With that said, if performance is an issue, you might want to look into using SHA512 instead due to optimizations on 64-bit platforms.

On Mar 15, 2017 15:16, "Alex Gaynor" <alex.gay...@gmail.com> wrote:

> It's also worth noting that the correct time to switch is not when
> something is broken, it's well before then.
>
> Alex
>
> On Wed, Mar 15, 2017 at 5:14 PM, Paul Kehrer <paul.l.keh...@gmail.com> wrote:
>
>> Echoing Alex's comments, SHA1's problems do not affect HMAC constructions
>> so there's no current security issue. That said, optics in cryptography can
>> be important (as you're seeing with your user requests now). You will save
>> yourself a great deal of low grade noise in the future by simply switching
>> now.
>>
>> On March 15, 2017 at 1:53:24 PM, Alex Gaynor (alex.gay...@gmail.com) wrote:
>>
>> Hi David,
>>
>> You're correct that HMAC's security is still fine when used with SHA-1,
>> HMAC-MD5 is even secure believe it or not.
>>
>> That said, I'd generally recommend people migrate to HMAC-SHA-256
>> anyways, to make analyzing their software easier.
>>
>> Alex
>>
>> On Wed, Mar 15, 2017 at 1:48 PM, David Lord <david...@gmail.com> wrote:
>>
>>> Hello cryptography,
>>>
>>> Over at the Flask repos, we've had a number of requests to use SHA-256
>>> instead of SHA-1 in a couple places.
>>> Werkzeug defaults to SHA-1 as part of PBKDF2 to generate password hashes.
>>> ItsDangerous defaults to SHA-1 as part of HMAC signatures.
>>>
>>> After some discussion I concluded that as used in those two methods,
>>> SHA-1's collision issues were not relevant.
>>> However, I'd like to get a second opinion from the cryptography experts.
>>>
>>> I can change the default to SHA-256, but if it's not actually making
>>> things more secure then that's just increasing time and space for no reason.
>>>
>>> Thanks,
>>> David
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right
>> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: D1B3 ADC0 E023 8CA6

_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
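
An added example (not part of the thread, and not ItsDangerous's or Werkzeug's own code) of the migration recommended above: new tokens are signed with HMAC-SHA-256, while HMAC-SHA-1 tokens that were already issued still verify and are flagged for re-signing. The `payload.hexmac` token format and the function names are assumptions made for this example.

```python
import hashlib
import hmac

CURRENT = "sha256"   # digest used for every newly issued signature
LEGACY = ("sha1",)   # digests still accepted on verification during migration


def _mac(key: bytes, payload: str, digest: str) -> str:
    return hmac.new(key, payload.encode(), getattr(hashlib, digest)).hexdigest()


def sign(key: bytes, payload: str, digest: str = CURRENT) -> str:
    """Return 'payload.hexmac' (token format constructed for this example)."""
    return f"{payload}.{_mac(key, payload, digest)}"


def verify(key: bytes, token: str) -> tuple[str, bool]:
    """Return (payload, needs_resign); raise ValueError on a bad signature."""
    # The hex MAC never contains '.', so split on the last one only.
    payload, _, mac_hex = token.rpartition(".")
    for digest in (CURRENT,) + LEGACY:
        expected = _mac(key, payload, digest)
        # Compare as bytes: constant-time, and safe for non-ASCII input.
        if hmac.compare_digest(expected.encode(), mac_hex.encode()):
            return payload, digest != CURRENT
    raise ValueError("bad signature")


def upgrade(key: bytes, token: str) -> str:
    """Verify a token and re-issue it under CURRENT if it used a legacy digest."""
    payload, needs_resign = verify(key, token)
    return sign(key, payload) if needs_resign else token


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    old = sign(key, "user=42", "sha1")   # token issued before the switch
    print(verify(key, old))              # still valid, flagged for re-signing
    print(upgrade(key, old))             # same payload, HMAC-SHA-256 MAC
```

Once no legacy tokens remain in circulation, emptying `LEGACY` removes SHA-1 from the verification path entirely.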