MD5 to SHA1 #14
Labels
No Label
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
No Milestone
No project
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: library-mirrors/gamejoltlua#14
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
SHA-1 should be better then MD5 encryption, would prevent to use md5 change it to SHA-1
https://github.com/kikito/sha1.lua
Does gamejolt allow you to choose the hash algorithm?
If yes, I would suggest defaulting to SHA1, and allowing a developer to override and use MD5 instead. Some SHA1 implementations require JIT to be performant, so they may desire to use MD5 instead.
Pump this string through either MD5 or SHA-1 and you have successfully generated a signature.
http://gamejolt.com/api/doc/game
Do I would suggest SHA-1
Well I'm against it. First I don't think anyone would try to brute force find the key of your game and if they are they may as well look at your lua code (which must be readable by the interpreter so ofuscation or compilation cant really hide it) and search for your key which needs to be in there or downloaded from somewhere.
Second SHA-1 runs way slower than MD5 in Lua. If you are making multiple transactions you Will feel the slowdown, and un a game that is not really nice
Third replacing MD5 with SHA-1 is pretty darn easy so making MD5 the default and allowing the user to change it is far better than exposing SHA as the default and letting the user use MD5 (because of performance)
@Positive07 what if the private key is unique for each client?
Regardless, for the most part, I agree. At this point though it's @Extreemhost's prerogative for the most part. Some guidance on what to swap out might make it easier though.
If someone does swap out MD5 for SHA-1, it'd be nice if they could drop a patch here anyway, just in case someone with authority has an opinion, I wouldn't want to see work go to waste. In some cases speed does matter, but in some cases it doesn't.
The key is one, the one gamejolt gives you and is unique for each game. Even if it was unique to each client you would still need to store it or download it from somewhere, meaning that the user could still find it somewhere on his RAM or in some source file. And later then use it himself since there is no waterproof way to check that the right client is sending that key. The biggest lack of security is the Lua source itself (but even in C or ASM there is no easy way yo easily get around either), there is other problem and that is GameJolts one, unique keys are not really safe. And as you may know, all security has a hole. Not using SSL connection is another sequrity issue but well...
To make this simpler, SHA-1 helps little to nothing with security and makes the code slower (even in JIT)
I would like to make a patch to make swapping easier (dropping sha.lua in the librarys folder and changing a variable). Maybe tomorrow or tuesday night. But I wont maintin a SHA-1 fork since I dont really think it is that useful
In another note @kikito sha1.lua library is written in pure Lua,and still doesnt support the built in bit libraries so JIT compilation is not that nice and is orders of magnitudes slower compares to md5.lua which uses the default bit libraries when available. (Even comparing md5.lua with BitOps against md5.lua with out them the BitOps versión is 400% faster so compared to sha1.lua I guess it would be like 1000% faster)