Is Spring Security's BCrypt implementation vulnerable?

Submitted by 半世苍凉 on 2019-12-08 06:45:51

Question


A security audit at our company found that the prefix of our bcrypt hashes is "$2a$". According to [1] and [2] this could indicate that an older, vulnerable bcrypt implementation is used.

So - here are my questions:

  1. Does Spring Security's bcrypt implementation contain the vulnerability?
  2. Does Spring Security support the "$2x$" and "$2y$" prefixes?

References:
[1] http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
[2] http://www.openwall.com/lists/oss-security/2011/06/21/16


Answer 1:


  1. The links you provide are about a vulnerability in the C implementation of BCrypt. The Spring Security implementation is a fork of jBCrypt, which is a different implementation written in Java.

  2. Looking at the source code, as of version 3.2.5, Spring Security doesn't support the "$2x$" and "$2y$" prefixes. The implementation does not contain the C vulnerability, but it is not interoperable with current C-based implementations (like PHP).
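An added example in Python, not code from the question, the answer or Spring Security itself: a small parser for the bcrypt modular-crypt format that inventories which stored hashes carry a prefix an encoder limited to "$2a$" (as the answer describes for Spring Security 3.2.5) would accept. The sample hashes are constructed, not real password hashes, and the 4..31 cost-factor range is an assumption about what the encoder tolerates.

```python
import re

# Modular-crypt layout of a bcrypt string: $<version>$<cost>$<22-char salt><31-char hash>
# The radix-64 alphabet is bcrypt's own (./A-Za-z0-9), not standard base64.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)

# Prefixes the Spring Security 3.2.5 encoder understands, per the answer above.
SPRING_3_2_5_PREFIXES = {"2a"}


def parse_bcrypt(hashed: str) -> dict:
    """Split a bcrypt string into version, cost, salt and hash; ValueError if malformed."""
    m = BCRYPT_RE.match(hashed)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    fields = m.groupdict()
    fields["cost"] = int(fields["cost"])
    # Assumed cost range; values outside it are treated as corrupt records.
    if not 4 <= fields["cost"] <= 31:
        raise ValueError("bcrypt cost factor out of range")
    return fields


def audit_hashes(hashes, supported=SPRING_3_2_5_PREFIXES) -> dict:
    """Classify each stored hash as 'ok', 'unsupported_prefix:<v>' or 'malformed'."""
    report = {}
    for h in hashes:
        try:
            version = parse_bcrypt(h)["version"]
        except ValueError:
            report[h] = "malformed"
            continue
        report[h] = "ok" if version in supported else f"unsupported_prefix:{version}"
    return report


# Constructed sample records (salt and hash bytes are placeholders, not real digests).
SAMPLE_HASHES = [
    "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2x$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2a$03$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$1$notbcrypt",
]

if __name__ == "__main__":
    for record, verdict in audit_hashes(SAMPLE_HASHES).items():
        print(f"{verdict:24} {record}")
```

Rows flagged as unsupported_prefix are the ones a "$2a$"-only encoder cannot verify, which is the interoperability gap the answer points at rather than a sign of the C bug.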



Source: https://stackoverflow.com/questions/29740597/is-spring-securitys-bcrypt-implementation-vulnerable
