Cryptographic hash function security #68

Open
LiberalArtist opened this issue Aug 17, 2019 · 1 comment

@LiberalArtist
Contributor

A few places in the web server use cryptographic hash functions, specifically MD5 and SHA1:

Neither MD5 nor SHA1 is recommended anymore for general use as cryptographic hash functions. IIUC, the vulnerabilities in both cases are (so far) only with collisions, not preimages, which I think means some or all of these uses are still ok—but "I think" is not something I like to rely on when it comes to crypto.

I propose that:

  1. We should document the security considerations applicable to each use of cryptographic hash functions.
  2. If MD5 or SHA1 are insecure in any of these applications, we should replace them with better hash functions. Conveniently, racket/base now provides sha256-bytes and sha224-bytes.

@jeapostrophe
Contributor

Good idea
