[erlang-questions] Secure Tokens
Tue Apr 2 07:50:29 CEST 2013
No reason to celebrate just yet, termit has a broken cryptosystem. Here's
two things I noticed after a quick glance:
* The IV is derived from the secret key. The IV must be unpredictable at
encryption time in CBC mode. This is VERY VERY bad.
* Verification of the signature isn't constant-time, so it's susceptible to
timing attacks. This is still bad, but probably harder to exploit.
It would be unwise to use this implementation. I don't claim that the
mochiweb code is perfect, and I'm not a cryptograph expert, but I have
audited it and I didn't find any obvious flaws (other than the timing
attack that I fixed).
On Mon, Apr 1, 2013 at 10:37 PM, Lee Sylvester <lee.sylvester@REDACTED>wrote:
> Wow, a fernet like impl for Erlang!!! Perfect!!! Thank you very much.
> This will make my life so much easier :-)
> On 2 Apr 2013, at 06:09, Vladimir Dronnikov <dronnikov@REDACTED> wrote:
> I drive https://github.com/dvv/termit for this. Feel free to
> feedback/blame :)
> On Tue, Apr 2, 2013 at 12:15 AM, Bob Ippolito <bob@REDACTED> wrote:
>> There's something similar to your requirements in here:
>> On Mon, Apr 1, 2013 at 1:05 PM, Lee Sylvester <lee.sylvester@REDACTED>wrote:
>>> Hey guys,
>>> So, I'd like to create secure tokens in Erlang. This can either be a
>>> simple UUID generator which I then store with user credentials or a way to
>>> encode a string, such as JSON, as an encrypted token. In Golang, I would
>>> do this with fernet, but I need an Erlang solution :-)
>>> I know Erlang isn't best used for such tasks, but does anyone out there
>>> know of something usable for this purpose?
>>> Thanks loads,
>>> erlang-questions mailing list
>> erlang-questions mailing list
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the erlang-questions