[erlang-questions] Secure Tokens

Lee Sylvester <>
Tue Apr 2 08:00:06 CEST 2013


Thanks for the heads up, Bob. Luckily, I simply need to mimick Fernet while my portal interface is being built; then I can scrap my tokening altogether. However, I'll take your points onboard for any production impl.  I'm sure, tho, that your raised points will help improve Termit.

Regards,
Lee

Sent from my iPhone

On 2 Apr 2013, at 06:50, Bob Ippolito <> wrote:

> No reason to celebrate just yet, termit has a broken cryptosystem. Here's two things I noticed after a quick glance:
> 
> * The IV is derived from the secret key. The IV must be unpredictable at encryption time in CBC mode. This is VERY VERY bad.
> * Verification of the signature isn't constant-time, so it's susceptible to timing attacks. This is still bad, but probably harder to exploit.
> 
> It would be unwise to use this implementation. I don't claim that the mochiweb code is perfect, and I'm not a cryptograph expert, but I have audited it and I didn't find any obvious flaws (other than the timing attack that I fixed).
> 
> 
> On Mon, Apr 1, 2013 at 10:37 PM, Lee Sylvester <> wrote:
>> Wow, a fernet like impl for Erlang!!! Perfect!!!  Thank you very much. This will make my life so much easier :-)
>> 
>> Regards,
>> Lee
>> 
>> 
>> 
>> On 2 Apr 2013, at 06:09, Vladimir Dronnikov <> wrote:
>> 
>>> I drive https://github.com/dvv/termit for this. Feel free to feedback/blame :)
>>> 
>>> 
>>> On Tue, Apr 2, 2013 at 12:15 AM, Bob Ippolito <> wrote:
>>>> There's something similar to your requirements in here:
>>>> https://github.com/mochi/mochiweb/blob/master/src/mochiweb_session.erl
>>>> 
>>>> 
>>>> On Mon, Apr 1, 2013 at 1:05 PM, Lee Sylvester <> wrote:
>>>>> Hey guys,
>>>>> 
>>>>> So, I'd like to create secure tokens in Erlang.  This can either be a simple UUID generator which I then store with user credentials or a way to encode a string, such as JSON, as an encrypted token.  In Golang, I would do this with fernet, but I need an Erlang solution :-)
>>>>> 
>>>>> I know Erlang isn't best used for such tasks, but does anyone out there know of something usable for this purpose?
>>>>> 
>>>>> Thanks loads,
>>>>> Lee
>>>>> _______________________________________________
>>>>> erlang-questions mailing list
>>>>> 
>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>> 
>>>> 
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> 
>>>> http://erlang.org/mailman/listinfo/erlang-questions
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20130402/ba85f56f/attachment.html>


More information about the erlang-questions mailing list