[Haskell-cafe] [Haskell] ANN: nonce package

Geraldus heraldhoi at gmail.com
Sun Jun 7 09:44:02 UTC 2015 

Also it is good to make a new generator in function which
produces a nonce? E.g.

generateNonce :: forall (m :: * -> *). (MonadIO m, Functor m) => m Text
generateNonce =
  do g <- new
     nonce128urlT g



вс, 7 июня 2015 г. в 13:26, Geraldus <heraldhoi at gmail.com>:

> Hi, Felipe! Thank you for sharing!
>
> The one question I have is there some good way to generate unique nonces?
>
> сб, 23 мая 2015 г. в 22:01, Tobias Dammers <tdammers at gmail.com>:
>
>> Looks useful; feature request: something like
>>
>>     nonce :: MonadIO => Int -> Generator
>>
>> (plus -url and -T flavors, obviously). I believe allowing the programmer
>> to balance security vs. usability demands would be a good thing overall
>> and worth a knob.
>>
>> -> m ByteString
>> On Fri, May 22, 2015 at 08:06:18PM -0300, Felipe Lessa wrote:
>> > (Please forgive me if you received multiple copies of this e-mail.)
>> >
>> > Hello,
>> >
>> > The nonce package [1] contains functions to easily generate
>> > cryptographic nonces for many situations.  Some places where these
>> > generated nonces can be used include:
>> >
>> >   - Password recovery e-mail tokens.
>> >
>> >   - XSRF protection tokens.
>> >
>> >   - Session IDs sent on cookies.
>> >
>> >   - Initialization vectors.
>> >
>> > It uses an AES CPRNG periodically reseeded from /dev/urandom (or
>> > equivalent).  It has no frills, no knobs, so it's hard to misuse.  It's
>> > been available for an year but I just realized I've never properly
>> > announced it.
>> >
>> > Regrettably, I've seen many uses of the random package (System.Random)
>> > when generating nonces.  It's a bad choice: it is not a
>> > cryptographically secure PRNG, contains low entropy (64-bit state), and
>> > its default usage is seeded predictably (using a constant seed).  Please
>> > avoid using the random package for generating nonces at all costs.  In
>> > its stead, use the nonce package or something similar.
>> >
>> > Cheers,
>> >
>> > [1] http://hackage.haskell.org/package/nonce
>> >
>> > --
>> > Felipe.
>> >
>>
>>
>>
>> > _______________________________________________
>> > Haskell mailing list
>> > Haskell at haskell.org
>> > http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell
>>
>>
>> --
>> Tobias Dammers - tdammers at gmail.com
>> _______________________________________________
>> Haskell-Cafe mailing list
>> Haskell-Cafe at haskell.org
>> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20150607/9a96cc29/attachment.html>

More information about the Haskell-Cafe mailing list