Remove SHA-1 (once and for all) #2551
Comments
|
SHA-1 is still allowed (but phased out) by NIST until 2030. NIST Retires SHA-1 Cryptographic Algorithm:
keylength.com → According to keylength.com, SHA-1 is still allowed by NIST until 2030 (and beyond?) for HMAC, KMAC, key derivation functions and random bit generation. |
|
Options for SHA-1:
|
|
A general point of view for the legacy support - ASVS v5.0 does not need to support or "legalize" old technologies if those provide a practical attack surface. For the requirement, the point of view should be - if you start building a new application today, what kind of requirements (and not just recommendations) do you need to apply for that? And for legacy systems - is the requirement that critical and important, that legacy systems must update themselves, otherwise there is a vulnerability. |
elarlang
added
V6
1) Discussion ongoing
|
Here are the exact status from NIST SP 800-131A Rev. 2:
Here are the exact status from NIST SP 800-131A Rev. 3 (Initial Public Draft):
|
|
You applications will be future proof and more secure if you keep away from SHA-1. The advances in quantum computing, quantum networking and high speed computing in just the last few months is remarkable. |
|
@randomstuff what would this change in V6 (or elsewhere?) |
|
This would remove HMAC-SHA1 which in all honesty, it probably should be gone now. LEaving MD5/SHA-1/any broken hash or cipher in a standard should be for backwards compatibility and verification of old hashes ONLY, in general. |
|
Perhaps the solution here is to have three sets of crypto guidance.
I really do not want to encourage any new development with SHA-1, and I feel we would be irresponsible if we did. But I do realize legacy use of it, in some cases, is not always a security violation, at least not yet, even if it may be in the near future. |
|
@jmanico, Yes, maybe. Actually, I suggested this here #2398 (comment) :) |
|
Quoting myself on SHA-1:
|
|
Fair point @randomstuff PS: WebAuthN and FIDO2 use HMAC-256/512. But I am more concerned about new web and API development not standards and protocol developement. Dev's are not likely at all to to build their own TOTP solution from scratch in web development. So if I was to release a secure coding standard for Web devs that will likely be around for 3-5 years like the last version of ASVS, I'd suggest eliminating all SHA1 for future proofing. ASVS 5 will likely be around as NIST starts to deprecate even HMAC-SHA1 in a few years. |
|
@jmanico, Yes. My TOTP/HOTP comment maye be seen as an argument for mentioning HMAC-SHA-1 as allowed for "legacy"/compatibility. |
This is how I've written cryptography standards before, and it's painfully necessary. 😅 |
|
Thank you @unprovable and @randomstuff I saw a recent PR dropping HMAC-SHA1. Are we all in agreement and can we close this out? |
|
This snippet is still there event if HMAC-SHA-1 is not listed as allowed:
I'll remove this. Moreover something should be done along in the allowed/disallowed/legacy direction but that can be done as part of #2398 |
|
Hi @randomstuff, is there anything else to do for this issue after merging PR #2561? |
|
@tghosth, if we follow the route of having approved/legacy/disapproved levels, we should add SHA-1 back "as legacy with restrictions". |
|
Yes OK! |
According to #2500 (comment), shall we disallow any usage of SHA-1?
Related:
@unprovable
The text was updated successfully, but these errors were encountered: