Author lemburg
Recipients ebfe, gregory.p.smith, lemburg, rhettinger
Date 2009-01-06.22:39:23
Message-id <4963DD99.2090906@egenix.com>
In-reply-to <1231279805.46.0.0725864851095.issue4858@psf.upfronthosting.co.za>
Content
On 2009-01-06 23:10, Lukas Lueg wrote:
> Lukas Lueg <knabberknusperhaus@yahoo.de> added the comment:
> 
>> It might be a good idea to remove the word "secure" from the
>> hashlib documentation, since security of these algorithms is
>> always limited to a certain period of time.
> 
> I'm sorry, was that a boy attempted humor ? [Misuse quote from DH3: Check]

No, it's the reality of life and one of the reasons why digitally
signed data needs to be re-signed every few years in order to keep
the data secured and the legal status of the signature intact.

Note that SHA-0 and -1 were broken in 2005:

    http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html

In Germany, the BSI, which corresponds to the NSA in the US, publishes
a list of algorithms each year that are deemed safe, including their
expiration year:

    http://www.bundesnetzagentur.de/enid/Veroeffentlichungen/Algorithmen_sw.html
    (in German)

They regard SHA-1 as expired by the end of this year. For SHA-2 functions
they give 2015 as the expiry date.

The NSA has similar guidelines:

    http://csrc.nist.gov/groups/ST/hash/statement.html

They currently suggest using SHA-2 functions for crypto applications,
but are also running a new contest for SHA-3:

    http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/submissions_rnd1.html

> Anyway, in fact that might be a good idea: Reflect that the hashlib
> module includes hash functions for the sake of compatibility and
> interoperability and not everlasting security.

BTW: Not sure what Deer Hunter 3 has to do with all this ;-)

    http://www.planetdeerhunter.com/dh3
History
Date                 User     Action  Args
2009-01-06 22:39:24  lemburg  set     recipients: + lemburg, rhettinger, gregory.p.smith, ebfe
2009-01-06 22:39:23  lemburg  link    issue4858 messages
2009-01-06 22:39:23  lemburg  create
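
The renewal practice described in the message above, sketched with hashlib as an added example that is not part of the original message or of the hashlib module. It assumes unkeyed digests as a stand-in for real signatures; the `EXPIRY_YEAR` table and all function names are hypothetical, and the expiry years are the ones quoted in the message.

```python
import hashlib
import hmac

# Expiry years as stated in the message above; names are this example's own.
EXPIRY_YEAR = {"sha1": 2009, "sha256": 2015, "sha512": 2015}


def is_acceptable(alg, year):
    """An algorithm may be used through the end of its expiry year."""
    return alg in EXPIRY_YEAR and year <= EXPIRY_YEAR[alg]


def seal(data, chain, alg):
    """Digest the data plus all earlier seals, so the newer algorithm
    also covers the older digests."""
    h = hashlib.new(alg)
    h.update(data)
    for old_alg, old_hex in chain:
        h.update(("|" + old_alg + ":" + old_hex).encode())
    return h.hexdigest()


def verify(data, chain):
    """Recompute each seal in order; True only if every one matches."""
    return all(
        hmac.compare_digest(seal(data, chain[:i], alg), hexdigest)
        for i, (alg, hexdigest) in enumerate(chain)
    )


def renew(data, chain, year, new_alg):
    """Append a new_alg seal once the newest seal is in its final year."""
    if not verify(data, chain):
        raise ValueError("existing seal does not match the data")
    if EXPIRY_YEAR[chain[-1][0]] > year:
        return chain  # newest seal stays valid beyond this year
    if not is_acceptable(new_alg, year + 1):
        raise ValueError(new_alg + " is not acceptable beyond " + str(year))
    return chain + [(new_alg, seal(data, chain, new_alg))]


if __name__ == "__main__":
    record = b"constructed sample record"  # constructed input
    chain = [("sha1", seal(record, [], "sha1"))]
    chain = renew(record, chain, 2009, "sha256")
    print([alg for alg, _ in chain], verify(record, chain))
```

Renewal happens while the old algorithm is still within its validity period, so the new seal vouches for a digest that was trustworthy at the time it was covered.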