[Ur] Thoughts on cryptographic hashing for Ur/Web standard library?
Benjamin Barenblat
benjamin at barenblat.name
Wed May 23 12:22:54 EDT 2018
On Saturday, May 19, 2018, at 3:52 pm -0400, Adam Chlipala wrote:
> It has been pointed out <https://github.com/urweb/urweb/pull/114> that
> Ur/Web's Basis.crypt uses DES, a weak hashing approach by today's
> standards. I can think of a few potential courses of action:
>
> [...]
>
> 2. Switch to a different cryptosystem available in OpenSSL's libcrypto,
> which is already linked with all Ur/Web apps.
> 3. Realize that literally no one is using this function and just delete
> it from the standard library. (A less severe version is to ask a
> small but nonzero-size user community to switch to using separate
> libraries for this functionality.)
I think we should pursue both of these: Remove crypt from the standard
library, and replace its functionality with external libraries that
depend on OpenSSL.
I wrote bindings for the OpenSSL MD5, SHA-1, and SHA-2 APIs a while
back [1]. They're Apache-licensed. I'd love to see them get wider
use, and I'd welcome patches to add additional hash functions. I've also
written a bcrypt wrapper [2], so you've got two options if you want to
use bcrypt (the other being [3]). I AGPL-licensed my bcrypt wrapper, but
I'd be happy to relicense to Apache.
There may also be room for a general-purpose OpenSSL library for
Ur/Web. Such a library would bring the useful parts of the OpenSSL API
(data hashing, HMACs, password hashing, AES, ChaCha20/Poly1305, etc.) to
all Ur/Web applications and would effectively supersede [1]. I've been
working on something similar for Haskell [4], which could be a useful
model.
[1] https://benjamin.barenblat.name/git/urweb-crypto-hash-openssl.git
https://github.com/bbarenblat/urweb-crypto-hash-openssl
[2] https://benjamin.barenblat.name/git/urweb_bcrypt.git
https://github.com/bbarenblat/urweb_bcrypt
[3] https://github.com/steinuil/urweb-bcrypt
[4] https://github.com/google/btls
More information about the Ur
mailing list