Message 182553 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	sbt
Recipients	christian.heimes, dmalcolm, sbt
Date	2013-02-20.21:16:03
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1361394963.82.0.312281425588.issue17258@psf.upfronthosting.co.za>
In-reply-to

Content
Banning md5 as a matter of policy may be perfectly sensible. However, I think the way multiprocessing uses hmac authentication is not affected by the collision attacks the advisory talks about. These depend on the attacker being able to determine for himself whether a particular candidate string is a "solution". But with the way multiprocessing uses hmac authentication there is no way for the attacker to check for himself whether a candidate string has the desired hash: he does not know what the desired hash value is, or even what the hash function is. (The effective hash function, though built on top of md5, depends on the secret key.)

Banning md5 as a matter of policy may be perfectly sensible.

However, I think the way multiprocessing uses hmac authentication is *not* affected by the collision attacks the advisory talks about.  These depend on the attacker being able to determine for himself whether a particular candidate string is a "solution".

But with the way multiprocessing uses hmac authentication there is no way for the attacker to check for himself whether a candidate string has the desired hash: he does not know what the desired hash value is, or even what the hash function is.  (The effective hash function, though built on top of md5, depends on the secret key.)

History
Date	User	Action	Args
2013-02-20 21:16:03	sbt	set	recipients: + sbt, christian.heimes, dmalcolm
2013-02-20 21:16:03	sbt	set	messageid: <1361394963.82.0.312281425588.issue17258@psf.upfronthosting.co.za>
2013-02-20 21:16:03	sbt	link	issue17258 messages
2013-02-20 21:16:03	sbt	create