[Cryptography-dev] Is SHA-1 secure when used in HMAC and PBKDF2?
David Lord
davidism at gmail.com
Wed Mar 15 13:48:40 EDT 2017
Hello cryptography,
Over at the Flask repos, we've had a number of requests to use SHA-256
instead of SHA-1 in a couple places.
Werkzeug defaults to SHA-1 as part of PBKDF2 to generate password hashes.
ItsDangerous defaults to SHA-1 as part of HMAC signatures.
After some discussion I concluded that as used in those two methods,
SHA-1's collision issues were not relevant.
However, I'd like to get a second opinion from the cryptography experts.
I can change the default to SHA-256, but if it's not actually making things
more secure then that's just increasing time and space for no reason.
Thanks,
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20170315/a3a00c1f/attachment.html>
More information about the Cryptography-dev
mailing list