[11617] in cryptography@c2.net mail archive
Re: Constructing "capability" URLs
daemon@ATHENA.MIT.EDU (Don Davis)
Wed Sep 4 21:49:17 2002
In-Reply-To: <20020904135349.A213@vista.netmemetic.com>
Date: Wed, 4 Sep 2002 18:45:46 -0400
To: Ng Pheng Siong <ngps@netmemetic.com>
From: Don Davis <dtd@world.std.com>
Cc: cryptography@wasabisystems.com
At 1:53 PM +0800 9/4/02, Ng Pheng Siong wrote:
> I'm building a web app which... constructs URLs on the fly.
...
> I'm creating the capability thusly:
> cap = hmac-sha1(key, "/object?action=something&expiry=timeval")
> My questions:
...
> 2. The key is created from /dev/random. How long should it
> be? In my threat model, the key changes every few hours.
>
> 3. Any other thoughts?
use /dev/urandom (the psudorandomly-amplified version
of /dev/random), and you can change the key more
frequently, without emptying /dev/random's entropy
buffer. unless i'm missing something, /dev/urandom
is secure enough for your application.
- don davis, boston
-
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
