
The first CyanogenMod 13.0 release


Posted Mar 16, 2016 20:11 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
In reply to: The first CyanogenMod 13.0 release by juliank
Parent article: The first CyanogenMod 13.0 release

That's incorrect. HMAC-SHA1 is a perfectly fine combination, even if SHA-1 is not a particularly strong hash these days.

HMAC in SSL is used only for transient hashes; it needs to be strong only for about 60 seconds (a typical connection timeout).

SHA-1 in certificates is bad because certificates stay valid for extended periods.



The first CyanogenMod 13.0 release

Posted Mar 16, 2016 21:42 UTC (Wed) by juliank (guest, #45896) [Link]

It really does not matter, people still think it's unsafe :D

The first CyanogenMod 13.0 release

Posted Mar 17, 2016 7:41 UTC (Thu) by Otus (subscriber, #67685) [Link] (1 responses)

> SHA-1 in certificates is bad because certificates stay valid for extended periods.

While that is true, it is not the main reason SHA-1 is bad in one instance and okay in another. It is because as a signature hash it allows collision attacks, while using it as a MAC or KDF only allows (second) preimage attacks.

The first CyanogenMod 13.0 release

Posted Mar 17, 2016 9:44 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

HMACs are salted with random data, so pre-imaging attacks won't work.
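
An added illustration of the distinction discussed in this thread (collisions against an unkeyed signature hash versus SHA-1 inside HMAC); it is not code from any commenter. SHA-1 is truncated to 24 bits as an assumption so that a birthday search finishes instantly, and the names `toy_hash`, `rfc2104`, `find_collision` and `demo` are hypothetical.

```python
import hashlib
import hmac
import os

BITS = 24  # toy digest size (assumption): collisions cost about 2**12 tries


def toy_hash(msg: bytes) -> bytes:
    """SHA-1 truncated to BITS bits, standing in for a hash with cheap collisions."""
    return hashlib.sha1(msg).digest()[:BITS // 8]


def rfc2104(h, key: bytes, msg: bytes, block: int = 64) -> bytes:
    """HMAC as defined in RFC 2104 over hash function h (64-byte block, as SHA-1)."""
    if len(key) > block:
        key = h(key)
    key = key.ljust(block, b"\x00")
    inner = h(bytes(k ^ 0x36 for k in key) + msg)
    return h(bytes(k ^ 0x5C for k in key) + inner)


def find_collision():
    """Offline birthday search on the unkeyed hash; needs no secret at all."""
    seen = {}
    i = 0
    while True:
        msg = b"constructed-message-%d" % i  # constructed sample inputs
        digest = toy_hash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        i += 1


def demo(key: bytes) -> dict:
    """Compare the colliding pair under the bare hash and under keyed HMAC."""
    m1, m2 = find_collision()
    return {
        "messages_differ": m1 != m2,
        # Signature-style use: one digest now covers two different messages.
        "unkeyed_collide": toy_hash(m1) == toy_hash(m2),
        # MAC use: the inner hash starts from keyed data the searcher never saw,
        # so the precomputed pair does not carry over to the tags.
        "hmac_collide": hmac.compare_digest(
            rfc2104(toy_hash, key, m1), rfc2104(toy_hash, key, m2)),
    }


if __name__ == "__main__":
    print(demo(os.urandom(20)))
```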

