Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Thanks Peter. I see some things in there that help me understand better what the salting does. I will probably incorporate this in my app fairly soon. I store passwords for various things, and want to make sure they are as secure as possible. Once I get it working I think I will put up a sample stack using these algo's. Bob S > On Mar 7, 2017, at 08:04 , Peter TB Brett via use-livecode > wrote: > > On 07/03/2017 15:28, Bob Sneidar via use-livecode wrote: >> Thanks Peter. But then how will I know programmatically if the password is >> correct or not? > > Hi Bob, > > Here's a worked example of what I'm talking about. > > Peter ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 07/03/2017 15:28, Bob Sneidar via use-livecode wrote: Thanks Peter. But then how will I know programmatically if the password is correct or not? Hi Bob, Here's a worked example of what I'm talking about. Peter - /* Compute a hash-based message authentication code using the SHA-1 hash. This is broken; it should correctly follow RFC 2104. */ private function hmacSha1 pKey, pMessage return sha1digest(pKey & sha1digest(pKey & pMessage)) end hmacSha1 /* Generate a 160-bit salt value suitable for use when storing a password */ private function generateSalt return randomBytes(20) end generateSalt /* Convert the specified cleartext password string to an secure string suitable for storage using the specified salt, which should be a base 64-encoded string. */ private function securePassword pPasswordString, pSaltData local tPasswordData put textEncode(pPasswordString, "UTF-8") into tPasswordData return base64Encode(pSaltData) & comma & \ base64Encode(hmacSha1(pSaltData, tPasswordData)) end securePassword /* Get the salt part of a secured password string */ private function getSecurePasswordSalt pSecurePassword return base64Decode(item 1 of pSecurePassword) end getSecurePasswordSalt /* Store a new password. Use this when a user creates a new account or changes their password for any reason */ function storePassword pPasswordString return securePassword(pPasswordString, generateSalt()) end storePassword /* Verify a password. Use this when a user tries to log in. Returns true if the password is correct and false otherwise. */ function verifyPassword pPasswordString, pSecurePassword local tSaltData, tTrialString put getSecurePasswordSalt(pSecurePassword) into tSaltData put securePassword(pPasswordString, tSaltData) into tTrialString return tTrialString is pSecurePassword end verifyPassword - private command _testAssert pDesc, pCondition if pCondition then put "ok -" && pDesc & return after msg else put "not ok -" && pDesc & return after msg end if end _testAssert command _testPasswordDemo local tSecured put storePassword("correct horse battery staple") into tSecured put "# Stored:" && tSecured & return into msg _testAssert "bad password", \ not verifyPassword("hunter2", tSecured) _testAssert "good password", \ verifyPassword("correct horse battery staple", tSecured) end _testPasswordDemo ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
NVM I think I see. I hash the user's password entry and compare the value to what is stored. But if the stored hash is an asymmetric one and cannot be decrypted, what is all the fuss about? Rainbow tables are all that is left, and you cannot create rainbow tables for every possible methodology. I'm wondering if this is much ado about nothing? No matter how a password is stored, it can always theoretically be compromised once someone gains access to the storage system. I get that having a different seed for each password makes it more difficult to be able to decrypt a captured hash in transit, but passwords MUST be stored somewhere, and if so, then encrypted, and if so, then never completely safely. Bob S > On Mar 7, 2017, at 07:28 , Bob Sneidar via use-livecode > wrote: > >> Hi Bob, >> >> The "encrypt" command provides symmetric cryptographic functions, i.e. >> you can decrypt the result again to get the cleartext back. This is _not_ a >> desirable property for a password storage system; you should always use >> one-way (asymmetric) functions, such as a cryptographic hash. >> >> Peter >> >> -- >> Dr Peter Brett ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
You encrypt the trial password and compare the encrypted values. Bill William Prothero http://ed.earthednet.org > On Mar 7, 2017, at 3:28 PM, Bob Sneidar via use-livecode > wrote: > > Thanks Peter. But then how will I know programmatically if the password is > correct or not? > > Bob S > > >> On Mar 6, 2017, at 02:53 , Peter TB Brett via use-livecode >> wrote: >> >> >> >>> On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote: >>> It looks like the encrypt command is already using this method if >>> the "with salt" arguement is provided? At least the encrypted result >>> starts with "salted" and at least part of the salt value. >>> >> >> Hi Bob, >> >> The "encrypt" command provides symmetric cryptographic functions, i.e. >> you can decrypt the result again to get the cleartext back. This is _not_ a >> desirable property for a password storage system; you should always use >> one-way (asymmetric) functions, such as a cryptographic hash. >> >> Peter >> >> -- >> Dr Peter Brett > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Thanks Peter. But then how will I know programmatically if the password is correct or not? Bob S > On Mar 6, 2017, at 02:53 , Peter TB Brett via use-livecode > wrote: > > > > On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote: >> It looks like the encrypt command is already using this method if >> the "with salt" arguement is provided? At least the encrypted result >> starts with "salted" and at least part of the salt value. >> > > Hi Bob, > > The "encrypt" command provides symmetric cryptographic functions, i.e. > you can decrypt the result again to get the cleartext back. This is _not_ a > desirable property for a password storage system; you should always use > one-way (asymmetric) functions, such as a cryptographic hash. > > Peter > > -- > Dr Peter Brett ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote: It looks like the encrypt command is already using this method if the "with salt" arguement is provided? At least the encrypted result starts with "salted" and at least part of the salt value. Hi Bob, The "encrypt" command provides symmetric cryptographic functions, i.e. you can decrypt the result again to get the cleartext back. This is _not_ a desirable property for a password storage system; you should always use one-way (asymmetric) functions, such as a cryptographic hash. Peter -- Dr Peter Brett lcb-mode for Emacs: https://github.com/peter-b/lcb-mode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
this discussion has been very useful on many fronts. I'm going to have fewer nightmares about security. On Fri, Mar 3, 2017 at 1:00 PM, Bob Sneidar via use-livecode < use-livecode@lists.runrev.com> wrote: > It looks like the encrypt command is already using this method if the > "with salt" arguement is provided? At least the encrypted result starts > with "salted" and at least part of the salt value. > > Bob S > > > > On Mar 1, 2017, at 07:37 , Bob Sneidar via use-livecode < > use-livecode@lists.runrev.com> wrote: > > > > Hi Peter. Very informative thank you. In the example, > > > > [protected form] = [salt] + protect([protection func], [salt] + > [credential]); > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > -- *Tom Glod* CEO @ *MakeShyft R.D.A* - www.makeshyft.com Developer of *U.M.P* - www.IamUMP.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
It looks like the encrypt command is already using this method if the "with salt" arguement is provided? At least the encrypted result starts with "salted" and at least part of the salt value. Bob S > On Mar 1, 2017, at 07:37 , Bob Sneidar via use-livecode > wrote: > > Hi Peter. Very informative thank you. In the example, > > [protected form] = [salt] + protect([protection func], [salt] + [credential]); ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 02/03/2017 19:28, Alejandro Tejada via use-livecode wrote: How difficult would be to guess a sha1 digest, if we repeat it many, many times? Just as Peter Brett wrote in a previous message: put sha1Digest(sha1Digest(sha1Digest(tData))) -- 3 times! Don't do this. It will make it _easier_ to generate collisions, because each successive iteration loses some information from the input -- i.e. the scheme you suggest _reduces_ security. When performing repeated hashing, you need to feed the original data in again at each stage. See this Stack Overflow answer for a very detailed explanation: https://stackoverflow.com/a/17396367/266449 The summary is that you need the following formulation to ensure security for repeated hashing: put sha1Digest(tData & sha1Digest(tData & sha1Digest(tData))) -- etcetera. Peter -- Dr Peter Brett LiveCode Technical Project Manager lcb-mode for Emacs: https://github.com/peter-b/lcb-mode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
SHA1 cracked .... What are the chances this will be addressed in LC?
How difficult would be to guess a sha1 digest, if we repeat it many, many times? Just as Peter Brett wrote in a previous message: put sha1Digest(sha1Digest(sha1Digest(tData))) -- 3 times! Al ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Excellent points Axwald especially the last paragraph. Happy Happy Happy Fun Fun Fun!! ;-) On 2 March 2017 at 10:20, axwald via use-livecode < use-livecode@lists.runrev.com> wrote: > Hi, > > > Dr Peter Brett wrote > > On 24/02/2017 18:47, axwald via use-livecode wrote: > > [...] > >> Not a specialist regarding this, but wouldn't it be possible to > interface > >> such? > >>> https://github.com/jedisct1/libsodium > >> > >> @Lagi: The first customer already called to ask if I'd use "this > security > >> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny > >> [...] > > > > If you're using SHA-1 to implement an HMAC, you should already be using > > the recommended formulation: > > > > hmac := hash(key | hash(key | message)) [...] > > What I meant mentioning the "LibHash-Hmac" lib is that it contains a > "sha256digest" function already that is, to my understanding at least, a > SHA2 implementation. And that it's not only about the real danger of having > one's hash cracked, it's more about the publicity this crack received, and > the nosy questions that are coming in now from customers that read about it > in the news. And, for sure, will never understand any detailed explanation. > > The other thing, about libsodium, was the idea not to roll our own crypto > code, but instead to interface a commonly used, audited, verified & > accepted > open source crypto library. And just provide the wrapper as a plugin. > No idea if such would be possible - this is beyond my knowledge. But for > real security sensitive coding there's no way but to use audited code > anyways. It would be a great benefit to have such available in LiveCode, > IMHO. > > Another benefit would be that such a wrapper plugin could be made available > not only for the most bleeding edge versions of LC - so that commercial > coders that are forced to use more settled versions for speed, productivity > & reliability are not left out in the dark & cold, again. > > Have fun! > > > > - > • Livecode programming until the cat hits the fan • > -- > View this message in context: http://runtime-revolution. > 278305.n4.nabble.com/SHA1-cracked-What-are-the-chances- > this-will-be-addressed-in-LC-tp4712554p4712777.html > Sent from the Revolution - User mailing list archive at Nabble.com. > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Hi, Dr Peter Brett wrote > On 24/02/2017 18:47, axwald via use-livecode wrote: > [...] >> Not a specialist regarding this, but wouldn't it be possible to interface >> such? >>> https://github.com/jedisct1/libsodium >> >> @Lagi: The first customer already called to ask if I'd use "this security >> risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny >> [...] > > If you're using SHA-1 to implement an HMAC, you should already be using > the recommended formulation: > > hmac := hash(key | hash(key | message)) [...] What I meant mentioning the "LibHash-Hmac" lib is that it contains a "sha256digest" function already that is, to my understanding at least, a SHA2 implementation. And that it's not only about the real danger of having one's hash cracked, it's more about the publicity this crack received, and the nosy questions that are coming in now from customers that read about it in the news. And, for sure, will never understand any detailed explanation. The other thing, about libsodium, was the idea not to roll our own crypto code, but instead to interface a commonly used, audited, verified & accepted open source crypto library. And just provide the wrapper as a plugin. No idea if such would be possible - this is beyond my knowledge. But for real security sensitive coding there's no way but to use audited code anyways. It would be a great benefit to have such available in LiveCode, IMHO. Another benefit would be that such a wrapper plugin could be made available not only for the most bleeding edge versions of LC - so that commercial coders that are forced to use more settled versions for speed, productivity & reliability are not left out in the dark & cold, again. Have fun! ----- • Livecode programming until the cat hits the fan • -- View this message in context: http://runtime-revolution.278305.n4.nabble.com/SHA1-cracked-What-are-the-chances-this-will-be-addressed-in-LC-tp4712554p4712777.html Sent from the Revolution - User mailing list archive at Nabble.com. ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
SHA1 cracked .... What are the chances this will be addressed in LC?
Peter Brett wrote: > Hold your horses, Richard, I'm still waiting for the official > Mark Waddingham stamp of approval for making changes > to the LiveCode language! > There's a still a chance that it'll change a bit before it > actually makes its way into a release. This is real good news! :D Any chance that we get BZip2, Deflate and ZLib compression too? http://quality.livecode.com/show_bug.cgi?id=10594 Al ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 01/03/2017 18:22, Richard Gaskin via use-livecode wrote: The answer turns out to be: "Quite good - pull request submitted, status changed to 'Awaiting Build'" - i.e. "done!" http://quality.livecode.com/show_bug.cgi?id=14223 Many thanks to Peter Brett for addressing this, and implementing it in such a nice way. Hold your horses, Richard, I'm still waiting for the official Mark Waddingham stamp of approval for making changes to the LiveCode language! There's a still a chance that it'll change a bit before it actually makes its way into a release. Peter ;-) -- Dr Peter Brett LiveCode Technical Project Manager lcb-mode for Emacs: https://github.com/peter-b/lcb-mode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
This thread title asks: "What are the chances this will be addressed in LC?" The answer turns out to be: "Quite good - pull request submitted, status changed to 'Awaiting Build'" - i.e. "done!" http://quality.livecode.com/show_bug.cgi?id=14223 Many thanks to Peter Brett for addressing this, and implementing it in such a nice way. From the pull request linked to in the bug report it seems we now have a new messageDigest function: get messageDigest( , ) (Note: there's discussion in the pull request about the param order, and I'm inferring here; the actual implementation may be the other way around, with type first and then message - Peter, Monte, where did that land?) ...where (if I read the notes correctly; Peter please correct me if I'm wrong) can be any of the following: md5 sha1 sha2 sha3 Awesome! With those we should be set for several years. This will mean that from v9.0 dp6 forward you'll probably want to avoid using the older md5Digest and sha1Digest functions in favor of this new syntax. If you need the older hash algos the new function apparently supports them, but of course if you need a cryptographic-quality hash use sha2 or sha3. -- Richard Gaskin Fourth World Systems Software Design and Development for the Desktop, Mobile, and the Web ambassa...@fourthworld.comhttp://www.FourthWorld.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 01/03/2017 15:37, Bob Sneidar via use-livecode wrote: Hi Peter. Very informative thank you. In the example, [protected form] = [salt] + protect([protection func], [salt] + [credential]); It looks like they are saying to prepent the salt prior to the protect function (in the case of LC that would be encrypt) but if someone got access to the SQL database, wouldn't that give part of the secret away? Isn't the salt value a way to further obscure the credential, making something like a hash table more difficult? I use a salt value that only I know, and I password protect the stack that uses it. Seems to me that prepending the salt to the protected form is like giving someone my user name but not my password. The other team is starting on the 50 yard line (in American sports vernacular). The idea of a password storage scheme is to make it extremely costly for an attacker to recover the original passwords, even given _total_ information about the scheme. When evaluating a scheme, you should always assume that if someone has got access to your password database, they have also got access to anything else on that server or any server connected to it -- potentially including your secret salt. By appending the salt to the front of the protected form, you can use a different salt for every single password in your database. Even if someone knows a password already (e.g. because they have an account on your server), they gain no information about any of the other passwords in the database. Password storage schemes like Argon2 go one step further and put all of the parameters for the protected form into the protected string. This allows the parameters to be modified for newly-stored passwords while still being able to verify old passwords. They are also tuned to ensure that it takes a long time to compute the protected form (usually around 0.1 to 0.5 ms). That's long enough that knowing _all_ the parameters still makes it infeasible to figure out what the original password was. In summary: salt values shouldn't need to be secret. Peter -- Dr Peter Brett LiveCode Technical Project Manager lcb-mode for Emacs: https://github.com/peter-b/lcb-mode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Hi Peter. Very informative thank you. In the example, [protected form] = [salt] + protect([protection func], [salt] + [credential]); It looks like they are saying to prepent the salt prior to the protect function (in the case of LC that would be encrypt) but if someone got access to the SQL database, wouldn't that give part of the secret away? Isn't the salt value a way to further obscure the credential, making something like a hash table more difficult? I use a salt value that only I know, and I password protect the stack that uses it. Seems to me that prepending the salt to the protected form is like giving someone my user name but not my password. The other team is starting on the 50 yard line (in American sports vernacular). Bob S > On Mar 1, 2017, at 02:31 , Peter TB Brett via use-livecode > wrote: > > If you are handling passwords, then this is a pretty decent page with good > guidelines on how to do it safely and securely: > > https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 28/02/2017 15:46, Bob Sneidar via use-livecode wrote: Thanks for that Peter! I've been thinking about a way to encrypt data for storage in database systems for things like passwords and server credentials. Now to figure out how to decrypt it... Hi Bob, Never store user passwords in clear text, or in any encoding that can be reversed. Both message digest algorithms and HMACs are intended to be *one-way* functions -- this is one of their important properties. If you are handling passwords, then this is a pretty decent page with good guidelines on how to do it safely and securely: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet Note that the HMAC definition I posted earlier is a simplified version; it would probably be a good idea to have a library that provides the full spec described in https://tools.ietf.org/html/rfc2104 Also, I'm wondering whether to add an Argon2 or PBKDF2 implementation to the engine to help with this. Peter -- Dr Peter Brett LiveCode Technical Project Manager lcb-mode for Emacs: https://github.com/peter-b/lcb-mode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
NVM I'm a moron. It's there but I overlooked it. Bob S > On Feb 28, 2017, at 12:27 , Richard Gaskin via use-livecode > wrote: > > I had written "shaONEdigest" only to draw attention to the "1" ("ONE"), just > in case you'd tried "l" ("L") instead. > > It's in there. Has been for years. Not sure why you're not seeing it. > > -- > Richard Gaskin ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Bob Sneidar wrote: >> On Feb 28, 2017, at 09:33 , Richard Gaskin wrote: >> Bob Sneidar wrote: >> >> > I cannot find a function called sha1digest in the LC library. >> >> It's sha-ONE-digest, and it's been around for a while so it should >> be there. >> > > I search for SHA in the dictionary, nada. I type sha1digest in to a > script, right click it, nada. I type shaONEdigest in a script, right > click it, nada. I had written "shaONEdigest" only to draw attention to the "1" ("ONE"), just in case you'd tried "l" ("L") instead. It's in there. Has been for years. Not sure why you're not seeing it. -- Richard Gaskin Fourth World Systems Software Design and Development for the Desktop, Mobile, and the Web ambassa...@fourthworld.comhttp://www.FourthWorld.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
One thing I discovered just now: the items listed in the API tab of the Dictionary are not necessarily in alphabetic order by default. I discovered it by typing 'sh' into the Filter box and looking at the list, top to bottom. Things weren't where I expected them to be! After I clicked the 'Name' column header, however, the list was alphabetic by Name. AND I found sha1Digest in there. Phil On 2/28/17 12:00 PM, Mark Wieder via use-livecode wrote: On 02/28/2017 11:05 AM, Bob Sneidar via use-livecode wrote: I search for SHA in the dictionary, nada. It's in the dictionary. Maybe you have a filter enabled that's masking it? -- Phil Davis ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
However, this works: put sha1Digest("dfgdfgdghgdhfgh") So we know it's there. FWIW - Phil Davis On 2/28/17 11:05 AM, Bob Sneidar via use-livecode wrote: I search for SHA in the dictionary, nada. I type sha1digest in to a script, right click it, nada. I type shaONEdigest in a script, right click it, nada. Bob S On Feb 28, 2017, at 09:33 , Richard Gaskin via use-livecode wrote: Bob Sneidar wrote: I cannot find a function called sha1digest in the LC library. It's sha-ONE-digest, and it's been around for a while so it should be there. -- Richard Gaskin ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode -- Phil Davis ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 02/28/2017 11:05 AM, Bob Sneidar via use-livecode wrote: I search for SHA in the dictionary, nada. It's in the dictionary. Maybe you have a filter enabled that's masking it? -- Mark Wieder ahsoftw...@gmail.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
I search for SHA in the dictionary, nada. I type sha1digest in to a script, right click it, nada. I type shaONEdigest in a script, right click it, nada. Bob S > On Feb 28, 2017, at 09:33 , Richard Gaskin via use-livecode > wrote: > > Bob Sneidar wrote: > > > I cannot find a function called sha1digest in the LC library. > > It's sha-ONE-digest, and it's been around for a while so it should be there. > > -- > Richard Gaskin ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Bob Sneidar wrote: > I cannot find a function called sha1digest in the LC library. It's sha-ONE-digest, and it's been around for a while so it should be there. -- Richard Gaskin Fourth World Systems Software Design and Development for the Desktop, Mobile, and the Web ambassa...@fourthworld.comhttp://www.FourthWorld.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
err... This does not work. I cannot find a function called sha1digest in the LC library. Bob S > On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode > wrote: > > Or, in LiveCode: > >function HmacSha1(pKey, pData) >return sha1digest(pKey & sha1digest(pKey & pData)) >end HmacSha1 > > If you are doing this, then the current attack on SHA-1 does not affect the > security of your system at all [1]. > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Thanks for that Peter! I've been thinking about a way to encrypt data for storage in database systems for things like passwords and server credentials. Now to figure out how to decrypt it... Bob S > On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode > wrote: > >function HmacSha1(pKey, pData) >return sha1digest(pKey & sha1digest(pKey & pData)) >end HmacSha1 ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 24/02/2017 18:47, axwald via use-livecode wrote: few days ago I read about PHP incorporating a modern crypto lib now: https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library Not a specialist regarding this, but wouldn't it be possible to interface such? https://github.com/jedisct1/libsodium @Lagi: The first customer already called to ask if I'd use "this security risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny plausibly :) Even if I agree with you about the real risk, it would be very bad idea not to update any commercial software now. It might even have juristic consequences, knowingly using broken crypto? If you're using SHA-1 to implement an HMAC, you should already be using the recommended formulation: hmac := hash(key | hash(key | message)) Or, in LiveCode: function HmacSha1(pKey, pData) return sha1digest(pKey & sha1digest(pKey & pData)) end HmacSha1 If you are doing this, then the current attack on SHA-1 does not affect the security of your system at all [1]. Peter [1] I am not a cryptographer but this is my understanding of the situation. -- Dr Peter Brett LiveCode Technical Project Manager lcb-mode for Emacs: https://github.com/peter-b/lcb-mode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
For those interested there is a SHA-1 collider here to have a play with https://alf.nu/SHA1 On 25 Feb 2017 3:18 p.m., "Dr. Hawkins via use-livecode" < use-livecode@lists.runrev.com> wrote: > On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode < > use-livecode@lists.runrev.com> wrote: > > > While Google may include a backdoor (something I consider unlikely but I > > realise that's no less conjecture than '100% certainty'), the Natural > News > > issue isn't what the site owners paint it to be. This > > https://www.google.co.uk/amp/s/www.seroundtable.com/amp/ > > google-natural-news-deindex-23463.html is a good place to start for > > reference. > > > > Just reading a couple of paragraphs of that site was enough to tell me that > the connection with reality was, well, tenable. Black helicopters, the > trilateral commission, VWRC, and Yeti conversations would have fit in . . . > > > -- > Dr. Richard E. Hawkins, Esq. > (702) 508-8462 > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode < use-livecode@lists.runrev.com> wrote: > While Google may include a backdoor (something I consider unlikely but I > realise that's no less conjecture than '100% certainty'), the Natural News > issue isn't what the site owners paint it to be. This > https://www.google.co.uk/amp/s/www.seroundtable.com/amp/ > google-natural-news-deindex-23463.html is a good place to start for > reference. > Just reading a couple of paragraphs of that site was enough to tell me that the connection with reality was, well, tenable. Black helicopters, the trilateral commission, VWRC, and Yeti conversations would have fit in . . . -- Dr. Richard E. Hawkins, Esq. (702) 508-8462 ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
An aside response... > Read between the lines Google doesn't use it so obviously people will start > using Google's which will with 100% certainty will have a backdoor in it > looking as to how they removed 140,000 indexed pages of www.naturalnews.com > after the owner didn't give in to blackmail - "Don't be evil" my arse. While Google may include a backdoor (something I consider unlikely but I realise that's no less conjecture than '100% certainty'), the Natural News issue isn't what the site owners paint it to be. This https://www.google.co.uk/amp/s/www.seroundtable.com/amp/google-natural-news-deindex-23463.html is a good place to start for reference. k ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Hi, few days ago I read about PHP incorporating a modern crypto lib now: > https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library Not a specialist regarding this, but wouldn't it be possible to interface such? > https://github.com/jedisct1/libsodium @Lagi: The first customer already called to ask if I'd use "this security risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny plausibly :) Even if I agree with you about the real risk, it would be very bad idea not to update any commercial software now. It might even have juristic consequences, knowingly using broken crypto? Anyway. Have fun! - • Livecode programming until the cat hits the fan • -- View this message in context: http://runtime-revolution.278305.n4.nabble.com/SHA1-cracked-What-are-the-chances-this-will-be-addressed-in-LC-tp4712554p4712617.html Sent from the Revolution - User mailing list archive at Nabble.com. ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
I dl'd and also sent him some money. Bob S > On Feb 24, 2017, at 09:56 , Richard Gaskin via use-livecode > wrote: > > Peter covered why it should be done in C, but if you really need sha256 today > Mark Smith's libSHA includes a scripted version: > > http://marksmith.on-rev.com/revstuff/ > > -- > Richard Gaskin ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Lagi Pittas wrote: > Why does it need to be a part of the language and not a widget > or a library stack which we can all fiddle with for our projects, > which would make it more difficult for the bad boys to decrypt? Peter covered why it should be done in C, but if you really need sha256 today Mark Smith's libSHA includes a scripted version: http://marksmith.on-rev.com/revstuff/ -- Richard Gaskin Fourth World Systems Software Design and Development for Desktop, Mobile, and Web ambassa...@fourthworld.comhttp://www.FourthWorld.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
On 24/02/2017 17:18, Lagi Pittas via use-livecode wrote: Why does it need to be a part of the language and not a widget or a library stack which we can all fiddle with for our projects , which would make it more difficult for the bad boys to decrypt? Cryptographic hash implementations have a lot of fairly strict requirements that make them extremely difficult to implement in a language like LiveCode. For example, they have to run in _exactly_ the same amount of time for the same number of bytes of input, no matter what those bytes are. It would be good to have an external that provides a nice variety of cryptographic hashes, though. Peter -- Dr Peter Brett LiveCode Technical Project Manager lcb-mode for Emacs: https://github.com/peter-b/lcb-mode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Why does it need to be a part of the language and not a widget or a library stack which we can all fiddle with for our projects , which would make it more difficult for the bad boys to decrypt? Lagi On 24 February 2017 at 17:15, Tom Glod via use-livecode < use-livecode@lists.runrev.com> wrote: > Its good to hear its being looked at by the core team. I trust the most > obvious correct decision will be made eventually. > > On Fri, Feb 24, 2017 at 11:28 AM, Richard Gaskin via use-livecode < > use-livecode@lists.runrev.com> wrote: > > > As much as I enjoy chatting with other users, a while back I had hoped to > > make this more actionable by submitting an enhancement request for > sha256: > > > > http://quality.livecode.com/show_bug.cgi?id=14223 > > > > The challenge with satisfying that request is two fold: > > > > - sha2 is not a single algo, but a family of algos, and requires new > > syntax forms that have to be thought out in addition to the more complex > > engineering work to support that new set of language design patterns. > > > > - This chart shows that sha2 already has minor weaknesses, which will > > likely become more significant over time, suggesting we might already > start > > looking at extending the afore-mentioned framework even further to > include > > sha3 (and I suppose even be prepared for the inevitable sha4). > > http://valerieaurora.org/hash.html > > > > All that said, in light of the visibility of the issue after the recent > > Google research, I discussed this with a member of the core dev team > > yesterday, who will be evaluating the merit of this more comprehensive > > framework vs perhaps a simpler implementation of merely the most > > commonly-use sha2 flavor for now. > > > > After that analysis is done I trust we'll get an update on that soon. > > > > For now, just rest assured that they read the same security bulletins we > > do (Peter tends to read more than me, so I always pick up a trick or two > > talking with him about security), and are actively exploring options for > us. > > > > -- > > Richard Gaskin > > Fourth World Systems > > Software Design and Development for Desktop, Mobile, and Web > > > > ambassa...@fourthworld.comhttp://www.FourthWorld.com > > > > > > ___ > > use-livecode mailing list > > use-livecode@lists.runrev.com > > Please visit this url to subscribe, unsubscribe and manage your > > subscription preferences: > > http://lists.runrev.com/mailman/listinfo/use-livecode > > > > > > -- > *Tom Glod* > > CEO @ *MakeShyft R.D.A* - www.makeshyft.com > > > > Developer of *U.M.P* - www.IamUMP.com > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Its good to hear its being looked at by the core team. I trust the most obvious correct decision will be made eventually. On Fri, Feb 24, 2017 at 11:28 AM, Richard Gaskin via use-livecode < use-livecode@lists.runrev.com> wrote: > As much as I enjoy chatting with other users, a while back I had hoped to > make this more actionable by submitting an enhancement request for sha256: > > http://quality.livecode.com/show_bug.cgi?id=14223 > > The challenge with satisfying that request is two fold: > > - sha2 is not a single algo, but a family of algos, and requires new > syntax forms that have to be thought out in addition to the more complex > engineering work to support that new set of language design patterns. > > - This chart shows that sha2 already has minor weaknesses, which will > likely become more significant over time, suggesting we might already start > looking at extending the afore-mentioned framework even further to include > sha3 (and I suppose even be prepared for the inevitable sha4). > http://valerieaurora.org/hash.html > > All that said, in light of the visibility of the issue after the recent > Google research, I discussed this with a member of the core dev team > yesterday, who will be evaluating the merit of this more comprehensive > framework vs perhaps a simpler implementation of merely the most > commonly-use sha2 flavor for now. > > After that analysis is done I trust we'll get an update on that soon. > > For now, just rest assured that they read the same security bulletins we > do (Peter tends to read more than me, so I always pick up a trick or two > talking with him about security), and are actively exploring options for us. > > -- > Richard Gaskin > Fourth World Systems > Software Design and Development for Desktop, Mobile, and Web > > ambassa...@fourthworld.comhttp://www.FourthWorld.com > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > -- *Tom Glod* CEO @ *MakeShyft R.D.A* - www.makeshyft.com Developer of *U.M.P* - www.IamUMP.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
As much as I enjoy chatting with other users, a while back I had hoped to make this more actionable by submitting an enhancement request for sha256: http://quality.livecode.com/show_bug.cgi?id=14223 The challenge with satisfying that request is two fold: - sha2 is not a single algo, but a family of algos, and requires new syntax forms that have to be thought out in addition to the more complex engineering work to support that new set of language design patterns. - This chart shows that sha2 already has minor weaknesses, which will likely become more significant over time, suggesting we might already start looking at extending the afore-mentioned framework even further to include sha3 (and I suppose even be prepared for the inevitable sha4). http://valerieaurora.org/hash.html All that said, in light of the visibility of the issue after the recent Google research, I discussed this with a member of the core dev team yesterday, who will be evaluating the merit of this more comprehensive framework vs perhaps a simpler implementation of merely the most commonly-use sha2 flavor for now. After that analysis is done I trust we'll get an update on that soon. For now, just rest assured that they read the same security bulletins we do (Peter tends to read more than me, so I always pick up a trick or two talking with him about security), and are actively exploring options for us. -- Richard Gaskin Fourth World Systems Software Design and Development for Desktop, Mobile, and Web ambassa...@fourthworld.comhttp://www.FourthWorld.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
Hi I didn't say they shouldn't do it I said I won't lose any sleep over it. I don't think it needs to be built in either - just a library will do and everybody can tweak it a little bit so that NOBODY knows which one it is - that'll piss TPTB off. Lagi On 24 February 2017 at 13:58, Dan Brown via use-livecode < use-livecode@lists.runrev.com> wrote: > It may cost $110,000 today but the computational cost of executing this > exploit will decrease year on year until it is trivial to perform. I would > think it much better to address this issue immediately so that applications > being made now are future proofed. > > There is also the PR element to consider - Does Livecode really want to be > advertising a demonstrably insecure hash algorithm as a feature... > > On Fri, Feb 24, 2017 at 10:44 AM, Lagi Pittas via use-livecode < > use-livecode@lists.runrev.com> wrote: > > > I think everybody is overplaying this. > > > > It will only matter if the amount of money or other advantages is worth > at > > least $110,000. > > > > > > The algorithm executed in Amazons cloud at the cheapest rate would cost > > that much in processing to get 1 key. > > > > The only people that will waste YOUR money to do this are governments and > > they have the equipment. > > If you really have something they want so much they will come through > your > > door. > > > > Depending on what you are doing why not do 2 SHA1 or even an blowfish > > encrypt first. > > > > Better yet - you could write your own in a few hours based on other code > > - it doesnt have to be particular clever since they don't know the > > algorithm how will they break it unless it's just a simple transposition? > > > > Read between the lines Google doesn't use it so obviously people will > start > > using Google's which will with 100% certainty will have a backdoor in it > > looking as to how they removed 140,000 indexed pages of > > www.naturalnews.com > > after the owner didn't give in to blackmail - "Don't be evil" my arse. > > > > http://www.newstarget.com/2017-02-23-breaking-mike- > > adams-and-alex-jones-taken-down-by-google-cia-prior-to- > > big-event-trump-needs-to-beware.html > > > > A bit of history of backdoors and homegrown encryption algorithm > > http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge. > > php#axzz4Zb6ctE4v > > > > I'm certainly not going to lose sleep over this. > > > > > > Lagi > > > > On 24 February 2017 at 01:25, Tom Glod via use-livecode < > > use-livecode@lists.runrev.com> wrote: > > > > > Hi everyone, > > > > > > Read this article today. I use SHA1 in my software, so > > > > > > https://www.recode.net/2017/2/23/14715570/google- > > > researchers-crack-internet-security-tool-sha1-encryption > > > > > > What do you all think? Should I bother reporting this? or is it fair to > > say > > > they know about it? What are the chances that there will be extra > effort > > > placed on adding another sha digest function? sha256? > > > > > > THanks > > > > > > Tom > > > ___ > > > use-livecode mailing list > > > use-livecode@lists.runrev.com > > > Please visit this url to subscribe, unsubscribe and manage your > > > subscription preferences: > > > http://lists.runrev.com/mailman/listinfo/use-livecode > > > > > ___ > > use-livecode mailing list > > use-livecode@lists.runrev.com > > Please visit this url to subscribe, unsubscribe and manage your > > subscription preferences: > > http://lists.runrev.com/mailman/listinfo/use-livecode > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
It may cost $110,000 today but the computational cost of executing this exploit will decrease year on year until it is trivial to perform. I would think it much better to address this issue immediately so that applications being made now are future proofed. There is also the PR element to consider - Does Livecode really want to be advertising a demonstrably insecure hash algorithm as a feature... On Fri, Feb 24, 2017 at 10:44 AM, Lagi Pittas via use-livecode < use-livecode@lists.runrev.com> wrote: > I think everybody is overplaying this. > > It will only matter if the amount of money or other advantages is worth at > least $110,000. > > > The algorithm executed in Amazons cloud at the cheapest rate would cost > that much in processing to get 1 key. > > The only people that will waste YOUR money to do this are governments and > they have the equipment. > If you really have something they want so much they will come through your > door. > > Depending on what you are doing why not do 2 SHA1 or even an blowfish > encrypt first. > > Better yet - you could write your own in a few hours based on other code > - it doesnt have to be particular clever since they don't know the > algorithm how will they break it unless it's just a simple transposition? > > Read between the lines Google doesn't use it so obviously people will start > using Google's which will with 100% certainty will have a backdoor in it > looking as to how they removed 140,000 indexed pages of > www.naturalnews.com > after the owner didn't give in to blackmail - "Don't be evil" my arse. > > http://www.newstarget.com/2017-02-23-breaking-mike- > adams-and-alex-jones-taken-down-by-google-cia-prior-to- > big-event-trump-needs-to-beware.html > > A bit of history of backdoors and homegrown encryption algorithm > http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge. > php#axzz4Zb6ctE4v > > I'm certainly not going to lose sleep over this. > > > Lagi > > On 24 February 2017 at 01:25, Tom Glod via use-livecode < > use-livecode@lists.runrev.com> wrote: > > > Hi everyone, > > > > Read this article today. I use SHA1 in my software, so > > > > https://www.recode.net/2017/2/23/14715570/google- > > researchers-crack-internet-security-tool-sha1-encryption > > > > What do you all think? Should I bother reporting this? or is it fair to > say > > they know about it? What are the chances that there will be extra effort > > placed on adding another sha digest function? sha256? > > > > THanks > > > > Tom > > ___ > > use-livecode mailing list > > use-livecode@lists.runrev.com > > Please visit this url to subscribe, unsubscribe and manage your > > subscription preferences: > > http://lists.runrev.com/mailman/listinfo/use-livecode > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
thanks for sharing your thoughts on this Lagi, you make some good points. On Fri, Feb 24, 2017 at 5:44 AM, Lagi Pittas via use-livecode < use-livecode@lists.runrev.com> wrote: > I think everybody is overplaying this. > > It will only matter if the amount of money or other advantages is worth at > least $110,000. > > > The algorithm executed in Amazons cloud at the cheapest rate would cost > that much in processing to get 1 key. > > The only people that will waste YOUR money to do this are governments and > they have the equipment. > If you really have something they want so much they will come through your > door. > > Depending on what you are doing why not do 2 SHA1 or even an blowfish > encrypt first. > > Better yet - you could write your own in a few hours based on other code > - it doesnt have to be particular clever since they don't know the > algorithm how will they break it unless it's just a simple transposition? > > Read between the lines Google doesn't use it so obviously people will start > using Google's which will with 100% certainty will have a backdoor in it > looking as to how they removed 140,000 indexed pages of > www.naturalnews.com > after the owner didn't give in to blackmail - "Don't be evil" my arse. > > http://www.newstarget.com/2017-02-23-breaking-mike- > adams-and-alex-jones-taken-down-by-google-cia-prior-to- > big-event-trump-needs-to-beware.html > > A bit of history of backdoors and homegrown encryption algorithm > http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge. > php#axzz4Zb6ctE4v > > I'm certainly not going to lose sleep over this. > > > Lagi > > On 24 February 2017 at 01:25, Tom Glod via use-livecode < > use-livecode@lists.runrev.com> wrote: > > > Hi everyone, > > > > Read this article today. I use SHA1 in my software, so > > > > https://www.recode.net/2017/2/23/14715570/google- > > researchers-crack-internet-security-tool-sha1-encryption > > > > What do you all think? Should I bother reporting this? or is it fair to > say > > they know about it? What are the chances that there will be extra effort > > placed on adding another sha digest function? sha256? > > > > THanks > > > > Tom > > ___ > > use-livecode mailing list > > use-livecode@lists.runrev.com > > Please visit this url to subscribe, unsubscribe and manage your > > subscription preferences: > > http://lists.runrev.com/mailman/listinfo/use-livecode > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > -- *Tom Glod* CEO @ *MakeShyft R.D.A* - www.makeshyft.com Developer of *U.M.P* - www.IamUMP.com ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: SHA1 cracked .... What are the chances this will be addressed in LC?
I think everybody is overplaying this. It will only matter if the amount of money or other advantages is worth at least $110,000. The algorithm executed in Amazons cloud at the cheapest rate would cost that much in processing to get 1 key. The only people that will waste YOUR money to do this are governments and they have the equipment. If you really have something they want so much they will come through your door. Depending on what you are doing why not do 2 SHA1 or even an blowfish encrypt first. Better yet - you could write your own in a few hours based on other code - it doesnt have to be particular clever since they don't know the algorithm how will they break it unless it's just a simple transposition? Read between the lines Google doesn't use it so obviously people will start using Google's which will with 100% certainty will have a backdoor in it looking as to how they removed 140,000 indexed pages of www.naturalnews.com after the owner didn't give in to blackmail - "Don't be evil" my arse. http://www.newstarget.com/2017-02-23-breaking-mike-adams-and-alex-jones-taken-down-by-google-cia-prior-to-big-event-trump-needs-to-beware.html A bit of history of backdoors and homegrown encryption algorithm http://www.whatreallyhappened.com/WRHARTICLES/NSAchallenge.php#axzz4Zb6ctE4v I'm certainly not going to lose sleep over this. Lagi On 24 February 2017 at 01:25, Tom Glod via use-livecode < use-livecode@lists.runrev.com> wrote: > Hi everyone, > > Read this article today. I use SHA1 in my software, so > > https://www.recode.net/2017/2/23/14715570/google- > researchers-crack-internet-security-tool-sha1-encryption > > What do you all think? Should I bother reporting this? or is it fair to say > they know about it? What are the chances that there will be extra effort > placed on adding another sha digest function? sha256? > > THanks > > Tom > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
SHA1 cracked .... What are the chances this will be addressed in LC?
Hi everyone, Read this article today. I use SHA1 in my software, so https://www.recode.net/2017/2/23/14715570/google-researchers-crack-internet-security-tool-sha1-encryption What do you all think? Should I bother reporting this? or is it fair to say they know about it? What are the chances that there will be extra effort placed on adding another sha digest function? sha256? THanks Tom ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode