Replace MD5 with SHA-256 in hasher function for improved security #109

Open
kexinoh opened this issue Dec 13, 2024 · 0 comments
Comments

kexinoh commented Dec 13, 2024

Issue Description:

The hasher function in tf_quant_finance/experimental/pricing_platform/framework/utils.py currently uses the MD5 hash algorithm, which is considered insecure for cryptographic purposes due to its vulnerability to collision attacks. While the function is described as returning a "non-cryptographic hash," it would be prudent to replace MD5 with a more secure hash function like SHA-256 to future-proof the code and align with best practices.

Current Code:

import hashlib
import json

def hasher(obj):
  """Returns non-cryptographic hash of a JSON-serializable object."""
  # MD5 over the default json.dumps() serialization, hex-encoded (32 chars).
  h = hashlib.md5(json.dumps(obj).encode())
  return h.hexdigest()

Proposed Change:
Replace hashlib.md5 with hashlib.sha256.

Proposed Code:

import hashlib
import json

def hasher(obj):
  """Returns non-cryptographic hash of a JSON-serializable object."""
  # Same serialization as before; only the digest algorithm changes (64 hex chars).
  h = hashlib.sha256(json.dumps(obj).encode())
  return h.hexdigest()

Location:
utils.py#L20

Justification:

  • SHA-256 is more secure and widely accepted for hashing purposes.
  • This change would improve the robustness of the code without significantly impacting performance.

Additional Context:

  • MD5 is still used in non-cryptographic contexts, but SHA-256 is a better choice for future-proofing and maintaining a higher security standard.

Conclusion:
Please consider updating the hasher function to use SHA-256 instead of MD5.

Thank you for your attention to this matter.
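The following is an added example, not code from the tf_quant_finance project or from the issue author. It reproduces the issue's current and proposed hasher side by side and adds a third variant (an assumption of this example, not something the issue proposes) that hashes canonical JSON. The point it makes is that swapping MD5 for SHA-256 is a drop-in change with only the digest length differing, but that neither version addresses a separate weakness a reviewer would want to know about when the digest is used as a cache or deduplication key: `json.dumps` with default arguments preserves dict insertion order, so two logically identical objects can hash differently. The sample configs are constructed for this example.

```python
import hashlib
import json

# Added example, not tf_quant_finance project code. Models the issue's hasher()
# before and after the MD5 -> SHA-256 swap, plus a canonical-JSON variant.


def hasher_md5(obj):
    """The issue's current hasher: MD5 over default json.dumps output."""
    return hashlib.md5(json.dumps(obj).encode()).hexdigest()


def hasher_sha256(obj):
    """The issue's proposed hasher: same serialization, SHA-256 digest."""
    return hashlib.sha256(json.dumps(obj).encode()).hexdigest()


def canonical_json(obj):
    """Serialize with sorted keys and no whitespace so equal objects produce
    identical bytes regardless of dict insertion order.  This is an assumption
    of the example (the issue only changes the digest algorithm)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def hasher_canonical(obj):
    """SHA-256 over canonical JSON: stable across key order and across runs."""
    return hashlib.sha256(canonical_json(obj)).hexdigest()


# Constructed sample inputs: the same logical configuration built with two
# different key insertion orders.
CONFIG_A = {"model": "hull_white", "mean_reversion": 0.03, "vol": 0.01}
CONFIG_B = {"vol": 0.01, "model": "hull_white", "mean_reversion": 0.03}


def digest_lengths():
    """Hex digest lengths of the MD5 and SHA-256 hashers for the same object."""
    return len(hasher_md5(CONFIG_A)), len(hasher_sha256(CONFIG_A))


def key_order_sensitivity():
    """Whether CONFIG_A and CONFIG_B hash equal under each hasher.

    Returns (md5_equal, sha256_equal, canonical_equal).  Only the canonical
    variant is insensitive to dict key order; the algorithm swap alone is not.
    """
    return (
        hasher_md5(CONFIG_A) == hasher_md5(CONFIG_B),
        hasher_sha256(CONFIG_A) == hasher_sha256(CONFIG_B),
        hasher_canonical(CONFIG_A) == hasher_canonical(CONFIG_B),
    )


if __name__ == "__main__":
    print("digest lengths (md5, sha256):", digest_lengths())
    print("equal across key order (md5, sha256, canonical):", key_order_sensitivity())
    print("canonical bytes:", canonical_json(CONFIG_A).decode())
```

Run it as a script to see the lengths and the key-order comparison. If the hasher's output is ever compared against a value an untrusted party can influence (for example, a cache key derived from user-supplied JSON), the canonical-serialization step matters as much as the choice of SHA-256 over MD5, because without it the same object can legitimately map to several digests.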
