[erlang-questions] Secure Tokens

Lee Sylvester <>
Tue Apr 2 08:01:57 CEST 2013


Hi Vladimir,

I'd certainly help if I can. I'm no expert, either, but I find offloading handling of token decryption to be useful, especially across unlinked nodes. So, I'm sure others will see the usefulness of this.

Best,
Lee

Sent from my iPhone

On 2 Apr 2013, at 06:58, Vladimir Dronnikov <> wrote:

> Hi, Bob!
> Thank you for feedback. Am not an expert in crypto domain, so I wonder if you could help me amend termit' cryptosystem.
> TIA,
> --Vladimir
> 
> 
> On Tue, Apr 2, 2013 at 9:50 AM, Bob Ippolito <> wrote:
>> No reason to celebrate just yet, termit has a broken cryptosystem. Here's two things I noticed after a quick glance:
>> 
>> * The IV is derived from the secret key. The IV must be unpredictable at encryption time in CBC mode. This is VERY VERY bad.
>> * Verification of the signature isn't constant-time, so it's susceptible to timing attacks. This is still bad, but probably harder to exploit.
>> 
>> It would be unwise to use this implementation. I don't claim that the mochiweb code is perfect, and I'm not a cryptograph expert, but I have audited it and I didn't find any obvious flaws (other than the timing attack that I fixed).
>> 
>> 
>> On Mon, Apr 1, 2013 at 10:37 PM, Lee Sylvester <> wrote:
>>> Wow, a fernet like impl for Erlang!!! Perfect!!!  Thank you very much. This will make my life so much easier :-)
>>> 
>>> Regards,
>>> Lee
>>> 
>>> 
>>> 
>>> On 2 Apr 2013, at 06:09, Vladimir Dronnikov <> wrote:
>>> 
>>>> I drive https://github.com/dvv/termit for this. Feel free to feedback/blame :)
>>>> 
>>>> 
>>>> On Tue, Apr 2, 2013 at 12:15 AM, Bob Ippolito <> wrote:
>>>>> There's something similar to your requirements in here:
>>>>> https://github.com/mochi/mochiweb/blob/master/src/mochiweb_session.erl
>>>>> 
>>>>> 
>>>>> On Mon, Apr 1, 2013 at 1:05 PM, Lee Sylvester <> wrote:
>>>>>> Hey guys,
>>>>>> 
>>>>>> So, I'd like to create secure tokens in Erlang.  This can either be a simple UUID generator which I then store with user credentials or a way to encode a string, such as JSON, as an encrypted token.  In Golang, I would do this with fernet, but I need an Erlang solution :-)
>>>>>> 
>>>>>> I know Erlang isn't best used for such tasks, but does anyone out there know of something usable for this purpose?
>>>>>> 
>>>>>> Thanks loads,
>>>>>> Lee
>>>>>> _______________________________________________
>>>>>> erlang-questions mailing list
>>>>>> 
>>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> erlang-questions mailing list
>>>>> 
>>>>> http://erlang.org/mailman/listinfo/erlang-questions
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20130402/fc00d4b0/attachment.html>


More information about the erlang-questions mailing list