On 24/02/2017 18:47, axwald via use-livecode wrote:
few days ago I read about PHP incorporating a modern crypto lib now:

Not a specialist regarding this, but wouldn't it be possible to interface

@Lagi: The first customer already called to ask if I'd use "this security
risk" - thanks "LibHash-Hmac" (Richard posted the URL) I could deny
plausibly :)
Even if I agree with you about the real risk, it would be very bad idea not
to update any commercial software now. It might even have juristic
consequences, knowingly using broken crypto?

If you're using SHA-1 to implement an HMAC, you should already be using the recommended formulation:

    hmac := hash(key | hash(key | message))

Or, in LiveCode:

    function HmacSha1(pKey, pData)
        return sha1digest(pKey & sha1digest(pKey & pData))
    end HmacSha1

If you are doing this, then the current attack on SHA-1 does not affect the security of your system at all [1].


[1] I am not a cryptographer but this is my understanding of the situation.

Dr Peter Brett <peter.br...@livecode.com>
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

use-livecode mailing list
Please visit this url to subscribe, unsubscribe and manage your subscription 

Reply via email to