MD4 flagged as security issue #82

Closed
rtfmoz2 opened this issue Apr 3, 2022 · 1 comment
Comments

Contributor

rtfmoz2 commented Apr 3, 2022

/projects/alpaca/authenticator.go:30:2 package golang.org/x/crypto/md4 is deprecated: MD4 is cryptographically broken and should should only be used where compatibility with legacy systems, not security, is the goal. Instead, use a secure hash like SHA-256 (from crypto/sha256). (SA1019)

Is it too soon to deprecate NTLMv1 support?

Owner

samuong commented Apr 4, 2022

According to https://en.wikipedia.org/wiki/NT_LAN_Manager#Protocol:

NTLMv2 uses the NT MD4 based one-way function (NTOWF)

Alpaca uses https://github.com/Azure/go-ntlmssp, which only supports NTLMv2 (and not v1). Unfortunately this still requires an MD4-hashed password.

Short of removing NTLM support, I don't think there's much we can do here.

I'm going to close this issue, but feel free to reopen if I've missed something.

samuong closed this as completed Apr 4, 2022
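Where MD4 enters NTLMv2, as an added example that is not part of the issue thread and is not code from Alpaca or go-ntlmssp: the NTOWFv2 one-way function as defined in MS-NLMP, with a small MD4 inlined so it runs without golang.org/x/crypto. The function names and the User/Domain/Password sample credentials are assumptions of this example.

```go
package main
import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)
// md4 is a compact RFC 1320 MD4, inlined only so this example has no dependencies.
func md4(m []byte) []byte {
	s := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	pad := make([]byte, 9+(119-len(m)%64)%64) // 0x80, zeros, 64-bit bit length
	pad[0] = 0x80
	binary.LittleEndian.PutUint64(pad[len(pad)-8:], uint64(len(m))*8)
	m = append(m[:len(m):len(m)], pad...) // copy, never write into the caller's buffer
	shift, add := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}, [3]uint32{0, 0x5a827999, 0x6ed9eba1}
	for ; len(m) > 0; m = m[64:] {
		a, b, c, d := s[0], s[1], s[2], s[3]
		for i := 0; i < 48; i++ {
			r, j := i/16, i%16 // round and step within the round
			f := [3]uint32{b&c | ^b&d, b&c | b&d | c&d, b ^ c ^ d}[r]
			k := [3]int{j, j%4*4 + j/4, int(bits.Reverse8(uint8(j)) >> 4)}[r] // message word order per round
			x := binary.LittleEndian.Uint32(m[4*k:])
			a, b, c, d = d, bits.RotateLeft32(a+f+x+add[r], shift[r][j%4]), b, c
		}
		s = [4]uint32{s[0] + a, s[1] + b, s[2] + c, s[3] + d}
	}
	out := make([]byte, 16)
	for i, v := range s {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}
func utf16le(s string) (b []byte) { // UTF-16LE, the encoding NTLM hashes strings in
	for _, u := range utf16.Encode([]rune(s)) {
		b = append(b, byte(u), byte(u>>8))
	}
	return b
}
// ntowfv2 is the NTLMv2 one-way function: HMAC-MD5 keyed with the MD4 NT hash.
func ntowfv2(user, domain, password string) []byte {
	mac := hmac.New(md5.New, md4(utf16le(password)))
	mac.Write(utf16le(strings.ToUpper(user) + domain))
	return mac.Sum(nil)
}
func main() {
	fmt.Printf("NTOWFv2 = %x\n", ntowfv2("User", "Domain", "Password")) // constructed sample credentials
}
```

The HMAC-MD5 key is the MD4 digest of the password, so a client that speaks only NTLMv2 still has to compute MD4 to interoperate.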