SHA1 cracked .... What are the chances this will be addressed in LC?

axwald axwald at
Thu Mar 2 05:20:30 EST 2017


Dr Peter Brett wrote
> On 24/02/2017 18:47, axwald via use-livecode wrote:
> [...]
>> Not a specialist regarding this, but wouldn't it be possible to interface
>> such?
>> @Lagi: The first customer already called to ask if I'd use "this security
>> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
>> [...]
> If you're using SHA-1 to implement an HMAC, you should already be using 
> the recommended formulation:
>      hmac := hash(key | hash(key | message)) [...]

What I meant mentioning the "LibHash-Hmac" lib is that it contains a
"sha256digest" function already that is, to my understanding at least, a
SHA2 implementation. And that it's not only about the real danger of having
one's hash cracked, it's more about the publicity this crack received, and
the nosy questions that are coming in now from customers that read about it
in the news. And, for sure, will never understand any detailed explanation.

The other thing, about libsodium, was the idea not to roll our own crypto
code, but instead to interface a commonly used, audited, verified & accepted
open source crypto library. And just provide the wrapper as a plugin.
No idea if such would be possible - this is beyond my knowledge. But for
real security-sensitive coding there's no way but to use audited code
anyways. It would be a great benefit to have such available in LiveCode.

Another benefit would be that such a wrapper plugin could be made available
not only for the most bleeding edge versions of LC - so that commercial
coders that are forced to use more settled versions for speed, productivity
& reliability are not left out in the dark & cold, again.

Have fun!

• Livecode programming until the cat hits the fan •
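
Added example, not part of any message in this thread and not code from LibHash-Hmac or LiveCode: the nested keyed-hash construction quoted above, written out as RFC 2104 defines it (with the inner and outer key pads) and checked against Python's standard `hmac` module for both SHA-1 and SHA-256. The function names and sample inputs are hypothetical; Python stands in for LiveCode here.

```python
import hashlib
import hmac


def hmac_digest(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1 and SHA-256
    # Keys longer than one hash block are hashed first, then zero-padded.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes,
               hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_digest(key, message, hash_name), tag)


# Constructed sample inputs (not taken from the thread).
SAMPLE_KEY = b"constructed-sample-key"
SAMPLE_MSG = b"constructed sample message"

if __name__ == "__main__":
    for name in ("sha1", "sha256"):
        tag = hmac_digest(SAMPLE_KEY, SAMPLE_MSG, name)
        # The hand-written construction must match the standard library.
        assert tag == hmac.new(SAMPLE_KEY, SAMPLE_MSG, name).digest()
        print(f"HMAC-{name}: {tag.hex()}")
    # A tag computed over a different message must not verify.
    good = hmac_digest(SAMPLE_KEY, SAMPLE_MSG)
    print("valid tag accepted:", verify_tag(SAMPLE_KEY, SAMPLE_MSG, good))
    print("altered message rejected:",
          not verify_tag(SAMPLE_KEY, SAMPLE_MSG + b"!", good))
```

In production code the library call (`hmac.new` here, or a binding to an audited library such as libsodium) is the one to ship; the hand-written function only shows what that call computes.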