MD5 to SHA1 #14

Open
opened 2016-05-08 17:54:51 +00:00 by ghost · 6 comments
ghost commented 2016-05-08 17:54:51 +00:00 (Migrated from github.com)

SHA-1 should be better than MD5 encryption; it would prevent using MD5. Change it to SHA-1.

https://github.com/kikito/sha1.lua
josefnpat commented 2016-05-08 21:21:43 +00:00 (Migrated from github.com)

Does gamejolt allow you to choose the hash algorithm?

If yes, I would suggest defaulting to SHA1, and allowing a developer to override and use MD5 instead. Some SHA1 implementations require JIT to be performant, so they may desire to use MD5 instead.
ghost commented 2016-05-08 23:11:43 +00:00 (Migrated from github.com)

Pump this string through either MD5 or SHA-1 and you have successfully generated a signature.
http://gamejolt.com/api/doc/game

So I would suggest SHA-1.
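
As an added example (not code from the gamejoltlua project, and in Python rather than Lua so it runs stand-alone): the signing step the linked doc describes, with the hash algorithm as one swappable setting as proposed later in the thread, plus a constant-time verifier. It assumes the documented form hash(url .. private_key) and uses a constructed placeholder key and URL.

```python
import hashlib
import hmac

# Constructed sample values for this example; not real GameJolt credentials.
PRIVATE_KEY = "PLACEHOLDER_GAME_PRIVATE_KEY"
BASE_URL = "https://gamejolt.com/api/game/v1/users/?game_id=1&username=example"

# The single "variable" a developer would change to swap MD5 for SHA-1.
HASHERS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
}


def signature(url: str, private_key: str, algo: str = "md5") -> str:
    """Hex digest of url + private_key (assumed form from the linked doc)."""
    try:
        hasher = HASHERS[algo]
    except KeyError:
        raise ValueError(f"unsupported hash algorithm: {algo}") from None
    return hasher((url + private_key).encode("utf-8")).hexdigest()


def signed_url(url: str, private_key: str, algo: str = "md5") -> str:
    """Append the signature as the last query parameter."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}signature={signature(url, private_key, algo)}"


def verify_signed_url(full_url: str, private_key: str, algo: str = "md5") -> bool:
    """Receiver-side check: split off the trailing signature parameter,
    recompute it over the rest of the URL and compare in constant time."""
    marker = "signature="
    idx = full_url.rfind(marker)
    if idx < 1 or full_url[idx - 1] not in "?&":
        return False
    presented = full_url[idx + len(marker):]
    unsigned = full_url[: idx - 1]  # drop the '?' or '&' that introduced it
    expected = signature(unsigned, private_key, algo)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    for algo in HASHERS:
        url = signed_url(BASE_URL, PRIVATE_KEY, algo)
        print(algo, url, verify_signed_url(url, PRIVATE_KEY, algo))
```

Switching `algo` only changes the digest length (32 vs 40 hex characters); the private key still has to be present on the client to produce the signature, which is the point made further down the thread.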
pablomayobre commented 2016-05-08 23:49:20 +00:00 (Migrated from github.com)

Well, I'm against it. First, I don't think anyone would try to brute-force the key of your game, and if they are, they may as well look at your Lua code (which must be readable by the interpreter, so obfuscation or compilation can't really hide it) and search for your key, which needs to be in there or downloaded from somewhere.

Second, SHA-1 runs way slower than MD5 in Lua. If you are making multiple transactions you will feel the slowdown, and in a game that is not really nice.

Third, replacing MD5 with SHA-1 is pretty darn easy, so making MD5 the default and allowing the user to change it is far better than exposing SHA as the default and letting the user use MD5 (because of performance).
josefnpat commented 2016-05-09 03:26:27 +00:00 (Migrated from github.com)

@Positive07 what if the private key is unique for each client?

Regardless, for the most part, I agree. At this point though it's @Extreemhost's prerogative for the most part. Some guidance on what to swap out might make it easier though.

If someone does swap out MD5 for SHA-1, it'd be nice if they could drop a patch here anyway, just in case someone with authority has an opinion, I wouldn't want to see work go to waste. In some cases speed does matter, but in some cases it doesn't.
pablomayobre commented 2016-05-09 03:36:23 +00:00 (Migrated from github.com)

The key is one, the one GameJolt gives you, and it is unique for each game. Even if it was unique to each client you would still need to store it or download it from somewhere, meaning that the user could still find it somewhere in his RAM or in some source file, and later use it himself, since there is no waterproof way to check that the right client is sending that key. The biggest lack of security is the Lua source itself (but even in C or ASM there is no easy way to get around that either); there is another problem, and that is GameJolt's: unique keys are not really safe. And as you may know, all security has a hole. Not using an SSL connection is another security issue, but well...

To make this simpler: SHA-1 helps little to nothing with security and makes the code slower (even in JIT).

I would like to make a patch to make swapping easier (dropping sha.lua in the library's folder and changing a variable). Maybe tomorrow or Tuesday night. But I won't maintain a SHA-1 fork, since I don't really think it is that useful.
pablomayobre commented 2016-05-09 03:52:12 +00:00 (Migrated from github.com)

On another note, @kikito's sha1.lua library is written in pure Lua and still doesn't support the built-in bit libraries, so JIT compilation is not that nice and it is orders of magnitude slower compared to md5.lua, which uses the default bit libraries when available. (Even comparing md5.lua with BitOps against md5.lua without them, the BitOps version is 400% faster, so compared to sha1.lua I guess it would be like 1000% faster.)
Reference: library-mirrors/gamejoltlua#14