For Review: Security enhancements for nopCommerce 3.90

3 years ago
Hello everyone,

There has been some talk in the past about improving hash and encryption methods used in nopCommerce.  Over the past few days, I have worked on a solution that will work with the next version of nop, 3.90.
You can see the commit here:

I made the focus of this on new installations of nop since there was a pretty hard dependency on everything using sha1/3des out of the gate.  More so, this would likely break plugins that have existing data encrypted or hashed, so too many unknowns in my opinion to backport this.

Here's a recap of the changes:
- Stronger default hashes
- Stronger default encryption key
- Select hash and encryption at install time
- Add more unit tests for hash and encryption
- NopDropdownListFor support on installation page (kind of)

The reasons why I made these changes:
- SHA1 is on the way out and we should be using some form of SHA2, either 256 or 512.
- Unless I'm mistaken, 3DES is only used in 112-bit mode with nop since the key size reports itself to be 128 bits.
- There was a hard dependency in the system for 3DES.  The encryption service now mostly works seamlessly with any algorithm that inherits from the SymmetricAlgorithm class.
- The default encryption key size is a 16-digit sequence which I feel makes it vulnerable to brute force attacks.  The new encryption key is a 32-character alphanumeric sequence.
- Salts are now 16 bytes instead of 5.

If anyone finds value in this or thinks improvements should be made, please let me know.  If it is all good, I can put together a merge request on GitHub.
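
The approach described in the post above, as an added example that is not part of the original post and is not nopCommerce's code: an encryption helper that accepts any `SymmetricAlgorithm` subclass, keyed from a randomly generated 32-character alphanumeric string. The class and method names, the IV-prefixed ciphertext layout and the use of the key string's ASCII bytes as key material are assumptions made for this example.

```csharp
// Added illustration, not nopCommerce code; all names below are hypothetical.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class CryptoExample
{
    const string Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    public static string NewKey(int length)
    {
        var sb = new StringBuilder(length);
        using (var rng = RandomNumberGenerator.Create())
            for (var b = new byte[1]; sb.Length < length; )
            {
                rng.GetBytes(b);
                if (b[0] < 248) sb.Append(Alphabet[b[0] % 62]); // reject 248..255: no modulo bias
            }
        return sb.ToString();
    }

    // Works with any SymmetricAlgorithm subclass. Assumed output layout: IV followed by ciphertext.
    public static byte[] Encrypt(SymmetricAlgorithm alg, byte[] key, string text)
    {
        alg.Key = key;     // throws CryptographicException if the size is not legal for alg
        alg.GenerateIV();  // fresh IV per message, sized to the algorithm's block
        var data = Encoding.UTF8.GetBytes(text);
        using (var enc = alg.CreateEncryptor())
            return alg.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray();
    }

    public static string Decrypt(SymmetricAlgorithm alg, byte[] key, byte[] blob)
    {
        int n = alg.BlockSize / 8;  // IV length equals the block size
        alg.Key = key;
        alg.IV = blob.Take(n).ToArray();
        using (var dec = alg.CreateDecryptor())
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, n, blob.Length - n));
    }

    static void Main()
    {
        var key = Encoding.ASCII.GetBytes(NewKey(32)); // 32 ASCII chars used as a 256-bit key
        using (var aes = Aes.Create())
            Console.WriteLine(Decrypt(aes, key, Encrypt(aes, key, "constructed sample")));
        var k16 = key.Take(16).ToArray();              // two-key 3DES takes 16 key bytes
        using (var tdes = TripleDES.Create())
            Console.WriteLine(Decrypt(tdes, k16, Encrypt(tdes, k16, "constructed sample")));
    }
}
```

A 16-digit key carries about 53 bits of entropy and a 32-character alphanumeric key about 190. The default CBC mode used here provides no integrity check, so a MAC or an AEAD mode is needed where tampering matters.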
3 years ago
Thanks a lot for this contribution! This work item (very similar) already exists. I've just updated it and included your suggestions.

Could you please make a pull request?
3 years ago
Hello Andrei,

I have created a pull request, located here:
If anything else should be done with this feature set, please let me know.