[erlang-questions] Erlang cookies are secure

Fred Hebert mononcqc@REDACTED
Sat Jun 11 15:32:22 CEST 2016


On 06/11, Per Hedeland wrote:
>As for actual analysis of the mechanism as such, the only thing I can
>find is the statement "cookie key space by default is 26^20" - given as
>a good property, but it certainly makes me wonder about the depth of
>such an analysis, if it has indeed been undertaken (I see no claim that
>it has). The cookie is an arbitrary atom, and thus the value space is
>larger than 256^255 ((1 - 256^256)/(1 - 256) to be precise, or just a
>few bits short of 2048) - period.

The space is likely smaller since you're going for an MD5 challenge and 
only have to generate a conflicting MD5, not the actual cookie I 
believe?

The challenge itself uses the cookie and then 'salts' it with the result 
of this function: 
https://github.com/erlang/otp/blob/e1489c448b7486cdcfec6a89fea238d88e6ce2f3/lib/kernel/src/dist_util.erl#L376-L388
which has no great source of randomness, especially on mostly idle nodes 
I'd guess.
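Added example, not part of the original message and not OTP's code: a Python model of the cookie challenge/response discussed above, showing that the digest is a pure function of cookie and challenge, so all freshness in the exchange comes from the challenge generator. It assumes the digest construction given in the Erlang distribution protocol documentation (MD5 over the cookie text followed by the 32-bit challenge in decimal); the function names and cookie values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def gen_digest(challenge: int, cookie: str) -> bytes:
    """MD5 over the cookie text followed by the challenge written in decimal."""
    data = cookie.encode("latin-1") + str(challenge).encode("ascii")
    return hashlib.md5(data).digest()


def fresh_challenge() -> int:
    """32-bit challenge from the OS CSPRNG.

    Assumption for this sketch: this is NOT how the linked dist_util
    function derives its value; it is the contrast case.
    """
    return secrets.randbits(32)


def check_reply(challenge: int, cookie: str, reply: bytes) -> bool:
    """Verifier side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(gen_digest(challenge, cookie), reply)


def handshake(cookie_a: str, cookie_b: str, challenge=None):
    """Node A challenges node B. Returns (challenge, reply, accepted)."""
    if challenge is None:
        challenge = fresh_challenge()
    reply = gen_digest(challenge, cookie_b)      # computed by B
    accepted = check_reply(challenge, cookie_a, reply)  # checked by A
    return challenge, reply, accepted


if __name__ == "__main__":
    cookie = "CONSTRUCTEDCOOKIEVALUE"  # constructed sample, not a real cookie
    ch, reply, ok = handshake(cookie, cookie)
    print("challenge", ch, "accepted", ok)
    # The same challenge always yields the same digest for a given cookie,
    # so a verifier that reissues a challenge gains nothing from the exchange.
    _, again, _ = handshake(cookie, cookie, challenge=ch)
    print("same challenge, same digest:", again == reply)
```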
