Infrastructure / INFRA-368

Insecure private key and hashing algorithm for update-center.json signing

Description

      Hi Guys,

      I am not a Jenkins/plugin developer, but I did notice this and I think you should consider it:

      The update center certificate is using algorithms and key sizes that are nowadays generally considered insecure.

      RSA length is: 512
      Signature algorithm: RSAwithMD5

      The root certificate could use SHA256 instead:
      RSA length is: 2048
      Signature algorithm: RSAwithSHA1

      Combined with the insecure distribution channel (HTTP), this can lead to very severe security breaches on user sites: is there any better place to insert an implant than a build server?

      For convenience:

      Certificate:
          Data:
              Version: 1 (0x0)
              Serial Number: 3735928565 (0xdeadbef5)
          Signature Algorithm: md5WithRSAEncryption
              Issuer: C=US, ST=California, L=San Jose, O=Jenkins Project, CN=Kohsuke Kawaguchi/emailAddress=kk@kohsuke.org
              Validity
                  Not Before: Jan  4 22:04:01 2015 GMT
                  Not After : Jan  4 22:04:01 2016 GMT
              Subject: C=US, ST=California, O=Jenkins Project, CN=Community Update Center
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (512 bit)
                      Modulus:
                          00:bc:06:31:76:79:cc:c9:11:15:42:47:ec:32:61:
                          8d:5e:3d:a6:14:c8:2e:af:e8:e3:6a:f2:71:e5:68:
                          dc:e8:c7:e2:ab:5c:77:dc:fb:3b:aa:9a:e1:6a:49:
                          47:98:28:3b:db:45:de:df:41:36:f8:8f:f9:47:4d:
                          17:71:40:3e:0b
                      Exponent: 65537 (0x10001)
          Signature Algorithm: md5WithRSAEncryption
               97:a5:cc:23:ff:b1:50:46:55:ca:63:73:d4:ea:fa:61:92:6d:
               96:64:04:1b:87:7d:07:1b:ce:70:30:2c:cb:d4:09:0b:86:20:
               85:56:2d:76:ef:5a:32:d1:af:b3:7d:57:6c:35:f5:85:37:33:
               aa:77:55:b1:94:42:e2:4f:cf:12:91:e3:a1:37:b2:9c:b0:89:
               3f:2a:e2:95:18:0f:f9:49:0a:08:9d:89:5a:94:d6:09:1d:d0:
               92:92:4f:38:ac:c9:f8:51:bc:bb:6d:54:fa:d6:f4:a7:41:d9:
               e9:6f:73:5d:6b:11:47:64:6d:6b:57:c3:26:cf:f1:6a:da:98:
               de:f2:87:48:5f:98:34:6a:61:35:85:cc:1e:2f:84:9a:b6:bf:
               9c:91:4e:58:c4:ca:e7:a1:f2:24:62:31:8f:04:d1:c2:0c:ad:
               ff:0d:4a:12:89:27:aa:1b:6a:db:70:55:11:e5:de:17:fe:67:
               3e:08:76:38:0a:7e:70:c2:4b:e4:f0:e9:c8:97:5e:d9:69:89:
               19:22:72:99:53:c2:50:fc:75:a4:d5:1d:dc:22:66:8c:c2:69:
               30:12:33:08:2e:b7:7a:bf:6e:c5:87:c8:b7:16:31:ab:e1:48:
               60:ae:a8:a3:0b:3e:4f:1a:a3:e6:44:2d:07:69:c8:7f:f7:5d:
               d3:b1:78:77
      

Activity

Daniel Beck (danielbeck) added a comment:

            R. Tyler Croy Kohsuke Kawaguchi Didn't we fix this a while back due to a Java update? Or was that only the updates.j.o TLS?

Eli Young (elyscape) added a comment:

            This remains an issue. The certificate has been improved in that the signature algorithm is now RSAwithSHA256 and the key length is now 1024 bits. Unfortunately, the smallest key size that's generally recommended for RSA keys nowadays is 1300 bits, with most organizations recommending 2048 bits or more.

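Added example (not code from the issue or from the Jenkins project): a small policy check over `openssl x509 -noout -text` output that flags what the description reports (a 512-bit RSA key signed with md5WithRSAEncryption) and also the state Eli Young's comment describes (SHA-256 signature, 1024-bit key), which still fails a 2048-bit floor. The first input is the certificate dump from the description above; the other two dumps are constructed by a helper that renders a modulus the way openssl prints it. The thresholds (2048-bit minimum, MD5/SHA-1 rejected) are this example's assumptions following common guidance such as NIST SP 800-57 Part 1; the issue itself does not fix a policy. The key size is recomputed from the modulus bytes rather than trusted from the "(N bit)" label.

```python
import re

# Policy thresholds used by this example (assumptions, not values from the
# issue): a 2048-bit RSA floor and no MD5/SHA-1 family signatures.
MIN_RSA_BITS = 2048
WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}

# Certificate dump from the issue description (update center signing
# certificate), trimmed to the fields this check reads.
DESCRIPTION_DUMP = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3735928565 (0xdeadbef5)
    Signature Algorithm: md5WithRSAEncryption
        Subject: C=US, ST=California, O=Jenkins Project, CN=Community Update Center
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:bc:06:31:76:79:cc:c9:11:15:42:47:ec:32:61:
                    8d:5e:3d:a6:14:c8:2e:af:e8:e3:6a:f2:71:e5:68:
                    dc:e8:c7:e2:ab:5c:77:dc:fb:3b:aa:9a:e1:6a:49:
                    47:98:28:3b:db:45:de:df:41:36:f8:8f:f9:47:4d:
                    17:71:40:3e:0b
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
"""


def modulus_bits(text):
    """Bit length of the RSA modulus printed between 'Modulus:' and 'Exponent:',
    computed from the hex bytes instead of trusting the '(N bit)' label."""
    m = re.search(r"Modulus:(.*?)Exponent:", text, re.S)
    if not m:
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", m.group(1))
    return int(hexdigits, 16).bit_length() if hexdigits else None


def signature_digest(sig_alg):
    """Digest name inside strings like md5WithRSAEncryption or ecdsa-with-SHA256."""
    m = re.search(r"md2|md4|md5|sha1|sha224|sha256|sha384|sha512", sig_alg.lower())
    return m.group(0) if m else None


def audit_cert_text(text):
    """Return the parsed signature algorithm, RSA key size and a list of findings."""
    findings = []
    sigs = re.findall(r"Signature Algorithm:\s*(\S+)", text)
    sig = sigs[0] if sigs else None
    if sig is None:
        findings.append("no signature algorithm found")
    elif signature_digest(sig) in WEAK_DIGESTS:
        findings.append(f"weak signature digest {signature_digest(sig)} in {sig}")

    bits = None
    if "Public Key Algorithm: rsaEncryption" in text:   # key-size check is RSA-specific
        declared = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
        declared_bits = int(declared.group(1)) if declared else None
        actual_bits = modulus_bits(text)
        if declared_bits is not None and actual_bits is not None and declared_bits != actual_bits:
            findings.append(f"declared key size {declared_bits} does not match modulus ({actual_bits} bits)")
        bits = actual_bits if actual_bits is not None else declared_bits
        if bits is None:
            findings.append("no RSA key size found")
        elif bits < MIN_RSA_BITS:
            findings.append(f"RSA modulus is {bits} bits, below the {MIN_RSA_BITS}-bit floor")
    return {"signature_algorithm": sig, "rsa_bits": bits, "findings": findings}


def openssl_modulus_text(n):
    """Render an integer the way openssl prints a modulus: a leading 00 byte when
    the top bit is set, colon-separated hex bytes, 15 bytes per line."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    pairs = [f"{b:02x}" for b in raw]
    rows = [":".join(pairs[i:i + 15]) for i in range(0, len(pairs), 15)]
    return "\n".join(" " * 20 + row + (":" if i < len(rows) - 1 else "")
                     for i, row in enumerate(rows))


def make_dump(bits, sig_alg):
    """Constructed openssl-style dump of an RSA cert with a modulus of exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1   # not a real key; only its bit length matters here
    return (
        "Certificate:\n"
        "    Data:\n"
        f"    Signature Algorithm: {sig_alg}\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        f"                Public-Key: ({bits} bit)\n"
        "                Modulus:\n"
        f"{openssl_modulus_text(n)}\n"
        "                Exponent: 65537 (0x10001)\n"
        f"    Signature Algorithm: {sig_alg}\n"
    )


if __name__ == "__main__":
    for label, dump in [
        ("2015 update center cert (from the issue)", DESCRIPTION_DUMP),
        ("1024-bit / SHA-256 (state in the comments; constructed)", make_dump(1024, "sha256WithRSAEncryption")),
        ("2048-bit / SHA-256 (constructed)", make_dump(2048, "sha256WithRSAEncryption")),
    ]:
        print(label, "->", audit_cert_text(dump)["findings"] or ["OK"])
```

Against a live certificate the same check runs over `openssl x509 -in cert.pem -noout -text`; the modulus recomputation matters because the "(N bit)" label is just another line of text, while the modulus bytes are what an attacker would have to factor.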

People

Assignee: Unassigned
Reporter: Momcilo Majic (momcilo)