[Haskell-cafe] [Haskell] ANN: nonce package
heraldhoi at gmail.com
Sun Jun 7 08:26:45 UTC 2015
Hi, Felipe! Thank you for sharing!
The one question I have is there some good way to generate unique nonces?
сб, 23 мая 2015 г. в 22:01, Tobias Dammers <tdammers at gmail.com>:
> Looks useful; feature request: something like
> nonce :: MonadIO => Int -> Generator
> (plus -url and -T flavors, obviously). I believe allowing the programmer
> to balance security vs. usability demands would be a good thing overall
> and worth a knob.
> -> m ByteString
> On Fri, May 22, 2015 at 08:06:18PM -0300, Felipe Lessa wrote:
> > (Please forgive me if you received multiple copies of this e-mail.)
> > Hello,
> > The nonce package  contains functions to easily generate
> > cryptographic nonces for many situations. Some places where these
> > generated nonces can be used include:
> > - Password recovery e-mail tokens.
> > - XSRF protection tokens.
> > - Session IDs sent on cookies.
> > - Initialization vectors.
> > It uses an AES CPRNG periodically reseeded from /dev/urandom (or
> > equivalent). It has no frills, no knobs, so it's hard to misuse. It's
> > been available for an year but I just realized I've never properly
> > announced it.
> > Regrettably, I've seen many uses of the random package (System.Random)
> > when generating nonces. It's a bad choice: it is not a
> > cryptographically secure PRNG, contains low entropy (64-bit state), and
> > its default usage is seeded predictably (using a constant seed). Please
> > avoid using the random package for generating nonces at all costs. In
> > its stead, use the nonce package or something similar.
> > Cheers,
> >  http://hackage.haskell.org/package/nonce
> > --
> > Felipe.
> > _______________________________________________
> > Haskell mailing list
> > Haskell at haskell.org
> > http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell
> Tobias Dammers - tdammers at gmail.com
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Haskell-Cafe