<br><br><div class="gmail_quote">On Sun, Jun 10, 2012 at 9:11 AM, Nick Coghlan <span dir="ltr"><<a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Mon, Jun 11, 2012 at 1:52 AM, Masklinn <<a href="mailto:masklinn@masklinn.net">masklinn@masklinn.net</a>> wrote:<br>
> On 2012-06-10, at 17:28 , Nick Coghlan wrote:<br>
</div><div class="im">>> 1. Create an issue on <a href="http://bugs.python.org" target="_blank">bugs.python.org</a> proposing just the binary<br>
>> version of pbkdf2 as an enhancement to hmac<br>
><br>
> Although it makes sense from a dependency POV, I'm not sure it's the<br>
> best place to put it as people in need of knowing about PBKDF2 would<br>
> be more likely to be browsing hashlib, and — more importantly — PBKDF2<br>
> isn't a MAC, the usage of hmac underlying it being mostly incidental.<br>
><br>
> If PBKDF2 alone is added, I think putting it in its own module<br>
> (parallel to hmac) would be cleaner, *that* can be deprecated if<br>
> more cryptographic hashes of that style (e.g. bcrypt, scrypt) are<br>
> added later on in the style of md5 -> hashlib.<br>
<br>
</div>Yeah, you're probably right. Either a new module, or else in "getpass"<br>
(either way, with a cross-reference from hashlib).<br>
<br>
Wherever it ends up, it should also reference hmac.secure_compare for<br>
a comparison function that doesn't allowing timing attacks to<br>
progressively discover the expected hash.<br>
<div class="im HOEnZb"><br></div></blockquote><div><br></div><div>I'd just stick it in hmac myself but getpass was also a good suggestion. Cross reference to it from the docs of all three as the real goal of adding pbkdf2 is to advertise it to users so that they might use it rather than something more naive.</div>
<div><br></div><div>hashlib itself should be kept pure as is for standard low level hash algorithms. It can't have a dependency on anything else.</div><div><br></div><div>Even if this doesn't make it into the stdlib in time for 3.3, feel free to update the getpass, hmac and/or hashlib docs to point to the pbkdf2 module externally as a suggestion for passphrase/secret hashing.</div>
<div><br></div><div>-gps</div></div>