BBAuth and HMACs

Thursday

05Oct2006

Thursday, October 5, 2006 at 02:24AM

I’ve written before about Yahoo!’s BBAuth. Looking closer at it I’m curious why it’s using pseudo HMACs with MD5 for authentication.

RFC 2104 describes the constraints for a true HMAC (key length constraints and use of padding) and I would love to see BBAuth use the same, preferably based on a less vulnerable hashing algorithm than MD5, say SHA-1.

Hans |

2 Comments |

1 Reference |

References (1)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Response: efmcbwmhk

at bhchbcsogy on October 21, 2006

hdshvvtm mkucgud cvasqplt zsbvuamicy

Reader Comments (2)

My guess is that it's because there is an md5 function that comes with PHP, but not a sha1 function. I realize that this sounds silly, but it's actually a somewhat elegant way to attract developers.

About the security, my impression of md5 cracks is that they aren't yet up to the job of finding a collision for an arbitrary input. Both members of the pair have to be up to the cracker, meaning that a user who is not the cracker has little to fear.

October 9, 2006 |

Lucas

Lucas, I hear you, but how come then OpenID manages to stipulate HMAC-SHA1? There are libraries for PHP, Perl, etc. available, so algorithmic availability seems not to be a concern.

October 10, 2006 |

Hans

Post a New Comment

Enter your information below to add a new comment.

Author:

Author Email (optional):

Author URL (optional):

Post:

↓ | ↑

All HTML will be escaped. Hyperlinks will be created for URLs automatically.