Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revise hashlib documentation concerning SHA-1 and FIPS #129327

Open
ToxicMushroom opened this issue Jan 26, 2025 · 3 comments
Open

Revise hashlib documentation concerning SHA-1 and FIPS #129327

ToxicMushroom opened this issue Jan 26, 2025 · 3 comments
Labels
docs Documentation in the Doc dir

Comments

@ToxicMushroom
Copy link

ToxicMushroom commented Jan 26, 2025
edited by bedevere-app bot
Loading

Feature or enhancement

Proposal:

Removal of sha-1/Moving sha-1 out of the NIST set since it's been long broken and NIST no longer considers it secure + removed from the quoted FIPS 180 standards in the docs.

Source:

Has this already been discussed elsewhere?

No response given

Links to previous discussion of this feature:

No response

Linked PRs
@ToxicMushroom ToxicMushroom added the type-feature A feature request or enhancement label Jan 26, 2025
@Eclips4 Eclips4 added the type-security A security issue label Jan 26, 2025
@eli-schwartz
Copy link
Contributor

There is no hashlib.algorithms_nist, and the hashlib.algorithms_guaranteed has nothing to do with NIST guarantees as it even includes md5. It is just... well, guaranteed to be installed.

I think this means that the only change to make here is a documentation change, correct?

@picnixz picnixz added docs Documentation in the Doc dir and removed type-feature A feature request or enhancement type-security A security issue labels Jan 27, 2025
@picnixz
Copy link
Member

picnixz commented Jan 27, 2025
edited
Loading

MD5 is also broken as a cryptographic hash function but we won't remove since it can be used to compute file digests. But we can update the docs.

eli-schwartz added a commit to eli-schwartz/cpython that referenced this issue Jan 27, 2025
@eli-schwartz
pythongh-129327: revise hashlib documentation to account for FIPS rem…
960d84a 
…oving sha1
@bedevere-app bedevere-app bot mentioned this issue Jan 27, 2025
Open
eli-schwartz added a commit to eli-schwartz/cpython that referenced this issue Jan 27, 2025
@eli-schwartz
pythongh-129327: revise hashlib documentation to account for FIPS rem…
67c4294 
…oving sha1

More generally, the current documentation is a bit scattered, talking
about what terms are "equal" despite those terms not being very
interesting and given the term "secure hash", probably wrong (because
md5 and sha1 are not secure anymore).

Let's talk about cryptographically secure instead, and note that two of
them aren't. And then we can also link to the source for NIST going
through the removal process for SHA1.
@picnixz picnixz changed the title Removal of SHA-1 per NIST FIPS 180-4 recommendation Revise hashlib documentation concerning SHA-1 and FIPS Jan 27, 2025
@ToxicMushroom
Copy link
Author

Yeah if the docs are clear on it then it should be enough, ty :)

It came to my attention because I saw seafile using it for password hashes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docs Documentation in the Doc dir
Projects
docs issues
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
4 participants
@eli-schwartz @picnixz @ToxicMushroom @Eclips4