Python-Crypto

HMAC uses md5 by default

Bug #420528 reported by gimli5009 on 2009-08-28

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Python-Crypto	Confirmed	Wishlist	Unassigned

Bug Description

the HMAC module in Crypto.Hash.HMAC uses the md5 hash by default, md5 is a largely outdated hash with many known security vulnerabilities (see http://en.wikipedia.org/wiki/MD5#Vulnerability). I suggest changing the default to SHA-2 or not having one and instead having a user passing in a hash function that they believe to be secure.

Revision history for this message

Darsey Litzenberger (dlitz) wrote on 2010-05-29:

We can't change the default to SHA-2 without silently breaking people's code. The best we can do is to emit a warning when the default is relied upon, and eventually force the user to explicitly specify the hash function.

Changed in pycrypto:
status:	New → Confirmed
importance:	Undecided → Wishlist

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.