Hello,

In the context of a one time pad on the CSRF token, I don’t see a security 
advantage to either cipher here. If I read correctly, the argument for Vigenère 
is that it can already produce output suitable for inclusion in form values, 
not requiring base64 encoding of the one time pad.

I’ve looked up the current implementations that have been contributed:
Here’s the XOR+base64 implementation:
https://github.com/django/django/compare/66285eb2a7a6fb3e6ec0eec0bbc15a5e94215872#diff-a3be722ce2831a8d11438021d44cedf1R62
And the Vigenère implementation:
https://github.com/django/django/pull/1477/files#diff-a3be722ce2831a8d11438021d44cedf1R40

Though the Vigenère implementation means that base64 is not required and is 
significantly shorter, it seems considerably more complex and error prone. I 
can’t instantly see whether this implementation is correct. The XOR+base64 
implementation, on the other hand, is straightforward and obvious. Therefore, 
if the current implementations are a proper measure for the complexity of 
implementing either option, XOR+base64 is my strong preference. Slightly more 
work, but substantially simpler, reducing the risk of overlooked implementation 
errors.

Erik
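The two masking schemes compared above, as an added illustration in Python; this is not the code from either linked Django branch. Both variants prepend a fresh random mask to the masked secret so the token differs on every response; the XOR variant needs base64 to stay form-safe, while the Vigenère-style shift keeps its output inside the allowed alphabet. The 32-character secret and the a-zA-Z0-9 alphabet are assumptions.

```python
"""One-time-pad masking of a CSRF secret, two ways (added example, not
Django's code). Assumed: secret and mask are the same length and the secret
is drawn from ALPHABET."""
import base64
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed allowed charset
N = len(ALPHABET)


def xor_base64_mask(secret: str, mask: bytes) -> str:
    """XOR the secret bytes with the mask, then base64 mask||ciphertext.
    The XOR output is arbitrary bytes, hence the encoding step."""
    data = secret.encode("ascii")
    assert len(mask) == len(data)
    xored = bytes(a ^ b for a, b in zip(data, mask))
    return base64.urlsafe_b64encode(mask + xored).decode("ascii")


def xor_base64_unmask(token: str) -> str:
    """Decode, split mask and ciphertext, XOR again to recover the secret."""
    raw = base64.urlsafe_b64decode(token)
    half = len(raw) // 2
    mask, xored = raw[:half], raw[half:]
    return bytes(a ^ b for a, b in zip(xored, mask)).decode("ascii")


def vigenere_mask(secret: str, mask: str) -> str:
    """Shift each secret character by the index of the matching mask character,
    modulo the alphabet size. Output stays in ALPHABET, so no base64 is needed."""
    assert len(mask) == len(secret)
    cipher = "".join(ALPHABET[(ALPHABET.index(s) + ALPHABET.index(m)) % N]
                     for s, m in zip(secret, mask))
    return mask + cipher


def vigenere_unmask(token: str) -> str:
    """Split mask and ciphertext, shift back to recover the secret."""
    half = len(token) // 2
    mask, cipher = token[:half], token[half:]
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(m)) % N]
                   for c, m in zip(cipher, mask))


def new_tokens(secret: str):
    """Produce one token of each style with a fresh random mask per call."""
    xor_tok = xor_base64_mask(secret, secrets.token_bytes(len(secret)))
    vig_tok = vigenere_mask(secret, "".join(secrets.choice(ALPHABET) for _ in secret))
    return xor_tok, vig_tok
```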

> On 07 Mar 2015, at 13:31, Asif Saifuddin <[email protected]> wrote:
> 
> Hi,
> 
> Just start working on this ticket https://code.djangoproject.com/ticket/20869
> 
> wondering what should be the preferred way ?
> 
> using XOR or Vigenère Cipher?
> 
> 
> Regards
> 
> --
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected] 
> <mailto:[email protected]>.
> To post to this group, send email to [email protected] 
> <mailto:[email protected]>.
> Visit this group at http://groups.google.com/group/django-developers 
> <http://groups.google.com/group/django-developers>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/3d23b87e-c153-4035-a838-331d5bc9cd1d%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/django-developers/3d23b87e-c153-4035-a838-331d5bc9cd1d%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout 
> <https://groups.google.com/d/optout>.

