Any reason to not use SHA256 (or newer) for Signer / TimeStampSigner classes?

Cristiano Coelho
Looks like the Signer class (and perhaps other parts of the code) still use SHA1 ([1] and [2]) for the HMAC signing/hashing process.

I'm wondering if there's any specific reason to use SHA1 over newer versions, or if it would be worth it to pass the hash algorithm as a variable or even config option.



[1] https://github.com/django/django/blob/master/django/core/signing.py#L45
[2] https://github.com/django/django/blob/master/django/utils/crypto.py#L23

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/a86b456a-2a01-44d4-8100-be7ca62ead40%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: Any reason to not use SHA256 (or newer) for Signer / TimeStampSigner classes?

Tim Graham-2
There's a ticket about it: https://code.djangoproject.com/ticket/27468

Backwards compatibility is the main consideration.

On Tuesday, May 8, 2018 at 6:44:05 PM UTC-4, Cristiano Coelho wrote:
Looks like the Signer class (and perhaps other parts of the code) still use SHA1 ([1] and [2]) for the HMAC signing/hashing process.

I'm wondering if there's any specific reason to use SHA1 over newer versions, or if it would be worth it to pass the hash algorithm as a variable or even config option.



[1] https://github.com/django/django/blob/master/django/core/signing.py#L45
[2] https://github.com/django/django/blob/master/django/utils/crypto.py#L23

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/f4e7193c-a164-44de-8462-94312876b203%40googlegroups.com.
Re: Any reason to not use SHA256 (or newer) for Signer / TimeStampSigner classes?

Cristiano Coelho
Right, that backwards compatibility issue seems quite difficult to solve, although if the worst thing to happen is that all users are logged out, it shouldn't be that bad. Will read the ticket in detail.

El martes, 8 de mayo de 2018, 20:31:28 (UTC-3), Tim Graham escribió:
There's a ticket about it: https://code.djangoproject.com/ticket/27468

Backwards compatibility is the main consideration.

On Tuesday, May 8, 2018 at 6:44:05 PM UTC-4, Cristiano Coelho wrote:
Looks like the Signer class (and perhaps other parts of the code) still use SHA1 ([1] and [2]) for the HMAC signing/hashing process.

I'm wondering if there's any specific reason to use SHA1 over newer versions, or if it would be worth it to pass the hash algorithm as a variable or even config option.



[1] https://github.com/django/django/blob/master/django/core/signing.py#L45
[2] https://github.com/django/django/blob/master/django/utils/crypto.py#L23

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/6cdfdeca-e8f1-4cda-8c28-f623136e88be%40googlegroups.com.
Re: Any reason to not use SHA256 (or newer) for Signer / TimeStampSigner classes?

Florian Apolloner


On Thursday, May 10, 2018 at 1:31:43 AM UTC+2, Cristiano Coelho wrote:
Right, that backwards compatibility issue seems quite difficult to solve, although if the worst thing to happen is that all users are logged out, it shouldn't be that bad. Will read the ticket in detail.

That is not the worst thing; it will invalidate __anything__ relying on signing. And even "just" log outs are a major issue for bigger sites.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/33f182e0-e8f1-4095-8755-2ce262c203a3%40googlegroups.com.
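The thread raises two points: the first post asks whether the HMAC digest could be made a parameter, and the replies explain why a straight switch breaks compatibility (every existing signature, sessions included, stops verifying). The following is an added example, not Django's code and not from the ticket. It is a simplified signer in the style of django.core.signing with a selectable digest, and it shows both the hard cut-over failure and a transition path in which new signatures use SHA-256 while signatures made under a listed legacy algorithm are still accepted and flagged for reissue. The names (make_signature, sign, verify, unsign, needs_resign, BadSignature), the DEMO_KEY and the salt-less key handling are all assumptions of this example; Django derives its key from SECRET_KEY and a salt, which this toy omits.

```python
"""Selectable-digest HMAC signer modelled loosely on Django's Signer (added example, not Django's code)."""
import base64
import hashlib
import hmac

# Constructed demo key for this example only; a real Django deployment derives
# the HMAC key from SECRET_KEY plus a salt, which this simplified signer omits.
DEMO_KEY = b"constructed-demo-secret-key-do-not-reuse"
SEP = ":"


class BadSignature(Exception):
    """Raised when no accepted algorithm reproduces the signature."""


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, so a signature can never contain SEP.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_signature(value: str, key: bytes = DEMO_KEY, algorithm: str = "sha1") -> str:
    """HMAC of `value` under `key`; the digest algorithm is a parameter rather than fixed."""
    digest = hmac.new(key, value.encode("utf-8"), getattr(hashlib, algorithm)).digest()
    return _b64(digest)


def sign(value: str, key: bytes = DEMO_KEY, algorithm: str = "sha256") -> str:
    """Append an HMAC signature to `value`, separated by SEP."""
    return value + SEP + make_signature(value, key, algorithm)


def verify(signed: str, key: bytes = DEMO_KEY, algorithms=("sha256",)):
    """Return (value, algorithm that matched) or raise BadSignature.

    Candidate algorithms are tried in order. The comparison is constant-time
    so a forger learns nothing from how many leading characters matched.
    """
    value, sep, sig = signed.rpartition(SEP)
    if not sep:
        raise BadSignature("no signature present")
    for alg in algorithms:
        expected = make_signature(value, key, alg)
        if hmac.compare_digest(expected.encode("utf-8"), sig.encode("utf-8")):
            return value, alg
    raise BadSignature("signature does not match any accepted algorithm")


def unsign(signed: str, key: bytes = DEMO_KEY, algorithm: str = "sha256", fallback_algorithms=()):
    """Verify `signed`; `fallback_algorithms` lists legacy digests still accepted during migration."""
    value, _ = verify(signed, key, (algorithm,) + tuple(fallback_algorithms))
    return value


def needs_resign(signed: str, key: bytes = DEMO_KEY, algorithm: str = "sha256", fallback_algorithms=()):
    """True when `signed` only verified under a fallback digest and should be reissued."""
    _, matched = verify(signed, key, (algorithm,) + tuple(fallback_algorithms))
    return matched != algorithm


if __name__ == "__main__":
    legacy = sign("session:42", algorithm="sha1")  # token issued before the switch
    try:
        unsign(legacy, algorithm="sha256")  # hard cut-over: every legacy token is rejected
    except BadSignature as exc:
        print("hard switch rejects legacy token:", exc)
    # Transition: verify new tokens with SHA-256, still accept SHA-1, reissue on sight.
    print(unsign(legacy, algorithm="sha256", fallback_algorithms=("sha1",)))
    print("resign needed:", needs_resign(legacy, fallback_algorithms=("sha1",)))
```

The fallback list is what makes the change deployable without a mass logout: accept the old digest for one release, reissue anything that verified only through it, then drop the fallback. Keep the list short and explicit, since every extra accepted algorithm is another verification path an attacker can target.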