rfc:hash-functions-empty-key-warning

Differences

This shows you the differences between two versions of the page.

rfc:hash-functions-empty-key-warning [2016/04/21 00:02] – Add link to patch (sammyk) → rfc:hash-functions-empty-key-warning [2017/09/22 13:28] (current) – external edit (127.0.0.1)
Line 10:

 ===== Proposal =====

-It's not uncommon to accidentally hash data with a null or empty key. Doing this has security implications that currently happen quietly in the background since [[https://3v4l.org/AF998|PHP has no issue hashing data with an empty key]]. To bring the security issue to the attention of the user, a warning should be raised if the key is empty.
+It's not uncommon to accidentally hash data with an empty or [[http://www.cryptofails.com/post/70059595978/myself-using-the-same-key-to-encrypt-everything|non-string]] key. Doing this [[http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/key_management_empty_hmac_key.html|has security implications]] that currently happen quietly in the background since [[https://3v4l.org/AF998|PHP has no issue hashing data with an empty key]]. To bring the security issue to the attention of the user, a warning should be raised if the key is empty.

 Ideally this would throw a fatal error, but as [[https://twitter.com/ezimuel/status/721006534847832064|Enrico Zimuel pointed out]], it's not technically an error.
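The following is an added illustration, not the RFC's patch and not code from the PHP source tree. It shows why a silently accepted empty key is a security problem (HMAC zero-pads a short key to the block size, so an empty key is the same as a publicly known all-zero key) and a userland stand-in, hypothetically named checked_hash_hmac(), for the warning the proposal asks hash_hmac() to raise. The message string is constructed for the example.

```php
<?php
// Added example: consequences of an empty HMAC key in PHP, and a userland
// wrapper that raises the warning this RFC proposes. Not the RFC's patch.

// Constructed sample message.
$message = 'amount=100&to=alice';

// 1. HMAC pads any key shorter than the hash's block size with zero bytes.
//    An empty key therefore becomes 64 zero bytes for SHA-256, so the MAC is
//    identical to one computed with a key anyone can guess: no secret, no
//    integrity protection.
$withEmptyKey = hash_hmac('sha256', $message, '');
$withZeroKey  = hash_hmac('sha256', $message, str_repeat("\0", 64)); // SHA-256 block size = 64 bytes
var_dump($withEmptyKey === $withZeroKey);

// 2. Current PHP raises no warning for this, and in coercive (non-strict)
//    mode a null key is quietly converted to '' as well, so an uninitialised
//    config value ends up as the empty key above.
var_dump(hash_hmac('sha256', $message, null) === $withEmptyKey);

/**
 * Hypothetical userland stand-in for the RFC's change: hash_hmac() that warns
 * on a non-string or empty key and returns false, the way PHP's hash functions
 * signal other argument errors, instead of silently producing a forgeable MAC.
 */
function checked_hash_hmac(string $algo, string $data, $key, bool $raw_output = false)
{
    if (!is_string($key)) {
        trigger_error(
            'hash_hmac(): key must be a string, ' . gettype($key) . ' given',
            E_USER_WARNING
        );
        return false;
    }
    if ($key === '') {
        trigger_error(
            'hash_hmac(): empty key used; the HMAC provides no security',
            E_USER_WARNING
        );
        return false;
    }
    return hash_hmac($algo, $data, $key, $raw_output);
}

// Both mistakes are now reported instead of passing quietly.
var_dump(checked_hash_hmac('sha256', $message, ''));
var_dump(checked_hash_hmac('sha256', $message, null));

// A real key still works. Compare MACs with hash_equals() so the comparison
// does not leak timing information.
$key = random_bytes(32);
$mac = checked_hash_hmac('sha256', $message, $key);
var_dump(hash_equals($mac, hash_hmac('sha256', $message, $key)));
```

Returning false on a bad key follows the convention of PHP's own hash functions, but callers must check for it: passing false on to hash_equals() is a TypeError rather than a valid comparison, which is the kind of loud failure the RFC is after.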
rfc/hash-functions-empty-key-warning.1461196970.txt.gz · Last modified: 2017/09/22 13:28 (external edit)