search

pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io
Other
6.64k stars 1.52k forks source link

Support for MD4 Hashing #2948

Closed ianclegg closed 8 years ago

ianclegg commented 8 years ago

First off, this is a great project the objective is very sound - for future projects it'll be top of my list.

Down to business - I maintain ntlmlib, a Windows NTLM authentication implementation which relies pycrypto - I would like to switch to cryptography but it lacks MD4. Both OpenSSL and Common Cryptography offer implementations, is there any appetite to surface these via cryptography? I think we all know MD4 is not suitable for new projects, but many existing and legacy protocols still require it. I'm thinking Microsofts NTLM, MSCHAPv2, PPP, older versions of rsync. You'd have another happy customer.

I can put a PR together if your interested?

reaperhulk commented 8 years ago

You can get md4 out of hashlib from the standard library. Is there some reason you think this needs to be exposed in cryptography itself?

ianclegg commented 8 years ago

Well the goal on cryptography homepage was to become a 'cryptographic standard library' - so I guess its a matter of completeness - the hashlib standard library also offers MD5 and a fair number of SHA implementations, but cryptography still exposes the them from its backends. I think the patch would be fairly trivial + a few tests + some doco updates? Not a deal breaker if your not interested

alex commented 8 years ago

Given the incredible age of MD4, and it's known insecurity, plus the fact that the actual standard library has it, we're not going to expose it. Standard libraries shouldn't be death balls of pointy spikes which hurt you.

ianclegg commented 8 years ago

To be fair all that applies to MD5 too - but I like a decisive answer

alex commented 8 years ago

MD5 is slightly less broken, and much more widely used. I'd love to delete it eventually.

On Thu, Jun 2, 2016 at 7:22 PM, Ian Clegg notifications@github.com wrote:

To be fair all that applies to MD5 too - but I like a decisive answer

— You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub https://github.com/pyca/cryptography/issues/2948#issuecomment-223451493, or mute the thread https://github.com/notifications/unsubscribe/AAADBO_eAIs6l1QZc8YGd85csyEKBJyiks5qH2XPgaJpZM4ItAKY .

"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6