On 6/12/26 20:37, Peter Gutmann wrote:
> Robert Rothenberg <[email protected]> writes:
>> Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm
>> and number of iterations.
>> The default algorithm is HMAC-SHA1, which should only be used for legacy
>> systems.
> Minor nit, there's actually nothing wrong with HMAC-SHA1 since the HMAC
> construct prevents all of the attacks on SHA1. Even the rather broken MD5 is
> still fine if used in an HMAC construct.
Does the shorter output length (128 bits for MD5; 160 bits for SHA-1)
cause problems? Has the general advance of computing power caught up to
HMAC-MD5 and HMAC-SHA1, or do they remain secure? (Similar to how DES
remains unbroken in the cryptanalytic sense, but its 56-bit keyspace is
now vulnerable to brute force.)
-- Jacob
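The two parameters the advisory singles out (the HMAC hash used as the PRF and the iteration count) are both visible in a stored PBKDF2 hash, so an application can detect and upgrade weak hashes at login time. The following is an added example, not code from the thread, from Crypt::PBKDF2, or from any of its posters. It uses Python's standard `hashlib.pbkdf2_hmac` rather than the Perl module, and the storage format (`pbkdf2$hash$iters$salt$dk`), the `MIN_ITERATIONS` threshold and the minimum salt length are assumptions chosen for the example. It also shows the output-length point from the reply: with no explicit `dklen`, the derived key is exactly the digest size of the PRF's hash (16 bytes for MD5, 20 for SHA-1, 32 for SHA-256).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy thresholds: assumptions for this example, not values from the thread.
MIN_ITERATIONS = 600_000          # below this the hash is flagged for rehash
MIN_SALT_BYTES = 16
LEGACY_PRF_HASHES = {"md5", "sha1"}  # flagged as "legacy PRF" by the policy


@dataclass(frozen=True)
class Pbkdf2Params:
    hash_name: str          # hash used inside HMAC as the PBKDF2 PRF
    iterations: int
    salt: bytes
    dklen: Optional[int] = None  # None -> hashlib uses the hash's digest size


def derive(password: bytes, p: Pbkdf2Params) -> bytes:
    """Run PBKDF2 with HMAC-<p.hash_name> as the PRF."""
    return hashlib.pbkdf2_hmac(p.hash_name, password, p.salt, p.iterations, p.dklen)


def encode(password: bytes, p: Pbkdf2Params) -> str:
    """Serialise as 'pbkdf2$hash$iters$salt_hex$dk_hex' (a constructed format)."""
    dk = derive(password, p)
    return f"pbkdf2${p.hash_name}${p.iterations}${p.salt.hex()}${dk.hex()}"


def parse(stored: str) -> Tuple[Pbkdf2Params, bytes]:
    """Recover the parameters and derived key from the stored string."""
    tag, hash_name, iters, salt_hex, dk_hex = stored.split("$")
    if tag != "pbkdf2":
        raise ValueError("not a pbkdf2 record")
    dk = bytes.fromhex(dk_hex)
    return Pbkdf2Params(hash_name, int(iters), bytes.fromhex(salt_hex), len(dk)), dk


def verify(password: bytes, stored: str) -> bool:
    """Constant-time comparison of a fresh derivation against the stored key."""
    p, expected = parse(stored)
    return hmac.compare_digest(derive(password, p), expected)


def weaknesses(p: Pbkdf2Params) -> List[str]:
    """List the policy violations of a parameter set (empty list means OK)."""
    issues = []
    if p.hash_name in LEGACY_PRF_HASHES:
        issues.append(f"legacy PRF hash {p.hash_name}")
    if p.iterations < MIN_ITERATIONS:
        issues.append(f"iterations {p.iterations} < {MIN_ITERATIONS}")
    if len(p.salt) < MIN_SALT_BYTES:
        issues.append(f"salt {len(p.salt)} bytes < {MIN_SALT_BYTES}")
    return issues


def needs_rehash(stored: str) -> bool:
    """True when a stored hash should be re-derived with current parameters."""
    return bool(weaknesses(parse(stored)[0]))


def upgrade_on_login(password: bytes, stored: str) -> Optional[str]:
    """After a successful login, return a replacement record if the old one is weak.

    Returns None when the password is wrong or the record already meets policy.
    """
    if not verify(password, stored):
        return None
    if not needs_rehash(stored):
        return None
    fresh = Pbkdf2Params("sha256", MIN_ITERATIONS, os.urandom(MIN_SALT_BYTES))
    return encode(password, fresh)


if __name__ == "__main__":
    # Constructed sample: a record produced with the weak defaults the advisory describes.
    weak = Pbkdf2Params("sha1", 1000, bytes(16))
    record = encode(b"correct horse", weak)
    print("weaknesses:", weaknesses(weak))
    print("new record:", upgrade_on_login(b"correct horse", record))
```

Rehashing at login is the only point where the plaintext password is available, so `upgrade_on_login` is where a migration away from the old defaults has to happen; records that never log in again can only be expired.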