You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses, and one was within this project.
The class PaymentGatewayTamperProofSealServiceImpl [2] uses HmacSHA1 as a parameter to the initialization of the class SecretKeySpec. By now, it is possible to have collisions with SHA1 and thus are not considered secure any longer. Therefore, one should not use it any longer when one can not guarantee that the private key stays private. Instead, more modern algorithms like HmacSHA256, HmacSHA384, HmacSHA512 should be used.
I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses, and one was within this project.
[1] https://github.com/CROSSINGTUD/CryptoAnalysis
[2] https://sourcegraph.com/github.com/BroadleafCommerce/BroadleafCommerce/-/blob/common/src/main/java/org/broadleafcommerce/common/payment/service/PaymentGatewayTamperProofSealServiceImpl.java?L44
The text was updated successfully, but these errors were encountered: