[reportlab-users] UC fips compliant

Claude Paroz claude at 2xlibre.net
Tue Sep 21 12:34:09 EDT 2021


Le 21.09.21 à 18:13, Tim Roberts a écrit :
> Satchell Julian via reportlab-users wrote:
>>
>>
>> SHA-1 is no longer recommended, as collision attacks on it are well 
>> known. Minimum is something in the SHA2 family, depending on strength 
>> / length requirement.
>>
> Well, you have to balance the cost against the risk.  With one 
> exception, MD5 is not used in a security context within ReportLab.  It's 
> just a hash algorithm.  There is no "attack vector", and there are no 
> secrets being protected.  For those uses, even SHA1 is overkill, and 
> SHA2 is vast overkill.

Also note the new usedforsecurity argument added in Python 3.9:
https://docs.python.org/3/library/hashlib.html#hashlib-usedforsecurity

That could help for FIPS compliance. See also the ticket and patch 
discussing the same topic for Django:

https://code.djangoproject.com/ticket/28401
https://github.com/django/django/pull/14763/

Claude



More information about the reportlab-users mailing list