At 1:53 PM +0800 9/4/02, Ng Pheng Siong wrote: > I'm building a web app which... constructs URLs on the fly. ... > I'm creating the capability thusly: > cap = hmac-sha1(key, "/object?action=something&expiry=timeval") > My questions: ... > 2. The key is created from /dev/random. How long should it > be? In my threat model, the key changes every few hours. > > 3. Any other thoughts?
use /dev/urandom (the psudorandomly-amplified version of /dev/random), and you can change the key more frequently, without emptying /dev/random's entropy buffer. unless i'm missing something, /dev/urandom is secure enough for your application. - don davis, boston - --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]