Message 159759 - Python tracker

Message159759

Author	Jon.Oberheide
Recipients	Jon.Oberheide, neologix, pitrou, r.david.murray, sbt, vstinner
Date	2012-05-01.15:40:55
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1335886856.1.0.808474976986.issue14532@psf.upfronthosting.co.za>
In-reply-to

Content
> You should explain what you already said: it is not a risk because the > length of a HMAC is fixed. Well, that's not entirely accurate. Exposing the length of the HMAC can expose what underlying hash is being used (eg. HMAC-SHA1 has different length than HMAC-MD5). It's generally not considered a risk since exposing the algorithm being used shouldn't impact your security (unless you're doing it very wrong).

Content

> You should explain what you already said: it is not a risk because the
> length of a HMAC is fixed.

Well, that's not entirely accurate. Exposing the length of the HMAC can expose what underlying hash is being used (eg. HMAC-SHA1 has different length than HMAC-MD5). It's generally not considered a risk since exposing the algorithm being used shouldn't impact your security (unless you're doing it very wrong).

History
Date	User	Action	Args
2012-05-01 15:40:56	Jon.Oberheide	set	recipients: + Jon.Oberheide, pitrou, vstinner, r.david.murray, neologix, sbt
2012-05-01 15:40:56	Jon.Oberheide	set	messageid: <1335886856.1.0.808474976986.issue14532@psf.upfronthosting.co.za>
2012-05-01 15:40:55	Jon.Oberheide	link	issue14532 messages
2012-05-01 15:40:55	Jon.Oberheide	create