subject:"\[Maria\-discuss\] Is it possible to upgrade SHA\-1 and MD5 algorithms in Mariadb\-10.5\?"

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-22 Thread Eliezer Croitoru

Hey Lukas,

For clarity can you post the relevant jira issues that are relevant?

I have these in my watch list:

*   https://jira.mariadb.org/browse/MDEV-12701
*   https://jira.mariadb.org/browse/MDEV-12160
*   https://jira.mariadb.org/browse/MDEV-16503

Thanks,

Eliezer

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1...@gmail.com  

Zoom: Coming soon

From: Maria-discuss 
 On Behalf Of 
Lukas Javorsky
Sent: Monday, March 22, 2021 1:28 PM
To: Sergei Golubchik 
Cc: maria-discuss@lists.launchpad.net
Subject: Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms 
in Mariadb-10.5?

Hi Sergei,

I'm going to create the feature requests as you mentioned.

> Neither password hashing nor certificate fingerprinting, as far as I can

> see, use MD5.

Yes, I know, that's why I used "OR". I was just double checking. SHA-1 is used 
though.

However, we don't just have the checkbox for this.

The computing power is really skyrocketing every year, and we should be 
prepared rather than waiting for it.

That's why we are doing extra steps to prevent any security issues that may be 
caused by weak algorithms.

And since MariaDB is pretty big and widely used software we need to protect our 
customers against these types of attacks.

I will try to provide as many information as I can in the following feature 
requests at jira.mariadb.com  

Thank you

Lukas

On Fri, Mar 19, 2021 at 2:11 PM Sergei Golubchik mailto:s...@mariadb.org> > wrote:

Hi, Lukas!

On Mar 19, Lukas Javorsky wrote:
> 
> The main functions that are important for us is the password hashing,
> certificate fingerprinting in mariadb-connector-c which uses SHA-1 or
> MD5

Neither password hashing nor certificate fingerprinting, as far as I can
see, use MD5.

Password hashing, indeed, uses SHA-1. It's still secure, as far as I
know, but I understand that you're likely just need a checkbox "no
SHA-1 inside". Please, create a feature request at jira.mariadb.org 
  for
that (use type=task, project=MDEV).

Certificate fingerprinting in mariadb-connector-c also uses SHA-1.
If think it might make sense to allow other digest algorithms too.
Please, create a feature request at jira.mariadb.org   
(project=CONC).

Regards,
Sergei
VP of MariaDB Server Engineering
and secur...@mariadb.org  

-- 

S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases 

  Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

  ljavo...@redhat.com 

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-22 Thread Lukas Javorsky

Hi Sergei,

I'm going to create the feature requests as you mentioned.

> Neither password hashing nor certificate fingerprinting, as far as I can

> see, use MD5.

Yes, I know, that's why I used "OR". I was just double checking. SHA-1 is
used though.

However, we don't just have the checkbox for this.

The computing power is really skyrocketing every year, and we should be
prepared rather than waiting for it.

That's why we are doing extra steps to prevent any security issues that may
be caused by weak algorithms.

And since MariaDB is pretty big and widely used software we need to protect
our customers against these types of attacks.


I will try to provide as many information as I can in the following feature
requests at jira.mariadb.com

Thank you

Lukas


On Fri, Mar 19, 2021 at 2:11 PM Sergei Golubchik  wrote:

> Hi, Lukas!
>
> On Mar 19, Lukas Javorsky wrote:
> >
> > The main functions that are important for us is the password hashing,
> > certificate fingerprinting in mariadb-connector-c which uses SHA-1 or
> > MD5
>
> Neither password hashing nor certificate fingerprinting, as far as I can
> see, use MD5.
>
> Password hashing, indeed, uses SHA-1. It's still secure, as far as I
> know, but I understand that you're likely just need a checkbox "no
> SHA-1 inside". Please, create a feature request at jira.mariadb.org for
> that (use type=task, project=MDEV).
>
> Certificate fingerprinting in mariadb-connector-c also uses SHA-1.
> If think it might make sense to allow other digest algorithms too.
> Please, create a feature request at jira.mariadb.org (project=CONC).
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and secur...@mariadb.org
>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-19 Thread Sergei Golubchik

Hi, Lukas!

On Mar 19, Lukas Javorsky wrote:
> 
> The main functions that are important for us is the password hashing,
> certificate fingerprinting in mariadb-connector-c which uses SHA-1 or
> MD5

Neither password hashing nor certificate fingerprinting, as far as I can
see, use MD5.

Password hashing, indeed, uses SHA-1. It's still secure, as far as I
know, but I understand that you're likely just need a checkbox "no
SHA-1 inside". Please, create a feature request at jira.mariadb.org for
that (use type=task, project=MDEV).

Certificate fingerprinting in mariadb-connector-c also uses SHA-1.
If think it might make sense to allow other digest algorithms too.
Please, create a feature request at jira.mariadb.org (project=CONC).

Regards,
Sergei
VP of MariaDB Server Engineering
and secur...@mariadb.org

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-19 Thread Lukas Javorsky

> What do you mean by "upgrade SHA-1 and MD5 algorithms in MariaDB" ?

Sorry for misleading terminology Sergei.
What I meant was to change this algorithm to something newer, and most
importantly more secure.

There is an article  about breaking the
SHA-1 which is dated to 2020 and it explains the vulnerability of this
algorithm.

RHEL also adheres to Government standards like FIPS 140-2, which permits
the use of SHA-1 for verification of legacy signatures.
That may not be the case of mariadb, however, our goal is to
eliminate every possible weakness of the algorithms used in packages.

The main functions that are important for us is the password hashing,
certificate fingerprinting in mariadb-connector-c which uses SHA-1 or MD5

Please let me know what you think.
Lukas

On Fri, Mar 19, 2021 at 1:48 AM Daniel Black  wrote:

> md5:
>
> extra/mariabackup/xbcloud.cc - old bit, however for old reasons used md5
> as a checksum on a storage format. I'm think can be removed before RHEL9
>
> In SQL there is a MD5 function, we can't just replace that as it will
> break user applications.
>
> sha1:
>
> also a SQL function.
>
> plugin/file_key_management/parser.cc is a digest on the keys, however if
> this is a point of attack you've lost already. I suspect this can be fixed.
>
> sha1 forms part of the mysql_native_password implementation, there's no
> known vulnerabilities in this due to its sha1 usage.
>
> https://mariadb.com/kb/en/authentication-plugin-ed25519/ is available,
> however not everything supports in on the client side.
> A mistake was also made (ref MDEV-19217), so a v2 might be needed.
>
> As things like php have mysqlnd and are more strictly tied to MySQL rather
> than MariaDB compatibility so adding MariaDB authentication
> plugins hasn't been accepted yet.
>
> On SQL functions, is this going to be a problem? or would a compile option
> that issues a user SQL warning if they are used be useful?
>
>
>
>
> On Thu, Mar 18, 2021 at 2:29 PM Eliezer Croitoru 
> wrote:
>
>> Hey Sergei,
>>
>> I cannot speak in the name of Lukas but I assume that he is talking about
>> the payload signature of RPM files.
>> Technically speaking SHA1 and MD5 can collide but only to specific file
>> sizes.
>> It's not that simple to create an RPM in a size of 10+ MB which will
>> provide the exact same
>> functionality ie DB which will include errors and/or other things.
>>
>> I know it's pretty simple to upgrade the signature so I do not find any
>> reason to not add a SHA256 sig.
>>
>> All The Bests,
>> Eliezer
>>
>> 
>> Eliezer Croitoru
>> Tech Support
>> Mobile: +972-5-28704261
>> Email: ngtech1...@gmail.com
>> Zoom: Coming soon
>>
>>
>> -Original Message-
>> From: Maria-discuss > gmail@lists.launchpad.net> On Behalf Of Sergei Golubchik
>> Sent: Wednesday, March 17, 2021 5:24 PM
>> To: Lukas Javorsky 
>> Cc: maria-discuss@lists.launchpad.net
>> Subject: Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5
>> algorithms in Mariadb-10.5?
>>
>> Hi, Lukas!
>>
>> What do you mean by "upgrade SHA-1 and MD5 algorithms in MariaDB" ?
>>
>> Regards,
>> Sergei
>> VP of MariaDB Server Engineering
>> and secur...@mariadb.org
>>
>> On Mar 17, Lukas Javorsky wrote:
>> > Hi,
>> >
>> > In RHEL-9 we are deprecating, old SHA-1 and MD5 and that's why I want to
>> > ask you if there is any chance that upstream is going to change it, or
>> we
>> > should do it downstream.
>> >
>> > These algorithms are no longer considered as safe, so it may be a good
>> > thing to upgrade them.
>> >
>> > AFAIK mariadb uses these algorithms in *mariadb* and
>> *mariadb-connector-c.*
>> >
>> > Also if you have no intention to change it, is there any chance you
>> could
>> > help us somehow. Maybe point out what we should be aware of.
>> >
>> > Please let me know what you think
>> >
>> > Lukas
>> >
>> > --
>> > S pozdravom/ Best regards
>> >
>> > Lukáš Javorský
>> >
>> > Associate Software Engineer, Core service - Databases
>> >
>> > Red Hat 
>> >
>> > Purkyňova 115 (TPB-C)
>> >
>> > 612 00 Brno - Královo Pole
>> >
>> > ljavo...@redhat.com
>> > 
>>
>> ___
>> Mailing list: https://launchpad.net/~maria-discuss
>> Post to : maria-discuss@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~maria-discuss
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>> ___
>> Mailing list: https://launchpad.net/~maria-discuss
>> Post to : maria-discuss@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~maria-discuss
>> More help   : https://help.launchpad.net/ListHelp
>>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com

___
Mailing

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-19 Thread Reindl Harald





Am 19.03.21 um 01:47 schrieb Daniel Black:

md5:

extra/mariabackup/xbcloud.cc - old bit, however for old reasons used md5 
as a checksum on a storage format. I'm think can be removed before RHEL9


In SQL there is a MD5 function, we can't just replace that as it will 
break user applications.


sha1:

also a SQL function.

plugin/file_key_management/parser.cc is a digest on the keys, however if 
this is a point of attack you've lost already. I suspect this can be fixed.


sha1 forms part of the mysql_native_password implementation, there's no 
known vulnerabilities in this due to its sha1 usage.


https://mariadb.com/kb/en/authentication-plugin-ed25519/ 
 is available, 
however not everything supports in on the client side.

A mistake was also made (ref MDEV-19217), so a v2 might be needed.

As things like php have mysqlnd and are more strictly tied to MySQL 
rather than MariaDB compatibility so adding MariaDB authentication

plugins hasn't been accepted yet.

On SQL functions, is this going to be a problem? or would a compile 
option that issues a user SQL warning if they are used be useful?


sql functions for sure not matter in that context

besides it would break existing usecases it also would require to change 
applications workign with that data *and* replace the hases with some 
others in *existing* data which is a no-go


--

md5/sha1 are not evil on it's own - it's a matter of what they are used 
for, i have usecases where even MD4 is enough and i use it because it's 
simply faster


it's unlikely in my md4 usecase making sure in autotests that html 
output out of frameworks didn't change to hit a hash-collision at the 
same time a single html attribute in a source code changed


___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-18 Thread Daniel Black

md5:

extra/mariabackup/xbcloud.cc - old bit, however for old reasons used md5 as
a checksum on a storage format. I'm think can be removed before RHEL9

In SQL there is a MD5 function, we can't just replace that as it will break
user applications.

sha1:

also a SQL function.

plugin/file_key_management/parser.cc is a digest on the keys, however if
this is a point of attack you've lost already. I suspect this can be fixed.

sha1 forms part of the mysql_native_password implementation, there's no
known vulnerabilities in this due to its sha1 usage.

https://mariadb.com/kb/en/authentication-plugin-ed25519/ is available,
however not everything supports in on the client side.
A mistake was also made (ref MDEV-19217), so a v2 might be needed.

As things like php have mysqlnd and are more strictly tied to MySQL rather
than MariaDB compatibility so adding MariaDB authentication
plugins hasn't been accepted yet.

On SQL functions, is this going to be a problem? or would a compile option
that issues a user SQL warning if they are used be useful?




On Thu, Mar 18, 2021 at 2:29 PM Eliezer Croitoru 
wrote:

> Hey Sergei,
>
> I cannot speak in the name of Lukas but I assume that he is talking about
> the payload signature of RPM files.
> Technically speaking SHA1 and MD5 can collide but only to specific file
> sizes.
> It's not that simple to create an RPM in a size of 10+ MB which will
> provide the exact same
> functionality ie DB which will include errors and/or other things.
>
> I know it's pretty simple to upgrade the signature so I do not find any
> reason to not add a SHA256 sig.
>
> All The Bests,
> Eliezer
>
> 
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
> Zoom: Coming soon
>
>
> -Original Message-
> From: Maria-discuss  gmail@lists.launchpad.net> On Behalf Of Sergei Golubchik
> Sent: Wednesday, March 17, 2021 5:24 PM
> To: Lukas Javorsky 
> Cc: maria-discuss@lists.launchpad.net
> Subject: Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5
> algorithms in Mariadb-10.5?
>
> Hi, Lukas!
>
> What do you mean by "upgrade SHA-1 and MD5 algorithms in MariaDB" ?
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and secur...@mariadb.org
>
> On Mar 17, Lukas Javorsky wrote:
> > Hi,
> >
> > In RHEL-9 we are deprecating, old SHA-1 and MD5 and that's why I want to
> > ask you if there is any chance that upstream is going to change it, or we
> > should do it downstream.
> >
> > These algorithms are no longer considered as safe, so it may be a good
> > thing to upgrade them.
> >
> > AFAIK mariadb uses these algorithms in *mariadb* and
> *mariadb-connector-c.*
> >
> > Also if you have no intention to change it, is there any chance you could
> > help us somehow. Maybe point out what we should be aware of.
> >
> > Please let me know what you think
> >
> > Lukas
> >
> > --
> > S pozdravom/ Best regards
> >
> > Lukáš Javorský
> >
> > Associate Software Engineer, Core service - Databases
> >
> > Red Hat 
> >
> > Purkyňova 115 (TPB-C)
> >
> > 612 00 Brno - Královo Pole
> >
> > ljavo...@redhat.com
> > 
>
> ___
> Mailing list: https://launchpad.net/~maria-discuss
> Post to : maria-discuss@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>
>
> ___
> Mailing list: https://launchpad.net/~maria-discuss
> Post to : maria-discuss@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>
___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-17 Thread Eliezer Croitoru

Hey Sergei,

I cannot speak in the name of Lukas but I assume that he is talking about the 
payload signature of RPM files.
Technically speaking SHA1 and MD5 can collide but only to specific file sizes.
It's not that simple to create an RPM in a size of 10+ MB which will provide 
the exact same
functionality ie DB which will include errors and/or other things.

I know it's pretty simple to upgrade the signature so I do not find any reason 
to not add a SHA256 sig.

All The Bests,
Eliezer


Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon


-Original Message-
From: Maria-discuss 
 On Behalf Of 
Sergei Golubchik
Sent: Wednesday, March 17, 2021 5:24 PM
To: Lukas Javorsky 
Cc: maria-discuss@lists.launchpad.net
Subject: Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms 
in Mariadb-10.5?

Hi, Lukas!

What do you mean by "upgrade SHA-1 and MD5 algorithms in MariaDB" ?

Regards,
Sergei
VP of MariaDB Server Engineering
and secur...@mariadb.org

On Mar 17, Lukas Javorsky wrote:
> Hi,
> 
> In RHEL-9 we are deprecating, old SHA-1 and MD5 and that's why I want to
> ask you if there is any chance that upstream is going to change it, or we
> should do it downstream.
> 
> These algorithms are no longer considered as safe, so it may be a good
> thing to upgrade them.
> 
> AFAIK mariadb uses these algorithms in *mariadb* and *mariadb-connector-c.*
> 
> Also if you have no intention to change it, is there any chance you could
> help us somehow. Maybe point out what we should be aware of.
> 
> Please let me know what you think
> 
> Lukas
> 
> -- 
> S pozdravom/ Best regards
> 
> Lukáš Javorský
> 
> Associate Software Engineer, Core service - Databases
> 
> Red Hat 
> 
> Purkyňova 115 (TPB-C)
> 
> 612 00 Brno - Královo Pole
> 
> ljavo...@redhat.com
> 

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-17 Thread Sergei Golubchik

Hi, Lukas!

What do you mean by "upgrade SHA-1 and MD5 algorithms in MariaDB" ?

Regards,
Sergei
VP of MariaDB Server Engineering
and secur...@mariadb.org

On Mar 17, Lukas Javorsky wrote:
> Hi,
> 
> In RHEL-9 we are deprecating, old SHA-1 and MD5 and that's why I want to
> ask you if there is any chance that upstream is going to change it, or we
> should do it downstream.
> 
> These algorithms are no longer considered as safe, so it may be a good
> thing to upgrade them.
> 
> AFAIK mariadb uses these algorithms in *mariadb* and *mariadb-connector-c.*
> 
> Also if you have no intention to change it, is there any chance you could
> help us somehow. Maybe point out what we should be aware of.
> 
> Please let me know what you think
> 
> Lukas
> 
> -- 
> S pozdravom/ Best regards
> 
> Lukáš Javorský
> 
> Associate Software Engineer, Core service - Databases
> 
> Red Hat 
> 
> Purkyňova 115 (TPB-C)
> 
> 612 00 Brno - Královo Pole
> 
> ljavo...@redhat.com
> 

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

[Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-17 Thread Lukas Javorsky

Hi,

In RHEL-9 we are deprecating, old SHA-1 and MD5 and that's why I want to
ask you if there is any chance that upstream is going to change it, or we
should do it downstream.

These algorithms are no longer considered as safe, so it may be a good
thing to upgrade them.

AFAIK mariadb uses these algorithms in *mariadb* and *mariadb-connector-c.*

Also if you have no intention to change it, is there any chance you could
help us somehow. Maybe point out what we should be aware of.

Please let me know what you think

Lukas

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

[Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

9 matches

Site Navigation

Mail list logo

Footer information