After change keys, tyk Failed to verify value correctly

Dear all,
I have found a bug for tyk verify key in my test case.
I create one api(TestOauth-key1) of the Authentication mode is “Auth Token”, then create a api key add the my api(TestOauth-key1) to Access right. generat the key value is:5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711

case 1: use the correct key to request API data,
curl -X GET -H ‘Authorization: 5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711’ -i ’
Response successful, 200.

case 2: change the key value add 3 digits at the end, the value as:5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711389
then request the API(testoauth-key1) data as:

[root@localhost ~]# curl -X GET -H ‘Authorization: 5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711389’ -i ‘
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Length: 342
Content-Type: application/json
Date: Fri, 07 Dec 2018 04:29:17 GMT
Server: gunicorn/19.9.0
Via: 1.1 vegur
X-Ratelimit-Limit: -1
X-Ratelimit-Remaining: -1
X-Ratelimit-Reset: 1544156500

“args”: {},
“headers”: {
“Accept”: “/”,
“Accept-Encoding”: “gzip”,
“Authorization”: “5b6a9a6ae138230df675f3c00cf3d74a183c40e48a7ecd403fd74711389”,
“Connection”: “close”,
“Host”: “”,
“User-Agent”: “curl/7.29.0”
“origin”: “,”,
“url”: “

This is a bug of verify key value when request API data. I want to know which mechanism you use to verify the key ?This mechanism is currently vulnerable and is not safe for our API data.


You can configure which hashing algorithm you use for the keys in Tyk Tyk Gateway v2.7 we reccomend at least murmur64

There is unfortunately a vulnerability in the underlying murmur32 library for that hashing algorithm and it is being phased out.


Thank you of you reply. I use tyk gateway is v2.7. when set the “hash_keys” to false in the tyk.conf file, then can verify key correct.