NIST seems to agree that SHA-1 is ok for HMAC as well:

http://csrc.nist.gov/groups/ST/hash/statement.html

"There are many applications of hash functions, and many do not
require strong collision resistance; for example, keyed hash
applications, such as the Hash-based Message Authentication Code
(HMAC) or key derivation applications of hash functions do not seem to
be affected."

Their plan in the same article doesn't mention transitioning off of
SHA-1 for HMAC-related applications.

They also mention that SHA-1 is allowable for HMAC-related use after
the 2010 switchover:

http://csrc.nist.gov/groups/ST/hash/policy.html

"After 2010, Federal agencies may use SHA-1 only for the following
applications: hash-based message authentication codes (HMACs); key
derivation functions (KDFs); and random number generators (RNGs)."

However it does say:

"Regardless of use, NIST encourages application and protocol designers
to use the SHA-2 family of hash functions for all new applications and
protocols."

Is there a good way to make it forward-upgradeable? Allow the
developer to decide on the shorter SHA-1 hash or the (theoretically)
more secure SHA-256?

Jordan

On Jan 4, 8:49 am, Simon Willison <si...@simonwillison.net> wrote:
> From Jordan Christensen on Twitter:
> http://twitter.com/thebigjc/status/7366243197
>
> "@simonw why sha-1 instead of sha-256? NIST has recommended not using
> SHA-1 in new systems: http://bit.ly/6bIf5h"
>
> I chose sha-1 over sha-256 for reasons of signature length. A base64
> encoded signature generated with hmac/sha1 is 27 characters long. The
> same thing using hmac/sha256 is 43 characters long. If you're planning
> on using signatures in cookies and URLs that's quite a big difference
> (43 characters is more than half of the maximum 80 characters needed
> to safely transmit URLs in plain text e-mails, e.g. for account
> recovery links).
>
> My understanding is that the collision weaknesses discovered in SHA-1
> are countered by the use of HMAC. Here's Bruce Schneier on the matter:
>
> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
> "It pretty much puts a bullet into SHA-1 as a hash function for
> digital signatures (although it doesn't affect applications such as
> HMAC where collisions aren't important)."
>
> Despite the confusing API name, we're doing HMAC here, not digital
> signatures - so I think we're OK. If I'm wrong I'm sure a crypto geek
> will set me straight pretty quickly.
>
> Cheers,
>
> Simon

--

You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
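Added example, written for this page and not code from the thread or from Django's own signing module: a small HMAC signing helper that answers Jordan's "forward-upgradeable" question by tagging each signature with the hash it was made with, so a site can issue HMAC-SHA1 now (the shorter cookie/URL form Simon wants) and move to HMAC-SHA256 later while still honouring signatures issued before the switch. It also reproduces the 27- versus 43-character lengths quoted above. The `value:alg:sig` layout, the salt-derived per-purpose key, the `accept` allow-list and the secret are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Hash functions the verifier will accept, keyed by the tag embedded in each
# signature. Tagging lets a site issue HMAC-SHA1 today (shorter cookies/URLs)
# and move to HMAC-SHA256 later while still honouring in-flight signatures.
ALGORITHMS = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
}


def b64(raw: bytes) -> str:
    """URL-safe base64 with '=' padding stripped (27 chars for SHA-1, 43 for SHA-256)."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def unb64(text: str) -> bytes:
    """Inverse of b64(); restores padding and raises ValueError on garbage."""
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except binascii.Error as exc:
        raise ValueError("bad base64 in signature") from exc


def signature_length(alg: str) -> int:
    """Length in characters of an encoded HMAC tag for the given hash."""
    return len(b64(hmac.new(b"k", b"m", ALGORITHMS[alg]).digest()))


def derive_key(secret: bytes, salt: bytes, digestmod) -> bytes:
    """Per-purpose key (assumption: HMAC(secret, salt)) so a cookie signature
    cannot be replayed as, say, an account-recovery signature."""
    return hmac.new(secret, salt, digestmod).digest()


def sign(value: str, secret: bytes, salt: bytes, alg: str = "sha1") -> str:
    """Return 'value:alg:sig'. The developer picks alg; the tag records it."""
    digestmod = ALGORITHMS[alg]
    key = derive_key(secret, salt, digestmod)
    mac = hmac.new(key, value.encode("utf-8"), digestmod).digest()
    return f"{value}:{alg}:{b64(mac)}"


def unsign(signed: str, secret: bytes, salt: bytes,
           accept=frozenset(ALGORITHMS)) -> str:
    """Verify and return the value, or raise ValueError.

    `accept` is the policy knob: keep {"sha1", "sha256"} during a migration,
    then shrink it to {"sha256"} once old signatures have expired. A tag
    outside the allow-list is rejected before any MAC is computed, so a
    client cannot downgrade the check by editing the tag.
    """
    parts = signed.rsplit(":", 2)  # value may contain ':'; alg and sig never do
    if len(parts) != 3:
        raise ValueError("malformed signature")
    value, alg, sig = parts
    if alg not in accept or alg not in ALGORITHMS:
        raise ValueError(f"hash {alg!r} not accepted")
    digestmod = ALGORITHMS[alg]
    key = derive_key(secret, salt, digestmod)
    expected = hmac.new(key, value.encode("utf-8"), digestmod).digest()
    # Constant-time comparison; '==' on MACs leaks timing.
    if not hmac.compare_digest(unb64(sig), expected):
        raise ValueError("signature mismatch")
    return value


def verify(signed: str, secret: bytes, salt: bytes,
           accept=frozenset(ALGORITHMS)) -> bool:
    """Boolean convenience wrapper around unsign()."""
    try:
        unsign(signed, secret, salt, accept)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-secret-key"  # constructed for the demo, not a real key
    old = sign("user=42", secret, b"recovery", "sha1")
    new = sign("user=42", secret, b"recovery", "sha256")
    print(old, len(old.rsplit(":", 1)[1]))  # 27-character tag
    print(new, len(new.rsplit(":", 1)[1]))  # 43-character tag
    print(verify(old, secret, b"recovery"))  # True: both hashes accepted
    print(verify(old, secret, b"recovery", accept=frozenset({"sha256"})))  # False: SHA-1 retired
```

The tag costs a few extra characters per signature, but it is what makes retiring SHA-1 a configuration change rather than a flag day: verification keeps accepting both hashes until every outstanding cookie or recovery link has expired, then the allow-list is narrowed.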