To be fair to the Vigenère cipher algorithm, it is insanely simple; I think when I wrote the implementation in that pull request, I was probably inappropriately using lambdas and generator expressions, and in doing so making it look more complicated than it really is.
A neater, more readable Vigenère cipher (that is still logically equivalent to the first one) might look like this: https://gist.github.com/adambrenecki/3b4d75ba039e6e455f7c

On 7 March 2015 at 23:31, Erik Romijn <[email protected]> wrote:

> Hello,
>
> In the context of a one time pad on the CSRF token, I don’t see a security
> advantage to either cipher here. If I read correctly, the argument for
> Vigenère is that it can already produce output suitable for inclusion in
> form values, not requiring base64 encoding of the one time pad.
>
> I’ve looked up the current implementations that have been contributed:
> Here’s the XOR+base64 implementation:
>
> https://github.com/django/django/compare/66285eb2a7a6fb3e6ec0eec0bbc15a5e94215872#diff-a3be722ce2831a8d11438021d44cedf1R62
>
> And the Vigenère implementation:
>
> https://github.com/django/django/pull/1477/files#diff-a3be722ce2831a8d11438021d44cedf1R40
>
> Though the Vigenère implementation means that base64 is not required and is
> significantly shorter, it seems considerably more complex and error prone.
> I can’t instantly see whether this implementation is correct. The
> XOR+base64 implementation, on the other hand, is straightforward and
> obvious. Therefore, if the current implementations are a proper measure for
> the complexity of implementing either option, XOR+base64 is my strong
> preference. Slightly more work, but substantially simpler, reducing the
> risk of overlooked implementation errors.
>
> Erik
>
> > On 07 Mar 2015, at 13:31, Asif Saifuddin <[email protected]> wrote:
> >
> > Hi,
> >
> > Just started working on this ticket
> > https://code.djangoproject.com/ticket/20869
> >
> > wondering what should be the preferred way?
> >
> > using XOR or Vigenère Cipher?
> >
> > Regards
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Django developers (Contributions to Django itself)" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at http://groups.google.com/group/django-developers.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/django-developers/3d23b87e-c153-4035-a838-331d5bc9cd1d%40googlegroups.com
> > <https://groups.google.com/d/msgid/django-developers/3d23b87e-c153-4035-a838-331d5bc9cd1d%40googlegroups.com?utm_medium=email&utm_source=footer>.
> > For more options, visit https://groups.google.com/d/optout.
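As an added example, not code from the thread, the gist or Django itself: the two maskings the thread compares, side by side, with the input checks a receiver needs before unmasking a value that arrived from the client. The a-zA-Z0-9 alphabet, the pad-then-ciphertext layout and all function names are assumptions.

```python
import base64
import secrets
import string

# Assumption: the token is drawn from a-zA-Z0-9, so these characters are form-safe.
ALPHABET = string.ascii_letters + string.digits


def _indices(text):
    """Map characters to ALPHABET positions; reject anything outside the set."""
    try:
        return [ALPHABET.index(c) for c in text]
    except ValueError:
        raise ValueError("character outside the allowed set") from None


def vigenere_mask(secret, pad):
    """Add the pad character-wise modulo len(ALPHABET); output stays in ALPHABET."""
    if len(pad) != len(secret):
        raise ValueError("pad must be as long as the secret")
    n = len(ALPHABET)
    return "".join(ALPHABET[(s + p) % n] for s, p in zip(_indices(secret), _indices(pad)))


def vigenere_unmask(masked, pad):
    """Subtract the pad character-wise; exact inverse of vigenere_mask."""
    if len(pad) != len(masked):
        raise ValueError("pad must be as long as the masked value")
    n = len(ALPHABET)
    return "".join(ALPHABET[(m - p) % n] for m, p in zip(_indices(masked), _indices(pad)))


def xor_b64_mask(secret, pad):
    """Byte-wise XOR with the pad, then base64 so the result is form-safe."""
    if len(pad) != len(secret):
        raise ValueError("pad must be as long as the secret")
    return base64.b64encode(bytes(s ^ p for s, p in zip(secret, pad))).decode("ascii")


def xor_b64_unmask(masked, pad):
    """Strict base64 decode, then XOR again to recover the secret bytes."""
    raw = base64.b64decode(masked, validate=True)
    if len(raw) != len(pad):
        raise ValueError("pad must be as long as the masked value")
    return bytes(m ^ p for m, p in zip(raw, pad))


def mask_for_form(secret):
    """Per-response value: a fresh random pad followed by the masked secret."""
    pad = "".join(secrets.choice(ALPHABET) for _ in secret)
    return pad + vigenere_mask(secret, pad)


def unmask_from_form(value, secret_len):
    """Split the submitted value into pad and masked half and recover the secret."""
    return vigenere_unmask(value[secret_len:], value[:secret_len])
```

Either scheme is a one-time pad over the token as long as the pad is fresh per response and exactly as long as the secret; the difference is only whether the output needs a base64 step to be form-safe.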
