On Tuesday 05 January 2010 16:53:17 Elias Torres wrote: > Simon, > > I'm not a security expert by any means, but I really the fact that > you're making use of HMACs in your design. I will ask a good friend > (Ben Adida) who's really an expert on the subject to see if your > paranoia on adding a salt and hashing the key helps you in any way. > My intuition says if the salt will be stored and made available to > anyone with access to the DB, I'm not sure it will make much of a > difference. HMAC takes care of the prefix/suffix attacks already.
The point of the 'salt' is to make it easy to use unique keys. Otherwise, one use of HMAC with SECRET_KEY in a web app could be trivially used to compromise another usage. For example, suppose that, on a social network, the user can specify the username of someone that they nominate as a 'best friend' . This value might be stored in a signed cookie. If we use SECRET_KEY without salt as the HMAC key, the user then has access to the value HMAC(SECRET_KEY, some_username). But suppose another signed cookie is used to store the username when a user logs in (as opposed to using a session). The value will be HMAC(SECRET_KEY, users_username). Since an attacker can trivially get hold of HMAC(SECRET_KEY, somone_elses_username), they can log in as anyone they like. 'Salt' in the key is to protect against that. The signed cookie implementation, for example, uses the cookie *name* as part of the salt, so that all cookies have their own key. The salt is not a secret, so doesn't provide any additional protection against brute force attacks, but it isn't meant to. Luke -- "Making it up? Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it." (Marvin the paranoid android) Luke Plant || http://lukeplant.me.uk/
-- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.