Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect note about md5 in hmac module documentation #49462

Closed
brainsik mannequin opened this issue Feb 11, 2009 · 6 comments
Closed

Incorrect note about md5 in hmac module documentation #49462

brainsik mannequin opened this issue Feb 11, 2009 · 6 comments
Labels
docs Documentation in the Doc dir type-security A security issue

Comments

@brainsik
Copy link
Mannequin

brainsik mannequin commented Feb 11, 2009

BPO 5212
Nosy @birkenfeld, @terryjreedy

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2010-10-17.10:09:15.815>
created_at = <Date 2009-02-11.00:39:50.578>
labels = ['type-security', 'docs']
title = 'Incorrect note about md5 in hmac module documentation'
updated_at = <Date 2010-10-17.10:09:15.813>
user = 'https://bugs.python.org/brainsik'

bugs.python.org fields:

activity = <Date 2010-10-17.10:09:15.813>
actor = 'georg.brandl'
assignee = 'docs@python'
closed = True
closed_date = <Date 2010-10-17.10:09:15.815>
closer = 'georg.brandl'
components = ['Documentation']
creation = <Date 2009-02-11.00:39:50.578>
creator = 'brainsik'
dependencies = []
files = []
hgrepos = []
issue_num = 5212
keywords = []
message_count = 6.0
messages = ['81615', '81616', '108667', '108892', '108893', '118923']
nosy_count = 4.0
nosy_names = ['georg.brandl', 'terry.reedy', 'brainsik', 'docs@python']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue5212'
versions = ['Python 2.6', 'Python 3.1', 'Python 2.7', 'Python 3.2']
@brainsik
Copy link
Mannequin Author

brainsik mannequin commented Feb 11, 2009

The HMAC module page [1] says:

Note: The md5 hash has known weaknesses but remains the default for
backwards compatibility. Choose a better one for your application.

However, according to the "Hash Collision Q&A" [2] linked to from the
hashlib module [3], md5 is not vulnerable when used in an HMAC:

Q: Do these attacks break HMAC using MD5 or SHA-1?
A: No. Because of the way hash functions are used in the HMAC
construction, the techniques used in these recent attacks do not apply.

It seems like the note is incorrect.

  1. http://docs.python.org/library/hmac.html
  2. http://www.cryptography.com/cnews/hash.html
  3. http://docs.python.org/library/hashlib.html

@brainsik brainsik mannequin assigned birkenfeld Feb 11, 2009
@brainsik brainsik mannequin added docs Documentation in the Doc dir type-security A security issue labels Feb 11, 2009
@brainsik
Copy link
Mannequin Author

brainsik mannequin commented Feb 11, 2009

Bruce Schneier also says (regarding the SHA-1 collision attacks), "it
doesn't affect applications such as HMAC where collisions aren't important":

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

@terryjreedy
Copy link
Member

Are you proposing that the note be removed entirely (and ignore the results it is based on) or just reworded? If it were removed, I could imagine complaints. If reword, specifically how?

@terryjreedy terryjreedy assigned docspython and unassigned birkenfeld Jun 26, 2010
@brainsik
Copy link
Mannequin Author

brainsik mannequin commented Jun 29, 2010

Since the note is incorrect, it seems like it should be removed. What "results it is based on" are you referring to and what complaints are you concerned about?

@terryjreedy
Copy link
Member

The supposed 'known weaknesses'. I have no particular opinion.
Anyway, we have your recommendation: remove the note.
I will let others defend it.

@birkenfeld
Copy link
Member

Removed note in r85617.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docs Documentation in the Doc dir type-security A security issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@birkenfeld @terryjreedy