On 12/18/07, tekwiz <[EMAIL PROTECTED]> wrote: > After looking at the controversy, delving into my security textbook, > and reading some articles on hashing, I would like to recommend some > tweaks to the CookieSesson defaults and the new 'rake secret'. > > 1) Change the default hash used in the cookies to SHA256 as a hole > was semi-recently found in SHA1. > > 2) Make 'rake secret' use the lengthier SHA512 hash and output the > secret key in base64, or better yet, in a binary string. The 30 > character length requirement will require multiple hashes to be > generated; however, it will add a significant amount of entropy to > every character. (The limited character set in a hex-characters-only > key may lead to a differential cryptanalysis -- I'm no crypto-expert, > so if someone else knows different, please ease my mind) > OR > 3) Make 'rake secret' use OpenSSL to generate the secret key. > > 4) Add, at least an option, to hash the IP address of the user into > the cookie's hash. This should prevent against replay attacks > automatically without the application developer having to write in > this check. > > I am willing to write the patches for any/all of these changes.
Great! These are fine changes and your efforts are quite welcome. > Also, I noted that a secret key was also set in a comment in the > generated ApplicationController. I assume that this is unnecessary > since the secret is set by default in the environment.rb. I recommend > taking this out of the ApplicationController, assuming it's > unnecessary. Agreed. > And a comment on previous thoughts about using asymmetric key > cryptography for generating a signature: I don't recommend this as it > is much much more processor intensive than generating a > cryptographically secure hash, and a cryptographically secure hash is > probably just as effective -- for now. > > If I'm beating a dead horse on any of this, I apologize. I tried to > do as much research on the controversy as possible, but I, of course, > could have missed some things. Not at all. I look forward to your patches! Best, jeremy --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en -~----------~----~----~----~------~----~------~--~---
