[Haskell-cafe] [Haskell] ANN: nonce package

Geraldus heraldhoi at gmail.com
Sun Jun 7 08:26:45 UTC 2015


Hi, Felipe! Thank you for sharing!

The one question I have is there some good way to generate unique nonces?

сб, 23 мая 2015 г. в 22:01, Tobias Dammers <tdammers at gmail.com>:

> Looks useful; feature request: something like
>
>     nonce :: MonadIO => Int -> Generator
>
> (plus -url and -T flavors, obviously). I believe allowing the programmer
> to balance security vs. usability demands would be a good thing overall
> and worth a knob.
>
> -> m ByteString
> On Fri, May 22, 2015 at 08:06:18PM -0300, Felipe Lessa wrote:
> > (Please forgive me if you received multiple copies of this e-mail.)
> >
> > Hello,
> >
> > The nonce package [1] contains functions to easily generate
> > cryptographic nonces for many situations.  Some places where these
> > generated nonces can be used include:
> >
> >   - Password recovery e-mail tokens.
> >
> >   - XSRF protection tokens.
> >
> >   - Session IDs sent on cookies.
> >
> >   - Initialization vectors.
> >
> > It uses an AES CPRNG periodically reseeded from /dev/urandom (or
> > equivalent).  It has no frills, no knobs, so it's hard to misuse.  It's
> > been available for an year but I just realized I've never properly
> > announced it.
> >
> > Regrettably, I've seen many uses of the random package (System.Random)
> > when generating nonces.  It's a bad choice: it is not a
> > cryptographically secure PRNG, contains low entropy (64-bit state), and
> > its default usage is seeded predictably (using a constant seed).  Please
> > avoid using the random package for generating nonces at all costs.  In
> > its stead, use the nonce package or something similar.
> >
> > Cheers,
> >
> > [1] http://hackage.haskell.org/package/nonce
> >
> > --
> > Felipe.
> >
>
>
>
> > _______________________________________________
> > Haskell mailing list
> > Haskell at haskell.org
> > http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell
>
>
> --
> Tobias Dammers - tdammers at gmail.com
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20150607/d591a04a/attachment.html>


More information about the Haskell-Cafe mailing list