SHA1 cracked .... What are the chances this will be addressed in LC?
Peter TB Brett
peter.brett at livecode.com
Mon Feb 27 05:49:15 EST 2017
On 24/02/2017 18:47, axwald via use-livecode wrote:
> few days ago I read about PHP incorporating a modern crypto lib now:
>> https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library
>
> Not a specialist regarding this, but wouldn't it be possible to interface
> such?
>> https://github.com/jedisct1/libsodium
>
> @Lagi: The first customer already called to ask if I'd use "this security
> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
> plausibly :)
> Even if I agree with you about the real risk, it would be very bad idea not
> to update any commercial software now. It might even have juristic
> consequences, knowingly using broken crypto?
If you're using SHA-1 to implement an HMAC, you should already be using
the recommended formulation:
hmac := hash(key | hash(key | message))
Or, in LiveCode:
function HmacSha1(pKey, pData)
return sha1digest(pKey & sha1digest(pKey & pData))
end HmacSha1
If you are doing this, then the current attack on SHA-1 does not affect
the security of your system at all [1].
Peter
[1] I am not a cryptographer but this is my understanding of the situation.
--
Dr Peter Brett <peter.brett at livecode.com>
LiveCode Technical Project Manager
lcb-mode for Emacs: https://github.com/peter-b/lcb-mode
More information about the use-livecode
mailing list