[Ur] Thoughts on cryptographic hashing for Ur/Web standard library?

Adam Chlipala adamc at csail.mit.edu
Fri May 25 14:58:47 EDT 2018


That sounds like a pretty credible plan!  If no one objects by, say, the 
end of this coming Monday, I will feel free to remove 'crypt' from the 
standard library, counting on others to figure out the right way to 
materialize a more comprehensive freestanding library.

On 05/23/2018 12:22 PM, Benjamin Barenblat wrote:
> On Saturday, May 19, 2018, at 3:52 pm -0400, Adam Chlipala wrote:
>> It has been pointed out <https://github.com/urweb/urweb/pull/114> that
>> Ur/Web's Basis.crypt uses DES, a weak hashing approach by today's
>> standards.  I can think of a few potential courses of action:
>>
>> [...]
>>
>>   2. Switch to a different cryptosystem available in OpenSSL's libcrypto,
>>      which is already linked with all Ur/Web apps.
>>   3. Realize that literally no one is using this function and just delete
>>      it from the standard library.  (A less severe version is to ask a
>>      small but nonzero-size user community to switch to using separate
>>      libraries for this functionality.)
> I think we should pursue both of these: Remove crypt from the standard
> library, and replace its functionality with external libraries that
> depend on OpenSSL.
>
> I wrote bindings for the OpenSSL MD5, SHA-1, and SHA-2 APIs a while
> back [1]. They're Apache-licensed. I'd love to see them get wider
> use, and I'd welcome patches to add additional hash functions. I've also
> written a bcrypt wrapper [2], so you've got two options if you want to
> use bcrypt (the other being [3]). I AGPL-licensed my bcrypt wrapper, but
> I'd be happy to relicense to Apache.
>
> There may also be room for a general-purpose OpenSSL library for
> Ur/Web. Such a library would bring the useful parts of the OpenSSL API
> (data hashing, HMACs, password hashing, AES, ChaCha20/Poly1305, etc.) to
> all Ur/Web applications and would effectively supersede [1]. I've been
> working on something similar for Haskell [4], which could be a useful
> model.
>
>
> [1] https://benjamin.barenblat.name/git/urweb-crypto-hash-openssl.git
>      https://github.com/bbarenblat/urweb-crypto-hash-openssl
>
> [2] https://benjamin.barenblat.name/git/urweb_bcrypt.git
>      https://github.com/bbarenblat/urweb_bcrypt
>
> [3] https://github.com/steinuil/urweb-bcrypt
>
> [4] https://github.com/google/btls