SHA1 cracked .... What are the chances this will be addressed in LC?

Lagi Pittas iphonelagi at gmail.com
Thu Mar 2 05:35:34 EST 2017


Excellent points, Axwald, especially the last paragraph.

Happy Happy Happy Fun Fun Fun!! ;-)

On 2 March 2017 at 10:20, axwald via use-livecode <use-livecode at lists.runrev.com> wrote:

> Hi,
>
>
> Dr Peter Brett wrote
> > On 24/02/2017 18:47, axwald via use-livecode wrote:
> > [...]
> >> Not a specialist regarding this, but wouldn't it be possible to interface
> >> such?
> >>> https://github.com/jedisct1/libsodium
> >>
> >> @Lagi: The first customer already called to ask if I'd use "this security
> >> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
> >> [...]
> >
> > If you're using SHA-1 to implement an HMAC, you should already be using
> > the recommended formulation:
> >
> >      hmac := hash(key | hash(key | message)) [...]
>
> What I meant mentioning the "LibHash-Hmac" lib is that it contains a
> "sha256digest" function already that is, to my understanding at least, a
> SHA2 implementation. And that it's not only about the real danger of having
> one's hash cracked, it's more about the publicity this crack received, and
> the nosy questions that are coming in now from customers that read about it
> in the news. And, for sure, will never understand any detailed explanation.
>
> The other thing, about libsodium, was the idea not to roll our own crypto
> code, but instead to interface a commonly used, audited, verified & accepted
> open source crypto library. And just provide the wrapper as a plugin.
> No idea if such would be possible - this is beyond my knowledge. But for
> real security sensitive coding there's no way but to use audited code
> anyways. It would be a great benefit to have such available in LiveCode,
> IMHO.
>
> Another benefit would be that such a wrapper plugin could be made available
> not only for the most bleeding edge versions of LC - so that commercial
> coders that are forced to use more settled versions for speed, productivity
> & reliability are not left out in the dark & cold, again.
>
> Have fun!
>
>
>
> -----
> • Livecode programming until the cat hits the fan •
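
The nested-hash HMAC formulation quoted in the thread, written out in full as RFC 2104 defines it (with the inner and outer key pads) and parameterised over the hash so that SHA-1 can be swapped for SHA-256. This is an added example in Python, not code from the thread, from LiveCode or from LibHash-Hmac; the function names are hypothetical and the sample key and message are constructed.

```python
import hashlib
import hmac as std_hmac


def hmac_digest(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1 and SHA-256
    # A key longer than one block is hashed first; a shorter key is zero-padded.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ 0x36 for b in key)  # ipad
    outer_key = bytes(b ^ 0x5C for b in key)  # opad
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time, never with ==."""
    return std_hmac.compare_digest(hmac_digest(key, message, hash_name), tag)


def cross_check(hash_name: str) -> bool:
    """Compare against the standard library for short, block-sized and long keys."""
    message = b"constructed sample message"
    for key_len in (1, 20, 64, 65, 200):
        key = bytes(range(256))[:key_len]
        if hmac_digest(key, message, hash_name) != std_hmac.new(key, message, hash_name).digest():
            return False
    return True


if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"order=42&amount=10"
    for name in ("sha1", "sha256"):
        tag = hmac_digest(key, msg, name)
        print(name, tag.hex(), "matches stdlib:", cross_check(name))
    # Switching the hash only changes the tag length (20 -> 32 bytes);
    # callers that store or transmit tags must allow for the longer value.
    print(verify_tag(key, msg, hmac_digest(key, msg)))          # True
    print(verify_tag(key, msg + b"0", hmac_digest(key, msg)))   # False
```

In production code the library's own HMAC routine (here `hmac.new`, or libsodium's authentication functions behind a wrapper) is what should be called; the hand-written version is only there to show the construction.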


