Message 79282 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	lemburg
Recipients	ebfe, lemburg
Date	2009-01-06.20:17:52
SpamBayes Score	0.10777218
Marked as misclassified	No
Message-id	<4963BC6F.50104@egenix.com>
In-reply-to	<1231272376.79.0.422670760646.issue4858@psf.upfronthosting.co.za>

Content
On 2009-01-06 21:06, Lukas Lueg wrote: > MD5 is one of the most popular cryptographic hash-functions around, > mainly for it's good performance and availability throughout > applications and libraries. The MD5 algorithm is currently implemented > in python as part of the hashlib-module and (in more general terms) as > part of SSL in the ssl-module. However, concerns about the security of > MD5 have risen during the last few years. In 2007 a practical attack to > create collisions in the compression-function has been released and on > 12/31/2008 US-CERT issued a note to warn about the general insecurity of > MD5 (http://www.kb.cert.org/vuls/id/836068). > > > I propose and strongly suggest to start deprecate direct support for MD5 > during this year and completly remove support for it afterwards. A strong -1 on that idea. MD5 is in wide-spread use as hash function. It can no longer be considered a cryptographic hash function, but still serves its purpose as fast, easy to use general purpose hash function well. Removing it from Python would cripple Python for no apparent reason.

On 2009-01-06 21:06, Lukas Lueg wrote:
> MD5 is one of the most popular cryptographic hash-functions around,
> mainly for it's good performance and availability throughout
> applications and libraries. The MD5 algorithm is currently implemented
> in python as part of the hashlib-module and (in more general terms) as
> part of SSL in the ssl-module. However, concerns about the security of
> MD5 have risen during the last few years. In 2007 a practical attack to
> create collisions in the compression-function has been released and on
> 12/31/2008 US-CERT issued a note to warn about the general insecurity of
> MD5 (http://www.kb.cert.org/vuls/id/836068).
> 
> 
> I propose and strongly suggest to start deprecate direct support for MD5
> during this year and completly remove support for it afterwards.

A strong -1 on that idea.

MD5 is in wide-spread use as hash function. It can no longer
be considered a cryptographic hash function, but still serves its
purpose as fast, easy to use general purpose hash function well.

Removing it from Python would cripple Python for no apparent reason.

History
Date	User	Action	Args
2009-01-06 20:17:53	lemburg	set	recipients: + lemburg, ebfe
2009-01-06 20:17:53	lemburg	link	issue4858 messages
2009-01-06 20:17:53	lemburg	create