On Aug 2, 2009, at 1:41 PM, mdipierro wrote:

> grrr. you are right. what about
>
> auth.settings.hmac_secret_key='<replace this>'
>
> and modify admin so that when a new app is created '<replace this>' is
> replaced by something like str(uuid.uuid4())?
>
> Want to send me a patch?
I'll leave the patch to Fran, but note that FIPS-198a says this about HMAC keys:

> The size of the key, K, shall be equal to or greater than L/2, where L is the size of the
> hash function output. Note that keys greater than L bytes do not significantly increase the
> function strength. Applications that use keys longer than B-bytes shall first hash the key
> using H and then use the resultant L-byte string as the HMAC key, K.

So for SHA-512, that means 32-64 bytes.

How about using random with a timestamp seed?

> Massimo
>
> On Aug 2, 3:33 pm, Fran <francisb...@googlemail.com> wrote:
>> On Aug 2, 9:21 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>>
>>> or better
>>> auth.hmac_key_auto()
>>> which would generate a random key, store it in private/hmac.key and
>>> retrieve it when needed.
>>
>> Lovely :)
>>
>> BUT wouldn't work on GAE (no filesystem access), so the other option
>> needs to be there too for GAE apps...
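As an added example (not code from this thread or from web2py), here is a Python sketch of how the two options discussed above could fit together: a configured key that is used when it is real, and an auto-generated key file otherwise, with the key length kept inside the FIPS 198 bounds quoted in the reply (at least L/2 bytes, no more than L, where L is the digest size). The helper names (hmac_key_bounds, check_key, load_or_create_key, resolve_key) are hypothetical; private/hmac.key is the path mentioned in the thread; and the key bytes come from os.urandom, the OS CSPRNG, rather than from uuid4 or a timestamp-seeded random module, since a seed derived from the clock leaves the key guessable. The configured-key path is the one that applies on GAE, where there is no writable filesystem.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Sentinel value proposed in the thread for a freshly created app; it must never
# be accepted as a real key.
PLACEHOLDER = b"<replace this>"


def hmac_key_bounds(hash_name):
    """Usable HMAC key length in bytes for a hash: FIPS 198 asks for at least L/2
    bytes (L = digest size), and keys longer than L bytes add no strength."""
    L = hashlib.new(hash_name).digest_size
    return L // 2, L


def check_key(key, hash_name):
    """True only for a non-placeholder key whose length lies in [L/2, L]."""
    lo, hi = hmac_key_bounds(hash_name)
    return key != PLACEHOLDER and lo <= len(key) <= hi


def generate_hmac_key(hash_name="sha512"):
    """Fresh key of L bytes (the upper useful bound) from the OS CSPRNG."""
    return os.urandom(hmac_key_bounds(hash_name)[1])


def load_or_create_key(path, hash_name="sha512"):
    """Hypothetical stand-in for the thread's auth.hmac_key_auto() idea: read the
    key from `path` (e.g. private/hmac.key) or create it once, owner-readable only."""
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read()
    key = generate_hmac_key(hash_name)
    try:
        # O_EXCL: never overwrite a key another process has just written.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:          # lost the race: use the key that won
        with open(path, "rb") as f:
            return f.read()
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def resolve_key(configured, path, hash_name="sha512"):
    """Use the configured key (a str or bytes setting) when it is a real key, which
    is the only workable option on GAE; otherwise fall back to the key file."""
    if isinstance(configured, str):
        configured = configured.encode()
    if configured is not None and check_key(configured, hash_name):
        return configured
    return load_or_create_key(path, hash_name)


def sign(key, message, hash_name="sha512"):
    """Hex HMAC tag over `message`."""
    return hmac.new(key, message, hash_name).hexdigest()


def verify(key, message, tag, hash_name="sha512"):
    """Constant-time comparison of the recomputed tag with the presented one."""
    return hmac.compare_digest(sign(key, message, hash_name), tag)


def demo_key_file_roundtrip(hash_name="sha512"):
    """Create a key file in a scratch directory, reload it, and report whether the
    same key came back, it passes check_key, and the file is mode 0600 (POSIX)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hmac.key")
        first = load_or_create_key(path, hash_name)
        second = load_or_create_key(path, hash_name)
        mode_ok = os.name != "posix" or stat.S_IMODE(os.stat(path).st_mode) == 0o600
        return first == second and check_key(first, hash_name) and mode_ok


if __name__ == "__main__":
    print("sha512 key bounds (bytes):", hmac_key_bounds("sha512"))
    print("placeholder accepted as a key?", check_key(PLACEHOLDER, "sha512"))
    print("key file round trip ok?", demo_key_file_roundtrip())
```

Note that a uuid4 string (36 characters) does fall inside the 32-64 byte window for SHA-512, so the admin-substitution idea from the thread would pass the length check; the sentinel itself (14 bytes) does not, which is the case resolve_key is meant to catch before the app ever signs anything with it.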