which is faster, but has now been
>> shown to be vulnerable to collision attacks. Such attacks are not
>> directly applicable to mod_auth_tkt, which primarily relies on the
>> security of the shared secret rather than the strength of the
>> hashing scheme. More paranoid users will probably prefer to use one
>> of the SHA digest types, however.
>>
>> The default is likely to change in a future version, so setting the
>> digest type explicitly is encouraged. ----^----
>>
>> I've made a modification to Paste's auth_tkt auth module to allow
>> overriding of default MD5 digest:
>>
>> https://bitbucket.org/jnpkrn/paste/changeset/5499c61eb27f
>>
>
> Update (based Ian's comments): The algorithm can also be specified as
> a string referring to the algorithm known to hashlib (otherwise
> AttributeError will be raised).
>
> The new version:
> https://bitbucket.org/jnpkrn/paste/changeset/69404df8a13d (branch v2)
>
> Any more comments or is it ready for pull request?
>
>> I am CC'ing repoze-dev as repoze.who.plugins.auth_tkt could also
>> benefit from this change (is the change integration-ready?).

Assuming a new release of paste becomes available supporting this
feature, I have no problem extending the r.who plugin to expose it.


Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tse...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9VJyIACgkQ+gerLs4ltQ4FugCePlj2dDmCpWWnu5DU3EseSu2Y
2lsAoKSjpZAntc56fOMd/wvcG/oj7ol6
=PyRv
-----END PGP SIGNATURE-----

Reply all
Reply to author
Forward
0 new messages