

Sophos XG OTP - Why weak SHA-1 and low encryption length?

XG550 (SFOS 19.0.2 MR-2-Build472)

This is specifically directed at Sophos:

Hello SOPHOS,

I tried to import a Sophos XG-created TOTP token into Sophos UTM, which is handling the reverse proxy functionality with reverse authentication including TOTP (because Sophos XG is not able to do TOTP with reverse auth o.O).

I tried to import the token, but UTM is saying:

Why is there no option to change the hash algorithm in XG?
Why are the created TOTP tokens that "weak"?

I am tired of making comparisons to UTM, but why does UTM support SHA1, SHA256 and even SHA512 algorithms for OTP, while the NEWER, BETTER, MORE SECURE, not-discontinued product SOPHOS XG cannot even handle this basic thing????

Please give me an explanation...

Kind regards,
Nafets



  • Hello,

    Thank you for reaching out to the community. This feature request has already been raised to enable support for SHA256 and SHA512 for MFA/TOTP, which is on the future roadmap of the product - SFSW-I-1003/SFSW-I-1234.

    Thanks & Regards,
    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

  • Could you explain to me why SHA-1 is weak for OTP?

  • Obviously you didn't understand how MFA works, otherwise you would know that it doesn't matter which hash function you use to generate your MFA.
    But feel free to use SHA 256/512, it's more secure for MFA and there are even more OTP apps that will support it.

  • Every auditor asks why SHA1 (not collision free) is used while SHA2 is available.
    The buzzword is "Stand der Technik" (state of the art).
    Even if the BSI says that SHA1 is acceptable for OTP,
    we have to explain that every time.

    But after Sophos showed with the SG and the Sophos Authenticator that SHA2 works, and SHA2 hardware tokens are available, it would be good to have that in the XG as well.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
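To make the technical point in the replies above concrete (the hash only changes the HMAC, the truncation and the 6 or 8 digit output are the same, and both the token and the server must agree on the algorithm declared in the otpauth URI), here is an added example, not code from the thread or from Sophos. It implements RFC 6238 TOTP with a selectable HMAC hash, parses the Key URI format that authenticator apps and appliances exchange, and checks itself against the published RFC 6238 Appendix B test vectors. The `Example:user` label and the URIs are constructed for this example; the RFC secrets are the ones in the RFC.

```python
"""TOTP (RFC 6238) with a selectable HMAC hash, plus an otpauth:// URI parser.

Added example, not part of the original forum post. The test vectors at the
bottom are the RFC 6238 Appendix B vectors; the URIs wrapping them are
constructed here for illustration.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Algorithms named in the Key URI format; importers that only know SHA1 will
# reject or silently mis-handle tokens that declare SHA256/SHA512.
SUPPORTED_ALGORITHMS = {
    "SHA1": hashlib.sha1,
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
}


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<label>?secret=...&algorithm=...&digits=...&period=..."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    algorithm = params.get("algorithm", "SHA1").upper()   # SHA1 is the format's default
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    secret = params["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)                    # exporters usually strip padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret),
        "algorithm": algorithm,
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP. Only the MAC changes with the hash; dynamic truncation is identical."""
    mac = hmac.new(secret, struct.pack(">Q", counter), SUPPORTED_ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, unix_time // period, algorithm, digits)


def totp_from_uri(uri: str, unix_time: int) -> str:
    """Compute the code exactly as an importer honouring the URI's parameters would."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["algorithm"], p["digits"], p["period"])


def verify(secret: bytes, code: str, unix_time: int, algorithm: str = "SHA1",
           digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """Server-side check: constant-time compare against the current step and +/- window steps."""
    step = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, step + d, algorithm, digits), code)
        for d in range(-window, window + 1)
    )


# RFC 6238 Appendix B secrets (ASCII seeds, one per hash). The labels below are made up.
RFC_SECRETS = {
    "SHA1": b"12345678901234567890",
    "SHA256": b"12345678901234567890123456789012",
    "SHA512": b"1234567890123456789012345678901234567890123456789012345678901234",
}


def rfc_uri(algorithm: str, declare_algorithm: bool = True) -> str:
    """Wrap an RFC seed in a constructed otpauth URI, optionally omitting the algorithm field."""
    b32 = base64.b32encode(RFC_SECRETS[algorithm]).decode().rstrip("=")
    uri = f"otpauth://totp/Example:user?secret={b32}&digits=8&period=30"
    return uri + f"&algorithm={algorithm}" if declare_algorithm else uri


if __name__ == "__main__":
    for alg in SUPPORTED_ALGORITHMS:
        print(alg, totp_from_uri(rfc_uri(alg), 59))
    # Same seed, different hash: the codes differ, so token and server must agree on the algorithm.
    print({alg: totp(RFC_SECRETS["SHA1"], 1111111109, alg, 8) for alg in SUPPORTED_ALGORITHMS})
```

The last line is the practical lesson for the import problem discussed here: a seed exported with one algorithm cannot be "upgraded" by choosing a stronger hash on the importing side, because the verifier would then compute different codes; algorithm, digits and period must be carried along with the secret.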

  • I definitely understand how MFA works. I wanted to figure out here why the "newer and better" Sophos XG is using shorter and "weaker" algorithms than were implemented in the UTM before, and why it is not possible to use Sophos-created things in other Sophos products due to a lack of length or something else.

    I didn't want to say that SHA-1 for OTP is "WEAK" in the sense of BAD.
    If you compare this XG-created OTP with the OTP you can get and even import in UTM, it is definitely weaker!

    And as Dirk said, there are always a few questions from auditors about this.

    And to be fair, in the end I don't have the feeling that anything requested as a feature request will be implemented anyway. Everything is always planned for a future release. In combination with deleting ideas.sophos.com, this does not give customers a good feeling.