Sophos XG OTP - Why weak SHA-1 and low encryption length?

XG550 (SFOS 19.0.2 MR-2-Build472)

This is specifically directed at Sophos:

Hello SOPHOS,

I tried to import a Sophos XG-created TOTP into Sophos UTM, which is handling the reverse proxy functionality with reverse auth including TOTP (because Sophos XG is not able to do TOTP with reverse auth o.O).

I tried to import the token, but UTM is saying:

Why is there no option to change the hash algorithm in XG?
Why are the created TOTP tokens that "weak"?

I am tired of making comparisons to UTM, but why does UTM support SHA1, SHA256 and even SHA512 algorithms for OTP, while the NEWER, BETTER, MORE SECURE, undiscontinued product SOPHOS XG cannot even handle this basic thing????

Please give me an explanation...

Kind regards,
Nafets
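The point at issue in this thread, the hash algorithm and the secret length of a TOTP token, is simply a set of parameters in RFC 6238 and in the otpauth:// Key Uri Format that enrollment QR codes carry. The following Python is an added example, not code from the original post or from Sophos, showing an RFC 6238 TOTP implementation that takes algorithm, digits and period from the token's otpauth:// URI, checked against the RFC's own SHA-1, SHA-256 and SHA-512 test vectors. `EXAMPLE_URI` is constructed here for illustration and is not a real XG or UTM export; the `verify()` function is a hypothetical importer-side check that shows the behaviour a product needs if it is to accept a token generated elsewhere: it must honour the `algorithm` parameter of the URI rather than assume SHA-1.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions an otpauth:// URI may name in its "algorithm" parameter.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/LABEL?secret=...&algorithm=... URI (Key Uri Format)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # QR exports usually strip base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "algorithm": q.get("algorithm", "SHA1").upper(),  # SHA1 is the format's default
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(key: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP with the hash made a parameter, as RFC 6238 section 1.2 allows."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, algorithm: str = "SHA1", digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time step floor(at / period)."""
    return hotp(key, at // period, algorithm, digits)


def verify(uri: str, code: str, at: int, window: int = 1) -> bool:
    """Hypothetical importer-side check: verify `code` using the URI's own
    algorithm, digits and period, accepting +-window time steps of skew."""
    p = parse_otpauth(uri)
    step = at // p["period"]
    return any(
        hmac.compare_digest(hotp(p["key"], step + d, p["algorithm"], p["digits"]), code)
        for d in range(-window, window + 1)
    )


# RFC 6238 Appendix B reference secrets: 20, 32 and 64 bytes for SHA1/SHA256/SHA512.
RFC_SECRETS = {
    "SHA1": b"12345678901234567890",
    "SHA256": b"12345678901234567890123456789012",
    "SHA512": b"1234567890123456789012345678901234567890123456789012345678901234",
}

# Constructed URI in the shape an enrollment QR code carries (not a real Sophos export);
# it wraps the RFC SHA1 secret so the codes below can be checked against the RFC table.
EXAMPLE_URI = (
    "otpauth://totp/Example:user%40example.test?secret="
    + base64.b32encode(RFC_SECRETS["SHA1"]).decode()
    + "&issuer=Example&algorithm=SHA1&digits=6&period=30"
)

if __name__ == "__main__":
    # Reproduce the RFC 6238 Appendix B rows for T=59 and T=1111111109 (8-digit codes).
    for alg, secret in RFC_SECRETS.items():
        print(alg, totp(secret, 59, alg, digits=8), totp(secret, 1111111109, alg, digits=8))
    now = int(time.time())
    print(verify(EXAMPLE_URI, totp(RFC_SECRETS["SHA1"], now), now))
```

The same key run through `totp()` with `"SHA1"` and with `"SHA256"` produces different HMACs and therefore different codes, so an importing product that silently fixes the hash at SHA-1 will reject every code from a token exported with `algorithm=SHA256`, and one that only accepts a particular secret length will refuse a shorter or longer key outright; that is the class of mismatch that surfaces as an import error when moving a token between products.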


This thread was automatically locked due to age.
  • Obviously you didn't understand how MFA works; otherwise you would know that it doesn't matter which hash function you use to generate your MFA.
    But feel free to use SHA 256/512; it's more secure for MFA and there are even more OTP apps that will support it.

  • I definitely understand how MFA works. I wanted to figure out here why the "newer and better" Sophos XG is using shorter and "weaker" algorithms than were implemented in the UTM before, and why it is not possible to use Sophos-created things in other Sophos products due to a lack of length or something else.

    I didn't want to say that SHA-1 for OTP is "WEAK" in the sense of BAD.
    If you compare this XG-created OTP with the OTP you can get and even import in UTM, it is definitely weaker!

    And as Dirk said, there are always a few questions from auditors about this thing.

    And to be fair, at the end I don't have the feeling that anything requested as a feature request will be implemented anyway. Everything is always planned for a future release. In combination with deleting ideas.sophos.com, this does not give customers a good feeling.
