On Sep 25, 12:02 pm, Luke Plant <l.plant...@cantab.net> wrote:
> In other web apps (I think Wordpress?), there have been problems
> associated with use of secret keys when the same key is used for
> different purposes throughout the application.
> ...
> - we add unique prefixes to the SECRET_KEY for every different
> place it is used. So for the e-mail confirmation link, we use
> HMAC("email-confirmation" + SECRET_KEY, message)
> - also add the ability to do SECRET_KEY rotation, as Simon
> suggested. This suggests we want a utility wrapper around hmac
> that looks like hmac(unique_key_prefix, key, message) and handles
> all the above details for us.
I share your concern. In the signed.py module I address your first
point by allowing an additional "extra_key" parameter:
>>> signed.dumps('hello', extra_key='ultra')
'UydoZWxsbycKcDAKLg.1XYDpILo5xqSwImfa3WuJJT4RPo'
>>> signed.loads(_, extra_key='ultra')
'hello'
However, this is available on dumps and loads but not on sign and
unsign - we should definitely implement it at those points instead.
I'm going to ask on some web security mailing list about best practice
for rotating keys. Do you have any further information on the
WordPress problems?
Cheers,
Simon
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to
django-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
