Re: sha1, sha2 functions into core?
| От | Andrew Dunstan |
|---|---|
| Тема | Re: sha1, sha2 functions into core? |
| Дата | |
| Msg-id | 502BC7B5.8080206@dunslane.net обсуждение исходный текст |
| Ответ на | Re: sha1, sha2 functions into core? (Bruce Momjian <bruce@momjian.us>) |
| Список | pgsql-hackers |
On 08/15/2012 11:48 AM, Bruce Momjian wrote: > On Wed, Aug 15, 2012 at 11:37:04AM -0400, Andrew Dunstan wrote: >> On 08/15/2012 11:22 AM, Joe Conway wrote: >>> On 08/15/2012 06:48 AM, Tom Lane wrote: >>>>> On Wed, Aug 15, 2012 at 6:11 AM, Bruce Momjian <bruce@momjian.us> wrote: >>>>>> Is there a TODO here? >>>> If anybody's concerned about the security of our password storage, >>>> they'd be much better off working on improving the length and randomness >>>> of the salt string than replacing the md5 hash per se. >>> Or change to an md5 HMAC rather than straight md5 with salt. Last I >>> checked (which admittedly was a while ago) there were still no known >>> cryptographic weaknesses associated with an HMAC based on md5. >>> >> >> >> Possibly. I still think the right time to revisit this whole area >> will be when the NIST Hash Function competition ends supposedly >> later this year. See >> <http://csrc.nist.gov/groups/ST/hash/timeline.html>. At that time we >> should probably consider moving our password handling to use the new >> standard function. > Are we really going to be comforable with a algorithm that is new? > The only thing that will be new about it will be that it's the new standard. There is a reason these crypto function competitions runs for quite a few years. cheers andrew
В списке pgsql-hackers по дате отправления: