On 24/02/2017 18:47, axwald via use-livecode wrote:
> A few days ago I read about PHP incorporating a modern crypto lib now:
> https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library
> Not a specialist regarding this, but wouldn't it be possible to interface
> such?
> https://github.com/jedisct1/libsodium
> @Lagi: The first customer already called to ask if I'd use "this security
> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
> plausibly :)
> Even if I agree with you about the real risk, it would be a very bad idea not
> to update any commercial software now. It might even have juristic
> consequences, knowingly using broken crypto?

If you're using SHA-1 to implement an HMAC, you should already be using
the recommended formulation:

    hmac := hash(key | hash(key | message))

Or, in LiveCode:

    function HmacSha1(pKey, pData)
       return sha1digest(pKey & sha1digest(pKey & pData))
    end HmacSha1

If you are doing this, then the current attack on SHA-1 does not affect
the security of your system at all [1].
Peter
[1] I am not a cryptographer but this is my understanding of the situation.
--
Dr Peter Brett <peter.br...@livecode.com>
LiveCode Technical Project Manager
lcb-mode for Emacs: https://github.com/peter-b/lcb-mode
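
Added example, not part of the original message and not LiveCode's own code: the HMAC construction as RFC 2104 defines it (block-padded key XORed with ipad/opad), written in Python so it can be checked against the standard library and the RFC 2202 test vectors, next to the formula as written in the message. The function names are assumptions made for this illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 input block size in bytes


def hmac_sha1_rfc2104(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 per RFC 2104: H((K' xor opad) || H((K' xor ipad) || m))."""
    # Keys longer than one block are hashed first, then zero-padded to a block.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def nested_prefix_sha1(key: bytes, message: bytes) -> bytes:
    """The formula as written in the message: hash(key | hash(key | message))."""
    return hashlib.sha1(key + hashlib.sha1(key + message).digest()).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Check a received tag in constant time to avoid a timing side channel."""
    return hmac.compare_digest(hmac_sha1_rfc2104(key, message), tag)


def interoperates(key: bytes, message: bytes) -> dict:
    """Report which construction matches the standard library's HMAC-SHA1."""
    reference = hmac.new(key, message, hashlib.sha1).digest()
    return {
        "rfc2104": hmac_sha1_rfc2104(key, message) == reference,
        "nested_prefix": nested_prefix_sha1(key, message) == reference,
    }


if __name__ == "__main__":
    # RFC 2202 test case 2 for HMAC-SHA1.
    key, msg = b"Jefe", b"what do ya want for nothing?"
    print("RFC 2104 HMAC :", hmac_sha1_rfc2104(key, msg).hex())
    print("nested prefix :", nested_prefix_sha1(key, msg).hex())
    print("matches stdlib:", interoperates(key, msg))
```

Only the RFC 2104 form produces tags that other HMAC-SHA1 implementations will accept, which matters when the tag is verified by a server or library outside your own code.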