Hi, Felipe! Thank you for sharing! The one question I have: is there some good way to generate unique nonces?

Sat, 23 May 2015 at 22:01, Tobias Dammers <tdamm...@gmail.com>:

> Looks useful; feature request: something like
>
>     nonce :: MonadIO m => Int -> Generator -> m ByteString
>
> (plus -url and -T flavors, obviously). I believe allowing the programmer
> to balance security vs. usability demands would be a good thing overall
> and worth a knob.
>
> On Fri, May 22, 2015 at 08:06:18PM -0300, Felipe Lessa wrote:
> > (Please forgive me if you received multiple copies of this e-mail.)
> >
> > Hello,
> >
> > The nonce package [1] contains functions to easily generate
> > cryptographic nonces for many situations. Some places where these
> > generated nonces can be used include:
> >
> > - Password recovery e-mail tokens.
> >
> > - XSRF protection tokens.
> >
> > - Session IDs sent on cookies.
> >
> > - Initialization vectors.
> >
> > It uses an AES CPRNG periodically reseeded from /dev/urandom (or
> > equivalent). It has no frills, no knobs, so it's hard to misuse. It's
> > been available for a year but I just realized I've never properly
> > announced it.
> >
> > Regrettably, I've seen many uses of the random package (System.Random)
> > when generating nonces. It's a bad choice: it is not a
> > cryptographically secure PRNG, contains low entropy (64-bit state), and
> > its default usage is seeded predictably (using a constant seed). Please
> > avoid using the random package for generating nonces at all costs. In
> > its stead, use the nonce package or something similar.
> >
> > Cheers,
> >
> > [1] http://hackage.haskell.org/package/nonce
> >
> > --
> > Felipe.
> >
> > _______________________________________________
> > Haskell mailing list
> > Haskell@haskell.org
> > http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell
>
> --
> Tobias Dammers - tdamm...@gmail.com
> _______________________________________________
> Haskell-Cafe mailing list
> haskell-c...@haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
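
An added example, not code from this thread or from the nonce package's author: the password-recovery token use case listed in the announcement, drawn from the package's generator via `Crypto.Nonce.new` and `nonce128urlT`. The in-memory store and the names `Pending`, `issueToken` and `redeemToken` are hypothetical, and the account address is constructed.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import qualified Crypto.Nonce as N          -- from the nonce package
import           Data.IORef (IORef, newIORef, atomicModifyIORef')
import qualified Data.Map.Strict as M
import           Data.Text (Text)
import qualified Data.Text.IO as T

-- Hypothetical in-memory store: outstanding token -> account it was issued for.
type Pending = IORef (M.Map Text Text)

-- Issue a recovery token from the shared generator and remember who it is for.
issueToken :: N.Generator -> Pending -> Text -> IO Text
issueToken gen pending account = do
  tok <- N.nonce128urlT gen                 -- 128-bit nonce, URL-safe, as Text
  atomicModifyIORef' pending (\m -> (M.insert tok account m, ()))
  return tok

-- Redeem a token at most once: lookup and delete happen in one atomic step,
-- so a replayed or concurrently submitted token yields Nothing.
redeemToken :: Pending -> Text -> IO (Maybe Text)
redeemToken pending tok =
  atomicModifyIORef' pending (\m -> (M.delete tok m, M.lookup tok m))

main :: IO ()
main = do
  gen     <- N.new                          -- create one generator, reuse it
  pending <- newIORef M.empty
  tok     <- issueToken gen pending "alice@example.org"  -- constructed account
  T.putStrLn tok
  first   <- redeemToken pending tok        -- valid on first use
  second  <- redeemToken pending tok        -- rejected on replay
  print (first, second)
```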