[issue15061] hmac.secure_compare() leaks information about length of strings
Hynek Schlawack
report at bugs.python.org
Sat Jun 23 17:35:10 CEST 2012
Hynek Schlawack <hs at ox.cx> added the comment:
> For 3.4, I hope to see a discussion open up regarding the idea of something like a "securitytools" module that aims to provide some basic primitives for operations where Python's standard assumptions (such as flexibility and short circuiting behaviour) are a bad fit for security reasons. That would include exposing a C level full_compare option, as well as the core pbkdf2 algorithm.
Strong +1 on that one. We could even consider adding bcrypt and scrypt as C isn't really an issue for us.
Ideally we'd add a module with docs which both promote and leverage secure behavior. Basically how to realize http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html in Python.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue15061>
_______________________________________
More information about the Python-bugs-list
mailing list