Increase hashing capabilities from SHA1(vulnerable) to SHA256 or higher #1041

Open
anthonykapiti opened this issue Apr 14, 2022 · 2 comments
@anthonykapiti

Is your feature request related to a problem? Please describe.

It has been made clear by the industry at IBM that SHA1 is suspect in its partial security weaknesses and causes applications that use the Box SDK to fail app scan testing, as the Box SDK is not secure enough and needs safer hashes.

Describe the solution you'd like

Box needs to add SHA256 and SHA512 compatibility so the SDK can be classified as safe and not cause vulnerabilities for companies such as IBM that use the SDK.

Describe alternatives you've considered

No clear alternative yet, as my entire application works on the Box SDK.

Additional context

This is a high-priority item and should be remedied as soon as possible to make the Box SDK secure again.

@anthonykapiti anthonykapiti added the enhancement Added to issues that describes enhancements label Apr 14, 2022
@arjankowski
Contributor

Hi @anthonykapiti,

Thanks for submitting this issue! We will take a look and get back to you ASAP!

@arjankowski
Contributor

Hi @anthonykapiti

Thanks again for submitting this issue.

In our SDK we are not using SHA1 for any cryptography, but just for calculating a digest of some data, such as a file. This SHA1 digest should be treated as ordinary data, which can be used to compare the contents of a file on Box with a local file.

As you can see in this link, SHA1 is a digest which is used globally by the Box platform.
So if it is still very important to you to change SHA1 in Box APIs, you should post your request at https://support.box.com/, as this is not an SDK-specific issue. Then the right people will answer you and direct your request to the right place.
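
The distinction drawn in the reply above, as an added example that is not part of the thread or of the Box SDK: SHA-1 is computed only as a checksum to compare a local file with the digest the service reports, while a SHA-256 recorded from a trusted copy backs any integrity decision. The function names, the `remote_sha1` and `pinned_sha256` inputs and the sample data are assumptions made for illustration; no Box API is called.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large files are never loaded whole


def file_digests(path):
    """Return (sha1_hex, sha256_hex) for a file, computed in one pass."""
    # usedforsecurity=False (Python 3.9+) declares SHA-1 a plain checksum here.
    sha1 = hashlib.sha1(usedforsecurity=False)
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def check_local_copy(path, remote_sha1, pinned_sha256=None):
    """Compare a local file with the digests known for it.

    remote_sha1   -- hex SHA-1 reported by the storage service (assumed input)
    pinned_sha256 -- optional hex SHA-256 recorded earlier from a trusted copy
    """
    sha1_hex, sha256_hex = file_digests(path)
    result = {
        # Detects transfer errors and stale copies; not a tamper-proof check.
        "matches_remote": sha1_hex == remote_sha1.strip().lower(),
        "sha256": sha256_hex,
        "matches_pinned": None,  # stays None when nothing was pinned
    }
    if pinned_sha256 is not None:
        result["matches_pinned"] = sha256_hex == pinned_sha256.strip().lower()
    return result


def demo():
    """Run the check on a constructed file, then again after modifying it."""
    data = b"constructed sample content\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        remote = hashlib.sha1(data, usedforsecurity=False).hexdigest()
        pinned = hashlib.sha256(data).hexdigest()
        intact = check_local_copy(tmp.name, remote.upper(), pinned)
        with open(tmp.name, "ab") as fh:
            fh.write(b"x")  # simulate a changed local copy
        return intact, check_local_copy(tmp.name, remote, pinned)
    finally:
        os.unlink(tmp.name)
```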
