On Mar 29, 9:49 pm, Brad Ediger <[EMAIL PROTECTED]> wrote:
> > 2. Entropy
> > Related to #1: to resist brute force attacks, you really want 128
> > bits, and preferably 256 bits, of entropy. The source code suggests
> > "some secret phrase", which is unlikely to come even close. The way
> > to create a key is to use a PRNG seeded with true, system level
> > entropy.
>
> Agreed that "some secret phrase" will not yield 256 or even 128 bits
> of entropy. But the Rails app generator uses a version of
> generate_unique_id, which uses just about all of the system-level
> entropy available to Ruby. Granted, it's an MD5 hash (thus an upper
> limit of 128 bits of entropy), not a cryptographic PRNG, but it is
> better than a user-entered phrase by far.
Missed that - which file is this in?
> I'm not sure how an ephemeral key would work given that sessions may
> stick around arbitrarily long... were you suggesting that there is a
> solution, or were you only pointing out the problem?
Sessions would need to be refreshed - automatically by any request -
or would indeed expire.
> This has been very enlightening. Thanks for taking the time to write
> this up.
You're most welcome.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
