Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Firebase uses insecure CC_SHA1 hash algorithm #4326

Closed
ssavchenko opened this issue Nov 15, 2019 · 2 comments
Closed

Firebase uses insecure CC_SHA1 hash algorithm #4326

ssavchenko opened this issue Nov 15, 2019 · 2 comments
Assignees
@charlotteliang
Labels
api: instanceid

Comments

@ssavchenko
Copy link

[READ] Step 1: Are you in the right place?

Yes

[REQUIRED] Step 2: Describe your environment

  • Xcode version: 11.2.1
  • Firebase SDK version: 6.13.0
  • Firebase Component: FirebaseInstanceID
  • Component version: 6.13.0

[REQUIRED] Step 3: Describe the problem

Method

NSData *FIRInstanceIDSHA1(NSData *data)

in FIRInstanceIDKeyPairUtilities.m

uses insecure CC_SHA1 hashing algorithm, while Apple officially considers this algorithm insecure. They state in iOS 13 CryptoKit documentation:

"This hash algorithm isn't considered cryptographically secure, but is provided for backward compatibility with older services that require it. For new services, prefer one of the secure hashes, like SHA512."
@google-oss-bot

This comment has been minimized.

Sign in to view
@charlotteliang charlotteliang self-assigned this Nov 15, 2019
@charlotteliang
Copy link
Contributor

Thank you for bringing to our attention. FIRInstanceIDSHA1 is NOT used for cryptographic purpose for any encryption or decryption. We use this hash method on a public key string to generate a random unique string for instanceID. Firebase does not use this hash method or this public/private key string for any encryption or decryption of our secret data.

We will kick out PR soon to clarify the naming of our method to avoid more confusions. Thanks!
@charlotteliang charlotteliang mentioned this issue Dec 9, 2019
Merged
@firebase firebase locked and limited conversation to collaborators Jan 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
api: instanceid
4 participants
@paulb777 @ssavchenko @google-oss-bot @charlotteliang