Threat Model for the UCP Component of Radius #73
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ytimocin
force-pushed
the
ytimocin/tms/ucp
branch
9 times, most recently
from
77392cc to
e205a1e
Compare
rynowak
reviewed
Nov 5, 2024
rynowak
reviewed
Nov 5, 2024
nithyatsu
reviewed
Nov 5, 2024
rynowak
reviewed
Nov 5, 2024
lakshmimsft
reviewed
Nov 5, 2024
rynowak
reviewed
Nov 5, 2024
nithyatsu
reviewed
Nov 5, 2024
rynowak
reviewed
Nov 5, 2024
rynowak
reviewed
Nov 5, 2024
nithyatsu
reviewed
Nov 5, 2024
rynowak
reviewed
Nov 5, 2024
nithyatsu
reviewed
Nov 5, 2024
ytimocin
force-pushed
the
ytimocin/tms/ucp
branch
2 times, most recently
from
d8aa313 to
61f464f
Compare
ytimocin
requested review from
lakshmimsft,
brooke-hamilton,
nithyatsu and
rynowak
ytimocin
force-pushed
the
ytimocin/tms/ucp
branch
from
61f464f to
d452384
Compare
brooke-hamilton
approved these changes
Nov 20, 2024
rynowak
reviewed
Nov 21, 2024
rynowak
reviewed
Nov 21, 2024
rynowak
reviewed
Nov 21, 2024
ytimocin
force-pushed
the
ytimocin/tms/ucp
branch
8 times, most recently
from
4bc32b1 to
50d60b1
Compare
rynowak
reviewed
Nov 26, 2024
ytimocin
force-pushed
the
ytimocin/tms/ucp
branch
2 times, most recently
from
5478b11 to
1df91f9
Compare
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
ytimocin
force-pushed
the
ytimocin/tms/ucp
branch
2 times, most recently
from
7482de9 to
497f438
Compare
rynowak
reviewed
Dec 9, 2024
|
|
||
| #### Threat: A Malicious Actor Could Exploit SHA-1 Weaknesses to Generate Hash Collisions | ||
|
|
||
| **Description:** A malicious actor could exploit the known vulnerabilities of the SHA-1 hashing algorithm to generate hash collisions. The UCP currently uses SHA-1 for hashing resource IDs and generating ETags. Although SHA-1 is not used in security-sensitive contexts, its vulnerabilities could still be exploited to create hash collisions, potentially leading to data integrity issues. |
There was a problem hiding this comment.
I don't understand why this is a security threat. It's too vague.
There was a problem hiding this comment.
Please be more specific. A malicious user could do X to achieve Y. Y should be grounded in one of these: https://en.wikipedia.org/wiki/STRIDE_model
rynowak
reviewed
Dec 9, 2024
rynowak
reviewed
Dec 9, 2024
Signed-off-by: ytimocin <[email protected]>
ytimocin
force-pushed
the
ytimocin/tms/ucp
branch
from
497f438 to
d139693
Compare
rynowak
approved these changes
Dec 13, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Threat Model for the UCP Component of Radius