On Wed, 2010-10-13 at 09:44 +0100, Luke Plant wrote:
> You're right. I've posted a question here:
>
> http://cstheory.stackexchange.com/questions/2159/creating-hmac-keys-using-a-fixed-prefix-and-a-random-string
OK, we got some answers, from the theoretical angle at least. But it
leaves me in th
On Wed, 2010-10-13 at 15:59 +1300, Nick Phillips wrote:
> > Since we are effectively using
> > SHA1(different_fixed_string_for_each_application + SECRET_KEY) as the
> > key, it isn't obvious to me that using
> > SHA1(entirely_different_random_string_for_each_application) is really
> > any differen
On Tue, 2010-10-12 at 12:03 +0100, Luke Plant wrote:
> The fixed strings are used to make the keys unique per application - see
> below for what the keys are like that actually end up being used.
I realise that, I just couldn't remember exactly why that was
necessary... but you answered that belo
On Mon, Oct 11, 2010 at 7:27 PM, Nick Phillips wrote:
> First of all I should say that I'm no crypto expert, but I'm worried
> about the key. Inclusion of fixed strings in a key for this type of use
> rings alarm bells, as does the use of an ASCII key (albeit 50 chars
> rather than the 20 recommen
On Mon, 2010-10-11 at 23:38 +0100, Luke Plant wrote:
> Hi all
>
> For a while this has been on my TODO list, but I've finally got round to
> it:
>
> * Use HMAC where appropriate in Django
> * Fix timing based attacks.
Cool. I'd been wondering about this for a while.
> - is the new method (using
Hi all
For a while this has been on my TODO list, but I've finally got round to
it:
* Use HMAC where appropriate in Django
* Fix timing based attacks.
http://code.djangoproject.com/ticket/14445
The only difficulty is with the first due to backwards compatibility -
the tokens/hashes generated by
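The key-derivation question raised above (using SHA1(fixed_string_for_each_application + SECRET_KEY) as the HMAC key rather than an independent random key per application) and the two TODO items (use HMAC, fix timing attacks) are easier to reason about with the mechanics in front of you. The following is an added example written for this page, not Django's code and not anything posted in the thread. The SECRET_KEY value, the two salt strings and the signed value are constructed; the stdlib's hmac.compare_digest stands in for whatever constant-time comparison the ticket ends up adopting; naive_compare exists only to make the early-exit timing leak visible as a count of bytes examined.

```python
import hashlib
import hmac

# Constructed for the example: a 50-character ASCII secret of the kind the
# thread describes. It is NOT a real key.
SECRET_KEY = "0123456789abcdefghijklmnopqrstuvwxyz0123456789abcd"


def derive_key(salt: str, secret: str = SECRET_KEY) -> bytes:
    """Per-purpose HMAC key, as discussed in the thread:
    SHA1(fixed_string_for_each_application + SECRET_KEY).

    The fixed string ("salt") gives domain separation: a signature minted
    for one purpose cannot be replayed as a signature for another, even
    though both ultimately come from the same SECRET_KEY. The result is
    20 raw bytes, which is exactly the output length of SHA-1 and the
    minimum key length RFC 2104 recommends for HMAC-SHA1.
    """
    return hashlib.sha1((salt + secret).encode("utf-8")).digest()


def sign(value: str, salt: str) -> str:
    """HMAC-SHA1 of `value` under the key derived for `salt`."""
    key = derive_key(salt)
    return hmac.new(key, value.encode("utf-8"), hashlib.sha1).hexdigest()


def naive_compare(a: str, b: str) -> tuple[bool, int]:
    """Byte-by-byte comparison that returns on the first mismatch.

    Returns (equal, bytes_examined). The second element is what an
    attacker measures indirectly through timing: the more leading bytes
    of a guessed signature are right, the longer this takes. This is the
    flaw the 'fix timing based attacks' item refers to; do not use it.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: str, b: str) -> bool:
    """Comparison whose running time does not depend on where the
    strings first differ (hmac.compare_digest, Python >= 3.3)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify(value: str, salt: str, signature: str) -> bool:
    """Recompute the signature for (value, salt) and compare it in
    constant time with the one presented."""
    return constant_time_compare(sign(value, salt), signature)


if __name__ == "__main__":
    # Hypothetical per-application salts; any two distinct fixed strings work.
    session_salt = "django.contrib.sessions"
    reset_salt = "password_reset"
    value = "user:42"

    session_sig = sign(value, session_salt)
    reset_sig = sign(value, reset_salt)
    print("session signature:", session_sig)
    print("reset signature:  ", reset_sig)
    print("same value, different salt, different MAC:", session_sig != reset_sig)
    print("cross-purpose replay rejected:", not verify(value, session_salt, reset_sig))

    # A guess sharing 3 leading hex digits with the real MAC is examined
    # longer by the naive compare than one sharing none: that is the leak.
    good_prefix = session_sig[:3] + "0" * (len(session_sig) - 3)
    bad_prefix = "z" * len(session_sig)
    print("naive compare, 3 correct leading chars:", naive_compare(session_sig, good_prefix))
    print("naive compare, 0 correct leading chars:", naive_compare(session_sig, bad_prefix))
```

Two things worth noting from running it. First, the derived key is 20 bytes regardless of how the secret is encoded, so the "ASCII key vs. raw bytes" concern becomes a question about the entropy of SECRET_KEY itself rather than about what HMAC sees. Second, naive_compare's byte count is the quantity a remote attacker recovers by averaging response times; constant_time_compare exposes no such count, which is the whole content of the timing fix.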