Date: Mon, 26 Oct 2020 01:12:33 +0000 (UTC)
From: shyouhei@ruby-lang.org
To: ruby-core@ruby-lang.org
Subject: [ruby-core:100541] [Ruby master Feature#17282] Deprecate Digest::SHA1

Issue #17282 has been updated by shyouhei (Shyouhei Urabe).

Status changed from Open to Third Party's Issue

Digest is now a separate project. https://github.com/ruby/digest

P.S. I want "2nd party's issue" status. `ruby/digest` is not a 3rd party.

----------------------------------------
Feature #17282: Deprecate Digest::SHA1
https://bugs.ruby-lang.org/issues/17282#change-88169

* Author: olivierlacan (Olivier Lacan)
* Status: Third Party's Issue
* Priority: Normal
----------------------------------------
In light of the widespread deprecation of SHA1 due to the collision risk it poses, should Ruby still expose it without a warning within Digest::SHA1?

[FIPS PUB 180-1](https://csrc.nist.gov/publications/detail/fips/180/1/archive/1995-04-17) which is referenced by the [Digest::SHA1 documentation](https://docs.ruby-lang.org/en/master/Digest/SHA1.html) was withdrawn on August 01, 2002, superseded by [FIPS 180-2](https://csrc.nist.gov/publications/detail/fips/180/2/archive/2002-08-01) (which introduced SHA-256, SHA-384, and SHA-512), and later withdrawn and superseded multiple times until [FIPS 180-4](https://csrc.nist.gov/publications/detail/fips/180/4/final) which recommends SHA3.
SHA3 isn't currently supported by the Digest class although there exist Ruby gem implementations:
- https://github.com/johanns/sha3
- https://github.com/phusion/digest-sha3-ruby

References:
- https://mailarchive.ietf.org/arch/msg/openpgp/Rp-inhYKT8A9H5E34iLTrc9I0gc/
- https://csrc.nist.gov/news/2017/research-results-on-sha-1-collisions
- https://csrc.nist.gov/publications/detail/sp/800-131a/rev-1/archive/2015-11-06
- https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final

Quoting from NIST's piece on research regarding SHA1 collisions:

> NIST deprecated the use of SHA-1 in 2011 and disallowed its use for digital signatures at the end of 2013, based on both the Wang, et. al, attack and the potential for brute-force attack. To ensure that practitioners have secure and efficient hash algorithms to provide long-term security, NIST organized an international competition to select a new hash algorithm standard, SHA-3, which is specified in FIPS 202.

My recommendation would be to print a deprecation warning when Digest::SHA1 is used to alert Ruby users that they should perhaps upgrade to a safer standard. SHA3 should perhaps be supported by Digest as well.

-- 
https://bugs.ruby-lang.org/
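
The warning proposed in the issue description can be approximated in application code by wrapping the class-level entry points of Digest::SHA1. This is an added example, not code from Ruby, ruby/digest or anyone in this thread; the module name `SHA1DeprecationWarning`, the message wording, the pointer to Digest::SHA256 and the once-per-call-site policy are all assumptions.

```ruby
require "digest"
require "digest/sha1"
require "digest/sha2"

# Hypothetical helper (not part of Ruby or ruby/digest): warn once per call
# site whenever Digest::SHA1 is reached through its class-level entry points.
module SHA1DeprecationWarning
  SEEN = {}  # "path:line" => true for call sites already reported
  MESSAGE = "Digest::SHA1 is deprecated for security use; " \
            "consider Digest::SHA256"  # wording is an assumption
  FLAG = :sha1_deprecation_warning_active

  # Returns true when a new call site was reported, false when already seen.
  def self.report(location)
    key = "#{location.path}:#{location.lineno}"
    return false if SEEN.key?(key)
    SEEN[key] = true
    Kernel.warn("#{key}: warning: #{MESSAGE}")
    true
  end

  module ClassMethods
    # hexdigest, base64digest and file reach digest or new internally, so a
    # per-thread flag lets only the outermost call report the user's line.
    %i[new digest hexdigest base64digest file].each do |name|
      define_method(name) do |*args, &block|
        outermost = !Thread.current[FLAG]
        SHA1DeprecationWarning.report(caller_locations(1, 1).first) if outermost
        Thread.current[FLAG] = true
        begin
          super(*args, &block)
        ensure
          Thread.current[FLAG] = false if outermost
        end
      end
    end
  end
end

# Prepending to the singleton class leaves the digest output itself unchanged.
Digest::SHA1.singleton_class.prepend(SHA1DeprecationWarning::ClassMethods)
```

`SHA1DeprecationWarning::SEEN.keys` then gives an inventory of SHA-1 call sites exercised by a test run, which is a practical starting list for migration.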