On 11-08-2020 17:50, Alex Peshkoff via Firebird-devel wrote:
On 2020-08-10 21:43, Leyne, Sean wrote:
I believe that many of you are all too narrowly linking HASH and
whether it is appropriate for cryptography.
What about particular CRC32 - it produces output value with length just
4 bytes, even using SHA1 with 20 bytes returned was accepted as security
risk in some places (like SRP), making us move to hashes with longer
output. Sean, I do not know under what condition can it be used as
cryptographic hash. In our favorite tomcrypt hashes usable for crypto
purporses are collected together and may be interchangeably used in
other (higher level) crypto functions like RSA signing messages. But
CRC32 is standalone, it can not be used for something like signing
messages.
A hash function does not necessarily mean cryptographic hash. We are
talking about producing a consistent API, while you seem to only want a
specific class of hash functions in HASH (ignoring the fact that
HASH(<expression>) itself is also a non-cryptographic hash function).
[..]
The fact that the usage is appropriate for cryptography is something
the developer/user needs to worry about.
Ohh - I do not want to get CVE 'Firebird suggests unreliable hashes for
crypto purposes'.
That is a strawman, and not a very good one.
Mark
--
Mark Rotteveel
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
