Constructing "capability" URLs
Don Davis
dtd at world.std.com
Wed Sep 4 18:45:46 EDT 2002
At 1:53 PM +0800 9/4/02, Ng Pheng Siong wrote:
> I'm building a web app which... constructs URLs on the fly.
...
> I'm creating the capability thusly:
> cap = hmac-sha1(key, "/object?action=something&expiry=timeval")
> My questions:
...
> 2. The key is created from /dev/random. How long should it
> be? In my threat model, the key changes every few hours.
>
> 3. Any other thoughts?
use /dev/urandom (the pseudorandomly-amplified version
of /dev/random), and you can change the key more
frequently, without emptying /dev/random's entropy
buffer. unless i'm missing something, /dev/urandom
is secure enough for your application.
- don davis, boston
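
An added example, not part of the original thread or either poster's code: one way to mint and verify the HMAC-SHA1 capability URLs discussed above, with the key read from the kernel CSPRNG via os.urandom (the /dev/urandom source) and rotated on demand. The class name, the `cap` query parameter, the 20-byte key length and the one-previous-key grace window are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class CapabilityMinter:
    """Mints and checks HMAC-SHA1 capability URLs with a rotating key."""

    def __init__(self, key_len=20):
        self.key_len = key_len  # assumption: 20 bytes, the SHA-1 output size
        self.current = os.urandom(key_len)  # kernel CSPRNG, does not block
        self.previous = None

    def rotate(self):
        # Keep one old key so URLs minted just before rotation still verify.
        self.previous, self.current = self.current, os.urandom(self.key_len)

    @staticmethod
    def _tag(key, msg):
        return hmac.new(key, msg.encode(), hashlib.sha1).hexdigest()

    def mint(self, path, action, ttl, now=None):
        expiry = int((time.time() if now is None else now) + ttl)
        msg = f"{path}?{urlencode({'action': action, 'expiry': expiry})}"
        return f"{msg}&cap={self._tag(self.current, msg)}"

    def verify(self, url, now=None):
        msg, sep, cap = url.rpartition("&cap=")
        if not sep:
            return False
        # Check the MAC first; only then trust the expiry field it covers.
        keys = [k for k in (self.current, self.previous) if k is not None]
        if not any(hmac.compare_digest(self._tag(k, msg).encode(), cap.encode())
                   for k in keys):
            return False
        expiry = parse_qs(urlsplit(msg).query).get("expiry", [""])[0]
        now = time.time() if now is None else now
        return expiry.isdigit() and int(expiry) > now
```

Because the expiry is inside the MACed string, a rotated-out key only has to be kept for as long as the longest TTL that was issued under it.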