Issue 5212: Incorrect note about md5 in hmac module documentation

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/49462

classification

Title:	Incorrect note about md5 in hmac module documentation
Type:	security	Stage:
Components:	Documentation	Versions:	Python 3.1, Python 3.2, Python 2.7, Python 2.6

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:	docs@python	Nosy List:	brainsik, docs@python, georg.brandl, terry.reedy
Priority:	normal	Keywords:

Created on 2009-02-11 00:39 by brainsik, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (6)
msg81615 - (view)	Author: .:. brainsik (brainsik)	Date: 2009-02-11 00:39
The HMAC module page [1] says: Note: The md5 hash has known weaknesses but remains the default for backwards compatibility. Choose a better one for your application. However, according to the "Hash Collision Q&A" [2] linked to from the hashlib module [3], md5 is not vulnerable when used in an HMAC: Q: Do these attacks break HMAC using MD5 or SHA-1? A: No. Because of the way hash functions are used in the HMAC construction, the techniques used in these recent attacks do not apply. It seems like the note is incorrect. 1. http://docs.python.org/library/hmac.html 2. http://www.cryptography.com/cnews/hash.html 3. http://docs.python.org/library/hashlib.html
msg81616 - (view)	Author: .:. brainsik (brainsik)	Date: 2009-02-11 00:44
Bruce Schneier also says (regarding the SHA-1 collision attacks), "it doesn't affect applications such as HMAC where collisions aren't important": http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
msg108667 - (view)	Author: Terry J. Reedy (terry.reedy) *	Date: 2010-06-26 00:50
Are you proposing that the note be removed entirely (and ignore the results it is based on) or just reworded? If it were removed, I could imagine complaints. If reword, specifically how?
msg108892 - (view)	Author: .:. brainsik (brainsik)	Date: 2010-06-29 05:05
Since the note is incorrect, it seems like it should be removed. What "results it is based on" are you referring to and what complaints are you concerned about?
msg108893 - (view)	Author: Terry J. Reedy (terry.reedy) *	Date: 2010-06-29 05:10
The supposed 'known weaknesses'. I have no particular opinion. Anyway, we have your recommendation: remove the note. I will let others defend it.
msg118923 - (view)	Author: Georg Brandl (georg.brandl) *	Date: 2010-10-17 10:09
Removed note in r85617.

History
Date	User	Action	Args
2022-04-11 14:56:45	admin	set	github: 49462
2010-10-17 10:09:15	georg.brandl	set	status: open -> closed resolution: fixed messages: + msg118923
2010-06-29 05:10:44	terry.reedy	set	messages: + msg108893
2010-06-29 05:05:08	brainsik	set	messages: + msg108892
2010-06-26 00:50:49	terry.reedy	set	assignee: georg.brandl -> docs@python messages: + msg108667 nosy: + terry.reedy, docs@python
2010-06-26 00:47:20	terry.reedy	set	versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.5, Python 3.0
2009-02-11 00:44:23	brainsik	set	messages: + msg81616
2009-02-11 00:39:50	brainsik	create