[erlang-questions] Secure Tokens

Vladimir Dronnikov dronnikov@REDACTED
Tue Apr 2 07:58:51 CEST 2013 

Hi, Bob!
Thank you for feedback. Am not an expert in crypto domain, so I wonder if
you could help me amend termit' cryptosystem.
TIA,
--Vladimir


On Tue, Apr 2, 2013 at 9:50 AM, Bob Ippolito <bob@REDACTED> wrote:

> No reason to celebrate just yet, termit has a broken cryptosystem. Here's
> two things I noticed after a quick glance:
>
> * The IV is derived from the secret key. The IV must be unpredictable at
> encryption time in CBC mode. This is VERY VERY bad.
> * Verification of the signature isn't constant-time, so it's susceptible
> to timing attacks. This is still bad, but probably harder to exploit.
>
> It would be unwise to use this implementation. I don't claim that the
> mochiweb code is perfect, and I'm not a cryptograph expert, but I have
> audited it and I didn't find any obvious flaws (other than the timing
> attack that I fixed).
>
>
> On Mon, Apr 1, 2013 at 10:37 PM, Lee Sylvester <lee.sylvester@REDACTED>wrote:
>
>> Wow, a fernet like impl for Erlang!!! Perfect!!!  Thank you very much.
>> This will make my life so much easier :-)
>>
>> Regards,
>> Lee
>>
>>
>>
>> On 2 Apr 2013, at 06:09, Vladimir Dronnikov <dronnikov@REDACTED> wrote:
>>
>> I drive https://github.com/dvv/termit for this. Feel free to
>> feedback/blame :)
>>
>>
>>  On Tue, Apr 2, 2013 at 12:15 AM, Bob Ippolito <bob@REDACTED> wrote:
>>
>>> There's something similar to your requirements in here:
>>> https://github.com/mochi/mochiweb/blob/master/src/mochiweb_session.erl
>>>
>>>
>>> On Mon, Apr 1, 2013 at 1:05 PM, Lee Sylvester <lee.sylvester@REDACTED>wrote:
>>>
>>>> Hey guys,
>>>>
>>>> So, I'd like to create secure tokens in Erlang.  This can either be a
>>>> simple UUID generator which I then store with user credentials or a way to
>>>> encode a string, such as JSON, as an encrypted token.  In Golang, I would
>>>> do this with fernet, but I need an Erlang solution :-)
>>>>
>>>> I know Erlang isn't best used for such tasks, but does anyone out there
>>>> know of something usable for this purpose?
>>>>
>>>> Thanks loads,
>>>> Lee
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>
>>>
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20130402/06b04a6f/attachment.htm>

More information about the erlang-questions mailing list