[issue17258] multiprocessing.connection challenge implicitly uses MD5

miss-islington added the comment: New changeset 196810a98ab07714df3d329c325575ac36e61318 by Miss Islington (bot) in branch '3.9': bpo-17258: Add requires_hashdigest to multiprocessing tests (GH-20412) https://github.com/python/cpython/commit/196810a98ab07714df3d329c325575ac36e61318

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Change by miss-islington : -- pull_requests: +19851 pull_request: https://github.com/python/cpython/pull/20626 ___ Python tracker ___ __

[issue17258] multiprocessing.connection challenge implicitly uses MD5

miss-islington added the comment: New changeset b022e5cffbd3ff51ae361cf80f2a3b660be8b1ee by Christian Heimes in branch 'master': bpo-17258: Add requires_hashdigest to multiprocessing tests (GH-20412) https://github.com/python/cpython/commit/b022e5cffbd3ff51ae361cf80f2a3b660be8b1ee -

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Change by Christian Heimes : -- pull_requests: +19672 pull_request: https://github.com/python/cpython/pull/20412 ___ Python tracker ___

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Change by Christian Heimes : -- pull_requests: +19644 pull_request: https://github.com/python/cpython/pull/20380 ___ Python tracker ___

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Change by Charalampos Stratakis : -- pull_requests: +15857 pull_request: https://github.com/python/cpython/pull/16264 ___ Python tracker ___ ___

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Antoine Pitrou added the comment: Indeed, we probably want a flexible handshake mechanism. This needn't be very optimized: probably a magic number followed by a JSON-encoded dict is sufficient. (of course, several years down the road, someone will engineer a downgrade attack) -- no

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Christian Heimes added the comment: Dave, are you still interested to address the issue? I think it's a good idea to replace HMAC-MD5 in the long run. But instead of hard-coding another hash algorithm, I would like to see an improved handshake protocol that supports flexible authentication al

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Changes by Antoine Pitrou : -- versions: -Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.5 ___ Python tracker ___

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Changes by Barry A. Warsaw : -- nosy: +barry ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Changes by Barry A. Warsaw : -- nosy: +doko ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Richard Oudkerk added the comment: Banning md5 as a matter of policy may be perfectly sensible. However, I think the way multiprocessing uses hmac authentication is *not* affected by the collision attacks the advisory talks about. These depend on the attacker being able to determine for himse

[issue17258] multiprocessing.connection challenge implicitly uses MD5

Christian Heimes added the comment: The statement "MD5 should no longer be used for security purposes" is not entirely correct. MD5 should no longer be used as cryptographic hash function for signatures. However HMAC-MD5 is a different story. >From https://tools.ietf.org/html/rfc6151 The a

[issue17258] multiprocessing.connection challenge implicitly uses MD5

New submission from Dave Malcolm: Within multiprocessing.connection, deliver_challenge() and answer_challenge() use hmac for a challenge/response. hmac implicitly defaults to using MD5. MD5 should no longer be used for security purposes. See e.g. http://www.kb.cert.org/vuls/id/836068 This fa