SHA1 cracked .... What are the chances this will be addressed in LC?

Peter TB Brett peter.brett at
Mon Feb 27 05:49:15 EST 2017

On 24/02/2017 18:47, axwald via use-livecode wrote:
> few days ago I read about PHP incorporating a modern crypto lib now:
> Not a specialist regarding this, but wouldn't it be possible to interface
> such?
> @Lagi: The first customer already called to ask if I'd use "this security
> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
> plausibly :)
> Even if I agree with you about the real risk, it would be very bad idea not
> to update any commercial software now. It might even have juristic
> consequences, knowingly using broken crypto?

If you're using SHA-1 to implement an HMAC, you should already be using 
the recommended formulation:

     hmac := hash(key | hash(key | message))

Or, in LiveCode:

     function HmacSha1(pKey, pData)
         return sha1digest(pKey & sha1digest(pKey & pData))
     end HmacSha1

If you are doing this, then the current attack on SHA-1 does not affect 
the security of your system at all [1].


[1] I am not a cryptographer but this is my understanding of the situation.

Dr Peter Brett <peter.brett at>
LiveCode Technical Project Manager

lcb-mode for Emacs:

More information about the use-livecode mailing list