[erlang-questions] Erlang cookies are secure

Per Hedeland per@REDACTED
Sat Jun 11 15:15:32 CEST 2016


Fred Hebert <mononcqc@REDACTED> wrote:
>
>On 06/10, Per Hedeland wrote:
>>I do find it rather tiresome with this constant ridicule of the cookie
>>authentication from people who haven't even bothered to do a basic
>>investigation of how it works, let alone done any actual security
>>analysis.
>>
>
>https://twitter.com/DonAndrewBailey/status/737693679997984770
>https://twitter.com/DonAndrewBailey/status/737693957656698880
>https://twitter.com/DonAndrewBailey/status/737699529701490688
>
>This security researcher appears to have found issues with it as 
>recently as the last 30 days.

He claims to have found *bugs*, and reported them to the OTP team -
great! However it's not like the existence of bugs in software is
something unique to the OTP implementation of the cookie-based
authentication scheme (or wherever the bugs are). And I have never seen
(I may of course have missed it) the argument "because it has bugs"
being brought forward by those who claim "the cookie authentication
isn't secure" on this mailing list. In fact there typically isn't any
"because" at all.

As for actual analysis of the mechanism as such, the only thing I can
find is the statement "cookie key space by default is 26^20" - given as
a good property, but it certainly makes me wonder about the depth of
such an analysis, if it has indeed been undertaken (I see no claim that
it has). The cookie is an arbitrary atom, and thus the value space is
larger than 256^255 ((1 - 256^256)/(1 - 256) to be precise, or just a
few bits short of 2048) - period.

I guess his "default" refers to the cookie that is auto-generated if you
don't provide one - I'm not sure why you would want to make use of that
if you are attempting to set up a "secure" network of Erlang nodes.
Besides the fact that you need to additionally figure out the value
space of that generation, and analyze the actual mechanism used (maybe
it's even bad old random(3):-), it seems pretty impractical compared to
pre-generating the cookies yourself.

--Per
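The key-space arithmetic above, and the suggestion to pre-generate cookies yourself, worked through in Python as an added example (not code from the post, the thread, or OTP). It assumes the "26^20" figure refers to 20 upper-case letters, uses the 255-character atom limit with 256 possible byte values per position as in Per's reasoning, and writes the cookie file with the 0400 permissions the Erlang runtime expects for ~/.erlang.cookie; the file path is whatever the caller supplies.

```python
import math
import os
import secrets
import string

# Assumed reading of the "26^20" figure quoted in the post: 20 upper-case letters.
DEFAULT_ALPHABET = string.ascii_uppercase
DEFAULT_LENGTH = 20

# Erlang atoms are at most 255 characters; the post treats each position as
# one of 256 byte values, and the computation below follows that.
MAX_ATOM_LENGTH = 255


def key_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random string of `length` symbols
    from an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def atom_value_space() -> int:
    """Number of atoms of 0..255 bytes, i.e. sum_{k=0}^{255} 256^k, which is the
    closed form (1 - 256^256)/(1 - 256) from the post. Python integers are
    arbitrary precision, so the result is exact."""
    return sum(256 ** k for k in range(MAX_ATOM_LENGTH + 1))


def generate_cookie(length: int = DEFAULT_LENGTH, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Pre-generate a cookie from the OS CSPRNG (the `secrets` module), so its
    entropy is known up front: exactly key_space_bits(len(alphabet), length)
    bits, with no need to analyse some other generator's mechanism."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def write_cookie_file(path: str, cookie: str) -> None:
    """Create the cookie file owner-read-only (mode 0400), which is what the
    Erlang runtime requires of ~/.erlang.cookie; O_EXCL refuses to overwrite
    an existing cookie by accident."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    try:
        os.write(fd, cookie.encode("ascii"))
    finally:
        os.close(fd)


if __name__ == "__main__":
    print(f"20 upper-case letters (26^20): {key_space_bits(26, 20):.1f} bits")
    print(f"43 base64 symbols (64^43):     {key_space_bits(64, 43):.1f} bits")
    print(f"whole atom value space:        {atom_value_space().bit_length()} bits")
    print("example cookie:", generate_cookie())
```

Running the script shows the gap the post is pointing at: the 26^20 alphabet gives roughly 94 bits, the full atom value space has a 2041-bit representation (so it is indeed larger than 256^255 and a few bits short of 2048), and a cookie you generate yourself sits wherever you choose between the two, with entropy you can state exactly.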


