For Review: Security enhancements for nopCommerce 3.90

Posted: August 08, 2016 at 5:34 PM Quote #173083
Hello everyone,

There has been some talk in the past about improving hash and encryption methods used in nopCommerce.  Over the past few days, I have worked on a solution that will work with the next version of nop, 3.90.
You can see the commit here:
https://github.com/f1ana/nopCommerce/commit/85ee625f2059519e7a5e0251d9d7484af2d356a9

I made the focus of this on new installations of nop since there was a pretty hard dependency on everything using sha1/3des out of the gate.  More so, this would likely break plugins that have existing data encrypted or hashed, so too many unknowns in my opinion to backport this.

Here's a recap of the changes:
- Stronger default hashes
- Stronger default encryption key
- Select hash and encryption at install time
- Add more unit tests for hash and encryption
- NopDropdownListFor support on installation page (kind of)

The reasons why I made these changes:
SHA1 is on the way out and we should be using some form of SHA2, either 256 or 512.
Unless I'm mistaken, 3DES is only used in 112-bit mode with nop since the key size reports itself to be 128 bits.
There was a hard dependency in the system for 3DES.  The encryption service now mostly works seamlessly with any algorithm that inherits from the SymmetricAlgorithm class.
The default encryption key size is a 16-digit sequence which I feel makes it vulnerable to brute force attacks.  The new encryption key is a 32-character alphanumeric sequence.
Salts are now 16 bytes instead of 5.

If anyone finds value in this or thinks improvements should be made, please let me know.  If it is all good, I can put together a merge request on GitHub.
This post/answer is useful
6
- c
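To make the points in the post concrete (selectable hash with a 16-byte salt, an encryption routine that accepts any SymmetricAlgorithm instead of hard-coding 3DES, and the reported key sizes of a 16-byte versus a 32-byte key), here is an added C# example. It is not code from nopCommerce or from the linked commit: the class and method names are invented for illustration, the key strings are constructed sample values, and prepending a random IV to each ciphertext is this example's own choice, not necessarily how the nopCommerce EncryptionService handles IVs.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not nopCommerce code. Names below are hypothetical.
public static class CryptoExample
{
    // Random salt of the size the post proposes (16 bytes; nop previously used 5).
    public static byte[] NewSalt(int size = 16)
    {
        var salt = new byte[size];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return salt;
    }

    // Hash password || salt with an algorithm chosen by name ("SHA256", "SHA512", legacy "SHA1"),
    // mirroring the idea of selecting the hash at install time.
    public static string HashPassword(string password, byte[] salt, string algorithmName)
    {
        using (var hash = HashAlgorithm.Create(algorithmName)) // returns null for an unknown name
        {
            if (hash == null)
                throw new ArgumentException("Unknown hash algorithm: " + algorithmName);
            var data = Encoding.UTF8.GetBytes(password);
            var input = new byte[data.Length + salt.Length];
            Buffer.BlockCopy(data, 0, input, 0, data.Length);
            Buffer.BlockCopy(salt, 0, input, data.Length, salt.Length);
            return BitConverter.ToString(hash.ComputeHash(input)).Replace("-", "");
        }
    }

    // Encrypt with whatever SymmetricAlgorithm the factory supplies (AES, 3DES, ...).
    // A fresh random IV is generated per message and written in front of the ciphertext.
    public static byte[] Encrypt(byte[] plaintext, byte[] key, Func<SymmetricAlgorithm> factory)
    {
        using (var alg = factory())
        {
            alg.Key = key;      // throws CryptographicException if the size is not valid for this algorithm
            alg.GenerateIV();
            using (var ms = new MemoryStream())
            {
                ms.Write(alg.IV, 0, alg.IV.Length);
                using (var enc = alg.CreateEncryptor())
                using (var cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();
                }
                return ms.ToArray();
            }
        }
    }

    // Reverse of Encrypt: read the IV (one block) from the front, decrypt the rest.
    public static byte[] Decrypt(byte[] blob, byte[] key, Func<SymmetricAlgorithm> factory)
    {
        using (var alg = factory())
        {
            alg.Key = key;
            var ivSize = alg.BlockSize / 8;
            var iv = new byte[ivSize];
            Buffer.BlockCopy(blob, 0, iv, 0, ivSize);
            alg.IV = iv;
            using (var dec = alg.CreateDecryptor())
            using (var ms = new MemoryStream(blob, ivSize, blob.Length - ivSize))
            using (var cs = new CryptoStream(ms, dec, CryptoStreamMode.Read))
            using (var output = new MemoryStream())
            {
                cs.CopyTo(output);
                return output.ToArray();
            }
        }
    }

    public static void Main()
    {
        var salt = NewSalt();
        Console.WriteLine("SHA256: " + HashPassword("correct horse", salt, "SHA256"));

        // Constructed sample keys: 16 ASCII chars (128-bit 3DES key) vs 32 ASCII chars (256-bit AES key).
        // Note that an alphanumeric string carries fewer bits of entropy than its byte length;
        // a key drawn from RandomNumberGenerator would use the full 256 bits.
        var legacyKey = Encoding.ASCII.GetBytes("0123456789ABCDEF");
        var newKey = Encoding.ASCII.GetBytes("constructed-32-char-example-key!");

        var message = Encoding.UTF8.GetBytes("constructed sample plaintext");
        var aesBlob = Encrypt(message, newKey, () => Aes.Create());
        var back = Decrypt(aesBlob, newKey, () => Aes.Create());
        Console.WriteLine("AES round trip: " + Encoding.UTF8.GetString(back));

        // What the algorithms report: a 16-byte 3DES key shows KeySize 128 (two-key 3DES,
        // ~112 bits effective strength); a 32-byte AES key shows KeySize 256.
        using (var tdes = TripleDES.Create()) { tdes.Key = legacyKey; Console.WriteLine("3DES KeySize: " + tdes.KeySize); }
        using (var aes = Aes.Create()) { aes.Key = newKey; Console.WriteLine("AES KeySize: " + aes.KeySize); }
    }
}
```

Because Encrypt takes a factory delegate, swapping 3DES for AES (or any other SymmetricAlgorithm subclass) changes nothing in the call site except the factory, which is the decoupling the post describes; the IV handling and key-entropy remark are this example's own additions.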
Posted: August 08, 2016 at 11:47 PM Quote #173101
Thanks a lot for this contribution! This work item (very similar) already exists. I've just updated it and included your suggestions.

Could you please make a pull request?
This post/answer is useful
0
Interested in the dedicated Premium support services provided by core developers? Please visit http://www.nopcommerce.com/supportservices.aspx

Regards,
Andrei Mazulnitsyn
Posted: August 09, 2016 at 9:06 PM Quote #173173
Hello Andrei,

I have created a pull request, located here:  https://github.com/nopSolutions/nopCommerce/pull/1664
If anything else should be done with this feature set, please let me know.
This post/answer is useful
0
- c