Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enforce more secure XML encryption #584

Merged
merged 1 commit into from May 10, 2021

Conversation

cjbarth
Copy link
Collaborator

@cjbarth cjbarth commented Apr 28, 2021

Add newer encryption algorithms and remove insecure ones.

Checklist:

Add newer encryption algorithms and remove insecure ones.
@cjbarth cjbarth linked an issue Apr 28, 2021 that may be closed by this pull request
@cjbarth cjbarth added this to the 3.0.0 milestone Apr 28, 2021
@markstos
Copy link
Contributor

Here's a reference to Triple DES being considered insecure now:
https://security.stackexchange.com/questions/146710/is-the-3des-algorithm-secure

Here's a reference about AES 256 GCM being considered secure:
https://security.stackexchange.com/questions/184305/why-would-i-ever-use-aes-256-cbc-if-aes-256-gcm-is-more-secure

And regarding the final addition, AES-128-GCM, this reference says it's preferable in some cases over AES-256-GCM for performance reasons:

https://crypto.stackexchange.com/questions/77750/why-gcm-operation-mode-with-aes-128-is-recomended-and-can-we-use-aes-192-and-aes

Given the above, I approve this for 3.0.0, which is making other breaking changes anyway.

@markstos markstos requested review from markstos and gugu May 10, 2021 18:06
@cjbarth cjbarth merged commit 8d35454 into node-saml:master May 10, 2021
3 checks passed
@cjbarth cjbarth deleted the updated-xml-encryption branch May 10, 2021 19:18
@cjbarth cjbarth added the semver-major This change requires at least a semver-major version bump label May 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
semver-major This change requires at least a semver-major version bump
Projects
None yet
Development

Successfully merging this pull request may close these issues.

better integration with xml-encryption 1.1.0 release
2 participants