Using predictable/constant cryptographic key when creating and verifing Json Web Token. #143
Comments
|
已收到 ,谢谢
|
|
来信已收到,非常感谢
|
|
Thank you for your advice,I'm very glad to hear from you。
…---Original---
From: ***@***.***>
Date: Tue, Dec 6, 2022 14:25 PM
To: ***@***.***>;
Cc: ***@***.***>;
Subject: [JeffLi1993/springboot-learning-example] Using predictable/constantcryptographic key when creating and verifing Json Web Token. (Issue #143)
Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e.,springboot-learning-example) from Github, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: com.dashuai.learning.jwt.utils; Class: JWTUtil.class
Security issue: Using predictable/constant cryptographic key when creating and verifing Json Web Token. (The key is hard-coded and not have enough strength. It is suggest the length of HMAC key is as long as the length of the output. )
I noticed that your comment mentioned the security issue of the short key, and I suggest that you also add an analysis or hint about the security issue of the hardcoded key.
Using a predictable/constant secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended to use a more secure way to store the secret used to generate the JWT and use a strong enough key to improve the security of the project. (For the hazards of predictable/constant secret, you can refer to CWE-321, NIST Special Publication 800-57).
We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e.,springboot-learning-example) from Github, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: com.dashuai.learning.jwt.utils; Class: JWTUtil.class
Security issue: Using predictable/constant cryptographic key when creating and verifing Json Web Token. (The key is hard-coded and not have enough strength. It is suggest the length of HMAC key is as long as the length of the output. )
I noticed that your comment mentioned the security issue of the short key, and I suggest that you also add an analysis or hint about the security issue of the hardcoded key.
Using a predictable/constant secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended to use a more secure way to store the secret used to generate the JWT and use a strong enough key to improve the security of the project. (For the hazards of predictable/constant secret, you can refer to CWE-321, NIST Special Publication 800-57).
We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.
The text was updated successfully, but these errors were encountered: