rfc:hash-functions-empty-key-warning

rfc:hash-functions-empty-key-warning [2016/04/21 00:01] – created sammyk
rfc:hash-functions-empty-key-warning [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 10: Line 10:
  
 ===== Proposal ===== ===== Proposal =====
-It's not uncommon to accidentally hash data with a null or empty key. Doing this has security implications that currently happen quietly in the background since [[https://3v4l.org/AF998|PHP has no issue hashing data with an empty key]]. To bring the security issue to the attention of the user, a warning should be raised if the key is empty.+It's not uncommon to accidentally hash data with an empty or [[http://www.cryptofails.com/post/70059595978/myself-using-the-same-key-to-encrypt-everything|non-string]] key. Doing this [[http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/key_management_empty_hmac_key.html|has security implications]] that currently happen quietly in the background since [[https://3v4l.org/AF998|PHP has no issue hashing data with an empty key]]. To bring the security issue to the attention of the user, a warning should be raised if the key is empty.
  
 Ideally this would throw a fatal error, but as [[https://twitter.com/ezimuel/status/721006534847832064|Enrico Zimuel pointed out]], it's not technically an error. Ideally this would throw a fatal error, but as [[https://twitter.com/ezimuel/status/721006534847832064|Enrico Zimuel pointed out]], it's not technically an error.
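Review bot: the rewritten first sentence now also names non-string keys, but the proposal sentence that follows still says only that a warning should be raised "if the key is empty", so the non-string case is raised and then dropped; either say what the warning does for a non-string (for example null) key or keep the first sentence to empty keys. The link behind "non-string" points at a cryptofails post whose URL reads "myself-using-the-same-key-to-encrypt-everything", which is about key reuse rather than key type, so the anchor text and the citation do not match; a source that actually covers non-string keys would fit better. The added "has security implications" link to the vulncat entry on empty HMAC keys does support the empty-key claim directly and is worth keeping.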
Line 21: Line 21:
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
-The patch is very light weight - most of it is just the tests.+[[https://github.com/php/php-src/compare/master...SammyK:hash-hmac-warning?expand=1|The patch is very light weight]] - most of it is just the tests.
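Review bot: the compare URL now linked from "The patch is very light weight" points at a branch on a personal fork (master...SammyK:hash-hmac-warning) with ?expand=1, which will change or disappear as that branch moves; an RFC should link a pull request or a fixed commit so the patch that was voted on can still be found later. The branch name also suggests the change targets hash_hmac specifically, while the RFC title speaks of "hash functions" in general; the Patches and Tests section should name which functions the warning is added to and what the tests exercise, rather than only noting that most of the patch is tests.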
rfc/hash-functions-empty-key-warning.1461196890.txt.gz · Last modified: 2017/09/22 13:28 (external edit)