Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

Thanks Peter. I see some things in there that help me understand better what 
the salting does. I will probably incorporate this in my app fairly soon. I 
store passwords for various things, and want to make sure they are as secure as 
possible. 

Once I get it working I think I will put up a sample stack using these algo's. 

Bob S


> On Mar 7, 2017, at 08:04 , Peter TB Brett via use-livecode 
>  wrote:
> 
> On 07/03/2017 15:28, Bob Sneidar via use-livecode wrote:
>> Thanks Peter. But then how will I know programmatically if the password is 
>> correct or not?
> 
> Hi Bob,
> 
> Here's a worked example of what I'm talking about.
> 
>  Peter


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Peter TB Brett via use-livecode]

On 07/03/2017 15:28, Bob Sneidar via use-livecode wrote:

Thanks Peter. But then how will I know programmatically if the password is 
correct or not?


Hi Bob,

Here's a worked example of what I'm talking about.

  Peter

-

/* Compute a hash-based message authentication code
using the SHA-1 hash.  This is broken; it should correctly
follow RFC 2104. */
private function hmacSha1 pKey, pMessage
   return sha1digest(pKey & sha1digest(pKey & pMessage))
end hmacSha1

/* Generate a 160-bit salt value suitable for use when
storing a password */
private function generateSalt
   return randomBytes(20)
end generateSalt

/* Convert the specified cleartext password string to an
secure string suitable for storage using the specified
salt, which should be a base 64-encoded string. */
private function securePassword pPasswordString, pSaltData
   local tPasswordData
   put textEncode(pPasswordString, "UTF-8") into tPasswordData
   return base64Encode(pSaltData) & comma & \
 base64Encode(hmacSha1(pSaltData, tPasswordData))
end securePassword

/* Get the salt part of a secured password string */
private function getSecurePasswordSalt pSecurePassword
   return base64Decode(item 1 of pSecurePassword)
end getSecurePasswordSalt

/* Store a new password.  Use this when a user creates
a new account or changes their password for any reason */
function storePassword pPasswordString
   return securePassword(pPasswordString, generateSalt())
end storePassword

/* Verify a password.  Use this when a user tries to log
in.  Returns true if the password is correct and false
otherwise. */
function verifyPassword pPasswordString, pSecurePassword
   local tSaltData, tTrialString
   put getSecurePasswordSalt(pSecurePassword) into tSaltData
   put securePassword(pPasswordString, tSaltData) into tTrialString
   return tTrialString is pSecurePassword
end verifyPassword

-

private command _testAssert pDesc, pCondition
   if pCondition then
  put "ok -" && pDesc & return after msg
   else
  put "not ok -" && pDesc & return after msg
   end if
end _testAssert

command _testPasswordDemo
   local tSecured
   put storePassword("correct horse battery staple") into tSecured
   put "# Stored:" && tSecured & return into msg
   _testAssert "bad password", \
 not verifyPassword("hunter2", tSecured)
   _testAssert "good password", \
 verifyPassword("correct horse battery staple", tSecured)
end _testPasswordDemo

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

NVM I think I see. I hash the user's password entry and compare the value to 
what is stored. But if the stored hash is an asymmetric one and cannot be 
decrypted, what is all the fuss about? Rainbow tables are all that is left, and 
you cannot create rainbow tables for every possible methodology. 

I'm wondering if this is much ado about nothing? No matter how a password is 
stored, it can always theoretically be compromised once someone gains access to 
the storage system. I get that having a different seed for each password makes 
it more difficult to be able to decrypt a captured hash in transit, but 
passwords MUST be stored somewhere, and if so, then encrypted, and if so, then 
never completely safely. 

Bob S


> On Mar 7, 2017, at 07:28 , Bob Sneidar via use-livecode 
>  wrote:
> 
>> Hi Bob,
>> 
>> The "encrypt" command provides symmetric cryptographic functions, i.e.
>> you can decrypt the result again to get the cleartext back.  This is _not_ a 
>> desirable property for a password storage system; you should always use 
>> one-way (asymmetric) functions, such as a cryptographic hash.
>> 
>> Peter
>> 
>> -- 
>> Dr Peter Brett 


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[prothero--- via use-livecode]

You encrypt the trial password and compare the encrypted values. 
Bill

William Prothero
http://ed.earthednet.org

> On Mar 7, 2017, at 3:28 PM, Bob Sneidar via use-livecode 
>  wrote:
> 
> Thanks Peter. But then how will I know programmatically if the password is 
> correct or not? 
> 
> Bob S
> 
> 
>> On Mar 6, 2017, at 02:53 , Peter TB Brett via use-livecode 
>>  wrote:
>> 
>> 
>> 
>>> On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote:
>>> It looks like the encrypt command is already using this method if
>>> the "with salt" arguement is provided? At least the encrypted result
>>> starts with "salted" and at least part of the salt value.
>>> 
>> 
>> Hi Bob,
>> 
>> The "encrypt" command provides symmetric cryptographic functions, i.e.
>> you can decrypt the result again to get the cleartext back.  This is _not_ a 
>> desirable property for a password storage system; you should always use 
>> one-way (asymmetric) functions, such as a cryptographic hash.
>> 
>> Peter
>> 
>> -- 
>> Dr Peter Brett 
> 
> 
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription 
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

Thanks Peter. But then how will I know programmatically if the password is 
correct or not? 

Bob S


> On Mar 6, 2017, at 02:53 , Peter TB Brett via use-livecode 
>  wrote:
> 
> 
> 
> On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote:
>> It looks like the encrypt command is already using this method if
>> the "with salt" arguement is provided? At least the encrypted result
>> starts with "salted" and at least part of the salt value.
>> 
> 
> Hi Bob,
> 
> The "encrypt" command provides symmetric cryptographic functions, i.e.
> you can decrypt the result again to get the cleartext back.  This is _not_ a 
> desirable property for a password storage system; you should always use 
> one-way (asymmetric) functions, such as a cryptographic hash.
> 
>  Peter
> 
> -- 
> Dr Peter Brett 


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Peter TB Brett via use-livecode]

On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote:

It looks like the encrypt command is already using this method if
the "with salt" arguement is provided? At least the encrypted result
starts with "salted" and at least part of the salt value.



Hi Bob,

The "encrypt" command provides symmetric cryptographic functions, i.e.
you can decrypt the result again to get the cleartext back.  This is 
_not_ a desirable property for a password storage system; you should 
always use one-way (asymmetric) functions, such as a cryptographic hash.


  Peter

--
Dr Peter Brett 

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Tom Glod via use-livecode]

this discussion has been very useful on many fronts.  I'm going to have
fewer nightmares about security.

On Fri, Mar 3, 2017 at 1:00 PM, Bob Sneidar via use-livecode <
use-livecode@lists.runrev.com> wrote:

> It looks like the encrypt command is already using this method if the
> "with salt" arguement is provided? At least the encrypted result starts
> with "salted" and at least part of the salt value.
>
> Bob S
>
>
> > On Mar 1, 2017, at 07:37 , Bob Sneidar via use-livecode <
> use-livecode@lists.runrev.com> wrote:
> >
> > Hi Peter. Very informative thank you. In the example,
> >
> > [protected form] = [salt] + protect([protection func], [salt] +
> [credential]);
>
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
*Tom Glod*

CEO @ *MakeShyft R.D.A* - www.makeshyft.com



Developer of *U.M.P* - www.IamUMP.com
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

It looks like the encrypt command is already using this method if the "with 
salt" arguement is provided? At least the encrypted result starts with "salted" 
and at least part of the salt value. 

Bob S


> On Mar 1, 2017, at 07:37 , Bob Sneidar via use-livecode 
>  wrote:
> 
> Hi Peter. Very informative thank you. In the example, 
> 
> [protected form] = [salt] + protect([protection func], [salt] + [credential]);


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Peter TB Brett via use-livecode]

On 02/03/2017 19:28, Alejandro Tejada via use-livecode wrote:

How difficult would be to guess a sha1 digest, if we repeat it many,
many times? Just as Peter Brett wrote in a previous message:

put sha1Digest(sha1Digest(sha1Digest(tData))) -- 3 times!


Don't do this.  It will make it _easier_ to generate collisions, because 
each successive iteration loses some information from the input -- i.e. 
the scheme you suggest _reduces_ security.


When performing repeated hashing, you need to feed the original data in 
again at each stage.  See this Stack Overflow answer for a very detailed 
explanation:  https://stackoverflow.com/a/17396367/266449


The summary is that you need the following formulation to ensure 
security for repeated hashing:


put sha1Digest(tData & sha1Digest(tData & sha1Digest(tData)))
-- etcetera.

 Peter

--
Dr Peter Brett 
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Lagi Pittas via use-livecode]

Excellent points  Axwald especially the last paragraph.

Happy Happy Happy  Fun Fun Fun!! ;-)

On 2 March 2017 at 10:20, axwald via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Hi,
>
>
> Dr Peter Brett wrote
> > On 24/02/2017 18:47, axwald via use-livecode wrote:
> > [...]
> >> Not a specialist regarding this, but wouldn't it be possible to
> interface
> >> such?
> >>> https://github.com/jedisct1/libsodium
> >>
> >> @Lagi: The first customer already called to ask if I'd use "this
> security
> >> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
> >> [...]
> >
> > If you're using SHA-1 to implement an HMAC, you should already be using
> > the recommended formulation:
> >
> >  hmac := hash(key | hash(key | message)) [...]
>
> What I meant mentioning the "LibHash-Hmac" lib is that it contains a
> "sha256digest" function already that is, to my understanding at least, a
> SHA2 implementation. And that it's not only about the real danger of having
> one's hash cracked, it's more about the publicity this crack received, and
> the nosy questions that are coming in now from customers that read about it
> in the news. And, for sure, will never understand any detailed explanation.
>
> The other thing, about libsodium, was the idea not to roll our own crypto
> code, but instead to interface a commonly used, audited, verified &
> accepted
> open source crypto library. And just provide the wrapper as a plugin.
> No idea if such would be possible - this is beyond my knowledge. But for
> real security sensitive coding there's no way but to use audited code
> anyways. It would be a great benefit to have such available in LiveCode,
> IMHO.
>
> Another benefit would be that such a wrapper plugin could be made available
> not only for the most bleeding edge versions of LC - so that commercial
> coders that are forced to use more settled versions for speed, productivity
> & reliability are not left out in the dark & cold, again.
>
> Have fun!
>
>
>
> -
> • Livecode programming until the cat hits the fan •
> --
> View this message in context: http://runtime-revolution.
> 278305.n4.nabble.com/SHA1-cracked-What-are-the-chances-
> this-will-be-addressed-in-LC-tp4712554p4712777.html
> Sent from the Revolution - User mailing list archive at Nabble.com.
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[axwald via use-livecode]

Hi,


Dr Peter Brett wrote
> On 24/02/2017 18:47, axwald via use-livecode wrote:
> [...]
>> Not a specialist regarding this, but wouldn't it be possible to interface
>> such?
>>> https://github.com/jedisct1/libsodium
>>
>> @Lagi: The first customer already called to ask if I'd use "this security
>> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
>> [...]
> 
> If you're using SHA-1 to implement an HMAC, you should already be using 
> the recommended formulation:
> 
>  hmac := hash(key | hash(key | message)) [...]

What I meant mentioning the "LibHash-Hmac" lib is that it contains a
"sha256digest" function already that is, to my understanding at least, a
SHA2 implementation. And that it's not only about the real danger of having
one's hash cracked, it's more about the publicity this crack received, and
the nosy questions that are coming in now from customers that read about it
in the news. And, for sure, will never understand any detailed explanation.

The other thing, about libsodium, was the idea not to roll our own crypto
code, but instead to interface a commonly used, audited, verified & accepted
open source crypto library. And just provide the wrapper as a plugin.
No idea if such would be possible - this is beyond my knowledge. But for
real security sensitive coding there's no way but to use audited code
anyways. It would be a great benefit to have such available in LiveCode,
IMHO.

Another benefit would be that such a wrapper plugin could be made available
not only for the most bleeding edge versions of LC - so that commercial
coders that are forced to use more settled versions for speed, productivity
& reliability are not left out in the dark & cold, again.

Have fun!



-
• Livecode programming until the cat hits the fan •
--
View this message in context: 
http://runtime-revolution.278305.n4.nabble.com/SHA1-cracked-What-are-the-chances-this-will-be-addressed-in-LC-tp4712554p4712777.html
Sent from the Revolution - User mailing list archive at Nabble.com.

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Peter TB Brett via use-livecode]

On 01/03/2017 18:22, Richard Gaskin via use-livecode wrote:

The answer turns out to be: "Quite good - pull request submitted, status
changed to 'Awaiting Build'" - i.e. "done!"

http://quality.livecode.com/show_bug.cgi?id=14223

Many thanks to Peter Brett for addressing this, and implementing it in
such a nice way.


Hold your horses, Richard, I'm still waiting for the official Mark 
Waddingham stamp of approval for making changes to the LiveCode language!


There's a still a chance that it'll change a bit before it actually 
makes its way into a release.


   Peter ;-)

--
Dr Peter Brett 
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Richard Gaskin via use-livecode]

This thread title asks: "What are the chances this will be addressed in LC?"

The answer turns out to be: "Quite good - pull request submitted, status 
changed to 'Awaiting Build'" - i.e. "done!"


http://quality.livecode.com/show_bug.cgi?id=14223

Many thanks to Peter Brett for addressing this, and implementing it in 
such a nice way.


From the pull request linked to in the bug report it seems we now have 
a new messageDigest function:


get messageDigest( ,  )

(Note: there's discussion in the pull request about the param order, and 
I'm inferring here; the actual implementation may be the other way 
around, with type first and then message - Peter, Monte, where did that 
land?)


...where (if I read the notes correctly; Peter please correct me if I'm 
wrong)  can be any of the following:


  md5
  sha1
  sha2
  sha3

Awesome!

With those we should be set for several years.

This will mean that from v9.0 dp6 forward you'll probably want to avoid 
using the older md5Digest and sha1Digest functions in favor of this new 
syntax.


If you need the older hash algos the new function apparently supports 
them, but of course if you need a cryptographic-quality hash use sha2 or 
sha3.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Peter TB Brett via use-livecode]

On 01/03/2017 15:37, Bob Sneidar via use-livecode wrote:

Hi Peter. Very informative thank you. In the example,

[protected form] = [salt] + protect([protection func], [salt] +
[credential]);

It looks like they are saying to prepent the salt prior to the
protect function (in the case of LC that would be encrypt) but if
someone got access to the SQL database, wouldn't that give part of
the secret away? Isn't the salt value a way to further obscure the
credential, making something like a hash table more difficult?

I use a salt value that only I know, and I password protect the stack
that uses it. Seems to me that prepending the salt to the protected
form is like giving someone my user name but not my password. The
other team is starting on the 50 yard line (in American sports
vernacular).


The idea of a password storage scheme is to make it extremely costly for
an attacker to recover the original passwords, even given _total_ 
information about the scheme.  When evaluating a scheme, you should 
always assume that if someone has got access to your password database, 
they have also got access to anything else on that server or any server 
connected to it -- potentially including your secret salt.


By appending the salt to the front of the protected form, you can use a
different salt for every single password in your database.  Even if 
someone knows a password already (e.g. because they have an account on 
your server), they gain no information about any of the other passwords 
in the database.


Password storage schemes like Argon2 go one step further and put all of 
the parameters for the protected form into the protected string.  This 
allows the parameters to be modified for newly-stored passwords while 
still being able to verify old passwords.  They are also tuned to ensure 
that it takes a long time to compute the protected form (usually around 
0.1 to 0.5 ms).  That's long enough that knowing _all_ the parameters 
still makes it infeasible to figure out what the original password was.


In summary: salt values shouldn't need to be secret.

   Peter

--
Dr Peter Brett 
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

Hi Peter. Very informative thank you. In the example, 

[protected form] = [salt] + protect([protection func], [salt] + [credential]);

It looks like they are saying to prepent the salt prior to the protect function 
(in the case of LC that would be encrypt) but if someone got access to the SQL 
database, wouldn't that give part of the secret away? Isn't the salt value a 
way to further obscure the credential, making something like a hash table more 
difficult? 

I use a salt value that only I know, and I password protect the stack that uses 
it. Seems to me that prepending the salt to the protected form is like giving 
someone my user name but not my password. The other team is starting on the 50 
yard line (in American sports vernacular). 

Bob S


> On Mar 1, 2017, at 02:31 , Peter TB Brett via use-livecode 
>  wrote:
> 
> If you are handling passwords, then this is a pretty decent page with good 
> guidelines on how to do it safely and securely:
> 
> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Peter TB Brett via use-livecode]

On 28/02/2017 15:46, Bob Sneidar via use-livecode wrote:

Thanks for that Peter! I've been thinking about a way to encrypt data
for storage in database systems for things like passwords and server
credentials. Now to figure out how to decrypt it...


Hi Bob,

Never store user passwords in clear text, or in any encoding that can be 
reversed.  Both message digest algorithms and HMACs are intended to be 
*one-way* functions -- this is one of their important properties.


If you are handling passwords, then this is a pretty decent page with 
good guidelines on how to do it safely and securely:


https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Note that the HMAC definition I posted earlier is a simplified version; 
it would probably be a good idea to have a library that provides the 
full spec described in https://tools.ietf.org/html/rfc2104


Also, I'm wondering whether to add an Argon2 or PBKDF2 implementation to 
the engine to help with this.


  Peter

--
Dr Peter Brett 
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

NVM I'm a moron. It's there but I overlooked it. 

Bob S


> On Feb 28, 2017, at 12:27 , Richard Gaskin via use-livecode 
>  wrote:
> 
> I had written "shaONEdigest" only to draw attention to the "1" ("ONE"), just 
> in case you'd tried "l" ("L") instead.
> 
> It's in there.  Has been for years.  Not sure why you're not seeing it.
> 
> -- 
> Richard Gaskin


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Richard Gaskin via use-livecode]

Bob Sneidar wrote:

>> On Feb 28, 2017, at 09:33 , Richard Gaskin wrote:
>> Bob Sneidar wrote:
>>
>> > I cannot find a function called sha1digest in the LC library.
>>
>> It's sha-ONE-digest, and it's been around for a while so it should
>> be there.
>>
>
> I search for SHA in the dictionary, nada. I type sha1digest in to a
> script, right click it, nada. I type shaONEdigest in a script, right
> click it, nada.

I had written "shaONEdigest" only to draw attention to the "1" ("ONE"), 
just in case you'd tried "l" ("L") instead.


It's in there.  Has been for years.  Not sure why you're not seeing it.

--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Phil Davis via use-livecode]

One thing I discovered just now: the items listed in the API tab of the 
Dictionary are not necessarily in alphabetic order by default. I 
discovered it by typing 'sh' into the Filter box and looking at the 
list, top to bottom. Things weren't where I expected them to be! After I 
clicked the 'Name' column header, however, the list was alphabetic by Name.


AND I found sha1Digest in there.

Phil


On 2/28/17 12:00 PM, Mark Wieder via use-livecode wrote:

On 02/28/2017 11:05 AM, Bob Sneidar via use-livecode wrote:

I search for SHA in the dictionary, nada.


It's in the dictionary.
Maybe you have a filter enabled that's masking it?



--
Phil Davis


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Phil Davis via use-livecode]

However, this works:

put sha1Digest("dfgdfgdghgdhfgh")

So we know it's there.

FWIW -
Phil Davis


On 2/28/17 11:05 AM, Bob Sneidar via use-livecode wrote:

I search for SHA in the dictionary, nada. I type sha1digest in to a script, 
right click it, nada. I type shaONEdigest in a script, right click it, nada.

Bob S



On Feb 28, 2017, at 09:33 , Richard Gaskin via use-livecode 
 wrote:

Bob Sneidar wrote:


I cannot find a function called sha1digest in the LC library.

It's sha-ONE-digest, and it's been around for a while so it should be there.

--
Richard Gaskin


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode



--
Phil Davis


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Mark Wieder via use-livecode]

On 02/28/2017 11:05 AM, Bob Sneidar via use-livecode wrote:

I search for SHA in the dictionary, nada.


It's in the dictionary.
Maybe you have a filter enabled that's masking it?

--
 Mark Wieder
 ahsoftw...@gmail.com



___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

I search for SHA in the dictionary, nada. I type sha1digest in to a script, 
right click it, nada. I type shaONEdigest in a script, right click it, nada. 

Bob S


> On Feb 28, 2017, at 09:33 , Richard Gaskin via use-livecode 
>  wrote:
> 
> Bob Sneidar wrote:
> 
> > I cannot find a function called sha1digest in the LC library.
> 
> It's sha-ONE-digest, and it's been around for a while so it should be there.
> 
> -- 
> Richard Gaskin


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Richard Gaskin via use-livecode]

Bob Sneidar wrote:

> I cannot find a function called sha1digest in the LC library.

It's sha-ONE-digest, and it's been around for a while so it should be there.

--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

err... This does not work. I cannot find a function called sha1digest in the LC 
library. 

Bob S


> On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode 
>  wrote:
> 
> Or, in LiveCode:
> 
>function HmacSha1(pKey, pData)
>return sha1digest(pKey & sha1digest(pKey & pData))
>end HmacSha1
> 
> If you are doing this, then the current attack on SHA-1 does not affect the 
> security of your system at all [1].
> 


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

Thanks for that Peter! I've been thinking about a way to encrypt data for 
storage in database systems for things like passwords and server credentials. 
Now to figure out how to decrypt it...

Bob S


> On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode 
>  wrote:
> 
>function HmacSha1(pKey, pData)
>return sha1digest(pKey & sha1digest(pKey & pData))
>end HmacSha1


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Peter TB Brett via use-livecode]

On 24/02/2017 18:47, axwald via use-livecode wrote:

few days ago I read about PHP incorporating a modern crypto lib now:

https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library


Not a specialist regarding this, but wouldn't it be possible to interface
such?

https://github.com/jedisct1/libsodium


@Lagi: The first customer already called to ask if I'd use "this security
risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
plausibly :)
Even if I agree with you about the real risk, it would be very bad idea not
to update any commercial software now. It might even have juristic
consequences, knowingly using broken crypto?


If you're using SHA-1 to implement an HMAC, you should already be using 
the recommended formulation:


hmac := hash(key | hash(key | message))

Or, in LiveCode:

function HmacSha1(pKey, pData)
return sha1digest(pKey & sha1digest(pKey & pData))
end HmacSha1

If you are doing this, then the current attack on SHA-1 does not affect 
the security of your system at all [1].


Peter

[1] I am not a cryptographer but this is my understanding of the situation.

--
Dr Peter Brett 
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Dan Brown via use-livecode]

For those interested there is a SHA-1 collider here to have a play with
https://alf.nu/SHA1

On 25 Feb 2017 3:18 p.m., "Dr. Hawkins via use-livecode" <
use-livecode@lists.runrev.com> wrote:

> On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode <
> use-livecode@lists.runrev.com> wrote:
>
> > While Google may include a backdoor (something I consider unlikely but I
> > realise that's no less conjecture than '100% certainty'), the Natural
> News
> > issue isn't what the site owners paint it to be. This
> > https://www.google.co.uk/amp/s/www.seroundtable.com/amp/
> > google-natural-news-deindex-23463.html is a good place to start for
> > reference.
> >
>
> Just reading a couple of paragraphs of that site was enough to tell me that
> the connection with reality was, well, tenable.   Black helicopters, the
> trilateral commission, VWRC, and Yeti conversations would have fit in . . .
>
>
> --
> Dr. Richard E. Hawkins, Esq.
> (702) 508-8462
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Dr. Hawkins via use-livecode]

On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode <
use-livecode@lists.runrev.com> wrote:

> While Google may include a backdoor (something I consider unlikely but I
> realise that's no less conjecture than '100% certainty'), the Natural News
> issue isn't what the site owners paint it to be. This
> https://www.google.co.uk/amp/s/www.seroundtable.com/amp/
> google-natural-news-deindex-23463.html is a good place to start for
> reference.
>

Just reading a couple of paragraphs of that site was enough to tell me that
the connection with reality was, well, tenable.   Black helicopters, the
trilateral commission, VWRC, and Yeti conversations would have fit in . . .


-- 
Dr. Richard E. Hawkins, Esq.
(702) 508-8462
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Keith Martin via use-livecode]

An aside response...

> Read between the lines Google doesn't use it so obviously people will start
> using Google's which will with 100% certainty will  have a backdoor in it
> looking as to how they removed 140,000 indexed pages of www.naturalnews.com
> after the owner didn't give in to blackmail - "Don't be evil" my arse.

While Google may include a backdoor (something I consider unlikely but I 
realise that's no less conjecture than '100% certainty'), the Natural News 
issue isn't what the site owners paint it to be. This 
https://www.google.co.uk/amp/s/www.seroundtable.com/amp/google-natural-news-deindex-23463.html
 is a good place to start for reference.

k
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[axwald via use-livecode]

Hi,

few days ago I read about PHP incorporating a modern crypto lib now:
> https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library

Not a specialist regarding this, but wouldn't it be possible to interface
such?
> https://github.com/jedisct1/libsodium

@Lagi: The first customer already called to ask if I'd use "this security
risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
plausibly :)
Even if I agree with you about the real risk, it would be very bad idea not
to update any commercial software now. It might even have juristic
consequences, knowingly using broken crypto?

Anyway. Have fun!



-
• Livecode programming until the cat hits the fan •
--
View this message in context: 
http://runtime-revolution.278305.n4.nabble.com/SHA1-cracked-What-are-the-chances-this-will-be-addressed-in-LC-tp4712554p4712617.html
Sent from the Revolution - User mailing list archive at Nabble.com.

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Bob Sneidar via use-livecode]

I dl'd and also sent him some money. 

Bob S


> On Feb 24, 2017, at 09:56 , Richard Gaskin via use-livecode 
>  wrote:
> 
> Peter covered why it should be done in C, but if you really need sha256 today 
> Mark Smith's libSHA includes a scripted version:
> 
> http://marksmith.on-rev.com/revstuff/
> 
> -- 
> Richard Gaskin


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Richard Gaskin via use-livecode]

Lagi Pittas wrote:

> Why does it need to be a part of the language and not a widget
> or a library stack which we can all fiddle with for our projects,
> which would make it more difficult for the bad boys to decrypt?

Peter covered why it should be done in C, but if you really need sha256 
today Mark Smith's libSHA includes a scripted version:


http://marksmith.on-rev.com/revstuff/

--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for Desktop, Mobile, and Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Peter TB Brett via use-livecode]

On 24/02/2017 17:18, Lagi Pittas via use-livecode wrote:

Why does it need to be a part of the language and not a widget or a library
stack which we can all fiddle with for our projects , which would make it
more difficult for the bad boys to decrypt?


Cryptographic hash implementations have a lot of fairly strict 
requirements that make them extremely difficult to implement in a 
language like LiveCode.  For example, they have to run in _exactly_ the 
same amount of time for the same number of bytes of input, no matter 
what those bytes are.


It would be good to have an external that provides a nice variety of 
cryptographic hashes, though.


Peter

--
Dr Peter Brett 
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Lagi Pittas via use-livecode]

Why does it need to be a part of the language and not a widget or a library
stack which we can all fiddle with for our projects , which would make it
more difficult for the bad boys to decrypt?


Lagi

On 24 February 2017 at 17:15, Tom Glod via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Its good to hear its being looked at by the core team. I trust the most
> obvious correct decision will be made eventually.
>
> On Fri, Feb 24, 2017 at 11:28 AM, Richard Gaskin via use-livecode <
> use-livecode@lists.runrev.com> wrote:
>
> > As much as I enjoy chatting with other users, a while back I had hoped to
> > make this more actionable by submitting an enhancement request for
> sha256:
> >
> > http://quality.livecode.com/show_bug.cgi?id=14223
> >
> > The challenge with satisfying that request is two fold:
> >
> > - sha2 is not a single algo, but a family of algos, and requires new
> > syntax forms that have to be thought out in addition to the more complex
> > engineering work to support that new set of language design patterns.
> >
> > - This chart shows that sha2 already has minor weaknesses, which will
> > likely become more significant over time, suggesting we might already
> start
> > looking at extending the afore-mentioned framework even further to
> include
> > sha3 (and I suppose even be prepared for the inevitable sha4).
> > http://valerieaurora.org/hash.html
> >
> > All that said, in light of the visibility of the issue after the recent
> > Google research, I discussed this with a member of the core dev team
> > yesterday, who will be evaluating the merit of this more comprehensive
> > framework vs perhaps a simpler implementation of merely the most
> > commonly-use sha2 flavor for now.
> >
> > After that analysis is done I trust we'll get an update on that soon.
> >
> > For now, just rest assured that they read the same security bulletins we
> > do (Peter tends to read more than me, so I always pick up a trick or two
> > talking with him about security), and are actively exploring options for
> us.
> >
> > --
> >  Richard Gaskin
> >  Fourth World Systems
> >  Software Design and Development for Desktop, Mobile, and Web
> >  
> >  ambassa...@fourthworld.comhttp://www.FourthWorld.com
> >
> >
> > ___
> > use-livecode mailing list
> > use-livecode@lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
>
>
>
> --
> *Tom Glod*
>
> CEO @ *MakeShyft R.D.A* - www.makeshyft.com
>
>
>
> Developer of *U.M.P* - www.IamUMP.com
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Tom Glod via use-livecode]

Its good to hear its being looked at by the core team. I trust the most
obvious correct decision will be made eventually.

On Fri, Feb 24, 2017 at 11:28 AM, Richard Gaskin via use-livecode <
use-livecode@lists.runrev.com> wrote:

> As much as I enjoy chatting with other users, a while back I had hoped to
> make this more actionable by submitting an enhancement request for sha256:
>
> http://quality.livecode.com/show_bug.cgi?id=14223
>
> The challenge with satisfying that request is two fold:
>
> - sha2 is not a single algo, but a family of algos, and requires new
> syntax forms that have to be thought out in addition to the more complex
> engineering work to support that new set of language design patterns.
>
> - This chart shows that sha2 already has minor weaknesses, which will
> likely become more significant over time, suggesting we might already start
> looking at extending the afore-mentioned framework even further to include
> sha3 (and I suppose even be prepared for the inevitable sha4).
> http://valerieaurora.org/hash.html
>
> All that said, in light of the visibility of the issue after the recent
> Google research, I discussed this with a member of the core dev team
> yesterday, who will be evaluating the merit of this more comprehensive
> framework vs perhaps a simpler implementation of merely the most
> commonly-use sha2 flavor for now.
>
> After that analysis is done I trust we'll get an update on that soon.
>
> For now, just rest assured that they read the same security bulletins we
> do (Peter tends to read more than me, so I always pick up a trick or two
> talking with him about security), and are actively exploring options for us.
>
> --
>  Richard Gaskin
>  Fourth World Systems
>  Software Design and Development for Desktop, Mobile, and Web
>  
>  ambassa...@fourthworld.comhttp://www.FourthWorld.com
>
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
*Tom Glod*

CEO @ *MakeShyft R.D.A* - www.makeshyft.com



Developer of *U.M.P* - www.IamUMP.com
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Richard Gaskin via use-livecode]

As much as I enjoy chatting with other users, a while back I had hoped 
to make this more actionable by submitting an enhancement request for 
sha256:


http://quality.livecode.com/show_bug.cgi?id=14223

The challenge with satisfying that request is two fold:

- sha2 is not a single algo, but a family of algos, and requires new 
syntax forms that have to be thought out in addition to the more complex 
engineering work to support that new set of language design patterns.


- This chart shows that sha2 already has minor weaknesses, which will 
likely become more significant over time, suggesting we might already 
start looking at extending the afore-mentioned framework even further to 
include sha3 (and I suppose even be prepared for the inevitable sha4).

http://valerieaurora.org/hash.html

All that said, in light of the visibility of the issue after the recent 
Google research, I discussed this with a member of the core dev team 
yesterday, who will be evaluating the merit of this more comprehensive 
framework vs perhaps a simpler implementation of merely the most 
commonly-use sha2 flavor for now.


After that analysis is done I trust we'll get an update on that soon.

For now, just rest assured that they read the same security bulletins we 
do (Peter tends to read more than me, so I always pick up a trick or two 
talking with him about security), and are actively exploring options for us.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for Desktop, Mobile, and Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Lagi Pittas via use-livecode]

Hi

I didn't say they shouldn't do it I said I won't lose any sleep over it.
I don't think it needs to be built in either - just a library will do and
everybody can tweak it a little bit so that NOBODY knows which one it is -
that'll piss TPTB off.

Lagi

On 24 February 2017 at 13:58, Dan Brown via use-livecode <
use-livecode@lists.runrev.com> wrote:

> It may cost $110,000 today but the computational cost of executing this
> exploit will decrease year on year until it is trivial to perform. I would
> think it much better to address this issue immediately so that applications
> being made now are future proofed.
>
> There is also the PR element to consider - Does Livecode really want to be
> advertising a demonstrably insecure hash algorithm as a feature...
>
> On Fri, Feb 24, 2017 at 10:44 AM, Lagi Pittas via use-livecode <
> use-livecode@lists.runrev.com> wrote:
>
> > I think everybody is overplaying this.
> >
> > It will only matter if the amount of money or other  advantages is worth
> at
> > least $110,000.
> >
> >
> > The algorithm executed in Amazons cloud at the cheapest rate would cost
> > that much in processing to get 1 key.
> >
> > The only people that will waste YOUR money to do this are governments and
> > they have the equipment.
> > If you really have something they want so much they will come through
> your
> > door.
> >
> > Depending on what you are doing why not do 2 SHA1 or even an blowfish
> > encrypt first.
> >
> > Better yet - you could write your own in a few  hours based on other code
> >  -  it doesnt have to be particular clever since they don't know the
> > algorithm how will they break it unless it's just a simple transposition?
> >
> > Read between the lines Google doesn't use it so obviously people will
> start
> > using Google's which will with 100% certainty will  have a backdoor in it
> > looking as to how they removed 140,000 indexed pages of
> > www.naturalnews.com
> > after the owner didn't give in to blackmail - "Don't be evil" my arse.
> >
> > http://www.newstarget.com/2017-02-23-breaking-mike-
> > adams-and-alex-jones-taken-down-by-google-cia-prior-to-
> > big-event-trump-needs-to-beware.html
> >
> >  A bit of history of backdoors and homegrown encryption algorithm
> > http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge.
> > php#axzz4Zb6ctE4v
> >
> > I'm certainly not going to lose sleep over this.
> >
> >
> > Lagi
> >
> > On 24 February 2017 at 01:25, Tom Glod via use-livecode <
> > use-livecode@lists.runrev.com> wrote:
> >
> > > Hi everyone,
> > >
> > > Read this article today. I use SHA1 in my software, so
> > >
> > > https://www.recode.net/2017/2/23/14715570/google-
> > > researchers-crack-internet-security-tool-sha1-encryption
> > >
> > > What do you all think? Should I bother reporting this? or is it fair to
> > say
> > > they know about it?  What are the chances that there will be extra
> effort
> > > placed on adding another sha digest function? sha256?
> > >
> > > THanks
> > >
> > > Tom
> > > ___
> > > use-livecode mailing list
> > > use-livecode@lists.runrev.com
> > > Please visit this url to subscribe, unsubscribe and manage your
> > > subscription preferences:
> > > http://lists.runrev.com/mailman/listinfo/use-livecode
> > >
> > ___
> > use-livecode mailing list
> > use-livecode@lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Dan Brown via use-livecode]

It may cost $110,000 today but the computational cost of executing this
exploit will decrease year on year until it is trivial to perform. I would
think it much better to address this issue immediately so that applications
being made now are future proofed.

There is also the PR element to consider - Does Livecode really want to be
advertising a demonstrably insecure hash algorithm as a feature...

On Fri, Feb 24, 2017 at 10:44 AM, Lagi Pittas via use-livecode <
use-livecode@lists.runrev.com> wrote:

> I think everybody is overplaying this.
>
> It will only matter if the amount of money or other  advantages is worth at
> least $110,000.
>
>
> The algorithm executed in Amazons cloud at the cheapest rate would cost
> that much in processing to get 1 key.
>
> The only people that will waste YOUR money to do this are governments and
> they have the equipment.
> If you really have something they want so much they will come through your
> door.
>
> Depending on what you are doing why not do 2 SHA1 or even an blowfish
> encrypt first.
>
> Better yet - you could write your own in a few  hours based on other code
>  -  it doesnt have to be particular clever since they don't know the
> algorithm how will they break it unless it's just a simple transposition?
>
> Read between the lines Google doesn't use it so obviously people will start
> using Google's which will with 100% certainty will  have a backdoor in it
> looking as to how they removed 140,000 indexed pages of
> www.naturalnews.com
> after the owner didn't give in to blackmail - "Don't be evil" my arse.
>
> http://www.newstarget.com/2017-02-23-breaking-mike-
> adams-and-alex-jones-taken-down-by-google-cia-prior-to-
> big-event-trump-needs-to-beware.html
>
>  A bit of history of backdoors and homegrown encryption algorithm
> http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge.
> php#axzz4Zb6ctE4v
>
> I'm certainly not going to lose sleep over this.
>
>
> Lagi
>
> On 24 February 2017 at 01:25, Tom Glod via use-livecode <
> use-livecode@lists.runrev.com> wrote:
>
> > Hi everyone,
> >
> > Read this article today. I use SHA1 in my software, so
> >
> > https://www.recode.net/2017/2/23/14715570/google-
> > researchers-crack-internet-security-tool-sha1-encryption
> >
> > What do you all think? Should I bother reporting this? or is it fair to
> say
> > they know about it?  What are the chances that there will be extra effort
> > placed on adding another sha digest function? sha256?
> >
> > THanks
> >
> > Tom
> > ___
> > use-livecode mailing list
> > use-livecode@lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Tom Glod via use-livecode]

thanks for sharing your thoughts on this Lagi, you make some good points.

On Fri, Feb 24, 2017 at 5:44 AM, Lagi Pittas via use-livecode <
use-livecode@lists.runrev.com> wrote:

> I think everybody is overplaying this.
>
> It will only matter if the amount of money or other  advantages is worth at
> least $110,000.
>
>
> The algorithm executed in Amazons cloud at the cheapest rate would cost
> that much in processing to get 1 key.
>
> The only people that will waste YOUR money to do this are governments and
> they have the equipment.
> If you really have something they want so much they will come through your
> door.
>
> Depending on what you are doing why not do 2 SHA1 or even an blowfish
> encrypt first.
>
> Better yet - you could write your own in a few  hours based on other code
>  -  it doesnt have to be particular clever since they don't know the
> algorithm how will they break it unless it's just a simple transposition?
>
> Read between the lines Google doesn't use it so obviously people will start
> using Google's which will with 100% certainty will  have a backdoor in it
> looking as to how they removed 140,000 indexed pages of
> www.naturalnews.com
> after the owner didn't give in to blackmail - "Don't be evil" my arse.
>
> http://www.newstarget.com/2017-02-23-breaking-mike-
> adams-and-alex-jones-taken-down-by-google-cia-prior-to-
> big-event-trump-needs-to-beware.html
>
>  A bit of history of backdoors and homegrown encryption algorithm
> http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge.
> php#axzz4Zb6ctE4v
>
> I'm certainly not going to lose sleep over this.
>
>
> Lagi
>
> On 24 February 2017 at 01:25, Tom Glod via use-livecode <
> use-livecode@lists.runrev.com> wrote:
>
> > Hi everyone,
> >
> > Read this article today. I use SHA1 in my software, so
> >
> > https://www.recode.net/2017/2/23/14715570/google-
> > researchers-crack-internet-security-tool-sha1-encryption
> >
> > What do you all think? Should I bother reporting this? or is it fair to
> say
> > they know about it?  What are the chances that there will be extra effort
> > placed on adding another sha digest function? sha256?
> >
> > THanks
> >
> > Tom
> > ___
> > use-livecode mailing list
> > use-livecode@lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
*Tom Glod*

CEO @ *MakeShyft R.D.A* - www.makeshyft.com



Developer of *U.M.P* - www.IamUMP.com
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: SHA1 cracked .... What are the chances this will be addressed in LC?

[Lagi Pittas via use-livecode]

I think everybody is overplaying this.

It will only matter if the amount of money or other  advantages is worth at
least $110,000.


The algorithm executed in Amazons cloud at the cheapest rate would cost
that much in processing to get 1 key.

The only people that will waste YOUR money to do this are governments and
they have the equipment.
If you really have something they want so much they will come through your
door.

Depending on what you are doing why not do 2 SHA1 or even an blowfish
encrypt first.

Better yet - you could write your own in a few  hours based on other code
 -  it doesnt have to be particular clever since they don't know the
algorithm how will they break it unless it's just a simple transposition?

Read between the lines Google doesn't use it so obviously people will start
using Google's which will with 100% certainty will  have a backdoor in it
looking as to how they removed 140,000 indexed pages of www.naturalnews.com
after the owner didn't give in to blackmail - "Don't be evil" my arse.

http://www.newstarget.com/2017-02-23-breaking-mike-adams-and-alex-jones-taken-down-by-google-cia-prior-to-big-event-trump-needs-to-beware.html

 A bit of history of backdoors and homegrown encryption algorithm
http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge.php#axzz4Zb6ctE4v

I'm certainly not going to lose sleep over this.


Lagi

On 24 February 2017 at 01:25, Tom Glod via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Hi everyone,
>
> Read this article today. I use SHA1 in my software, so
>
> https://www.recode.net/2017/2/23/14715570/google-
> researchers-crack-internet-security-tool-sha1-encryption
>
> What do you all think? Should I bother reporting this? or is it fair to say
> they know about it?  What are the chances that there will be extra effort
> placed on adding another sha digest function? sha256?
>
> THanks
>
> Tom
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode