On 12/20/07, tekwiz <[EMAIL PROTECTED]> wrote: > > On Dec 20, 5:06 am, "Isak Hansen" <[EMAIL PROTECTED]> wrote: > > On 12/19/07, tekwiz <[EMAIL PROTECTED]> wrote: > > > > > > 1) Change the default hash used in the cookies to SHA256 as a hole > > > was semi-recently found in SHA1. > > > > I don't mind either way, another few bytes couldn't hurt if the > > algorithm is readily available. > > > > But which attack on SHA1 are you referring to? Any 'feasible' attack > > I've seen involves finding collisions, i.e. one person creating two > > messages with the same digest, which is of no significance here. > > The problem is that when somebody can find a collision, they can use > those collisions to effectively reverse the hash to determine the > secret key. >
I already cited an article that touch on the topic, but probably should have linked RFC 4270: Attacks on Cryptographic Hashes in Internet Protocols[1], which is written specifically to elaborate on this issue. Regards, Isak [1] <http://tools.ietf.org/html/rfc4270> --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en -~----------~----~----~----~------~----~------~--~---
