Open zenzora opened 9 years ago
Section 3.1 Seems to support this
"It is important to note that at this time, it is not clear that HMAC-SHA-256 with a truncation length of 128 bits is any more secure than HMAC-SHA1 with the same truncation length"
All in all the important issue here is the length of the key. Which in both cases in bound to 2^64
BTW, this really is a great plugin, thanks a bunch for developing it.
I don't believe that the rankings should take points off for a site implementing SHA-1 HMAC as a collision attack isn't really applicable in that situation. Many secure sites, including banks, use SHA-1 HMACs without controversy.