Hi, Felipe! Thank you for sharing!

The one question I have is there some good way to generate unique nonces?

сб, 23 мая 2015 г. в 22:01, Tobias Dammers <tdammers@gmail.com>:

Looks useful; feature request: something like

    nonce :: MonadIO => Int -> Generator

(plus -url and -T flavors, obviously). I believe allowing the programmer
to balance security vs. usability demands would be a good thing overall
and worth a knob.

-> m ByteString
On Fri, May 22, 2015 at 08:06:18PM -0300, Felipe Lessa wrote:
> (Please forgive me if you received multiple copies of this e-mail.)
>
> Hello,
>
> The nonce package [1] contains functions to easily generate
> cryptographic nonces for many situations.  Some places where these
> generated nonces can be used include:
>
>   - Password recovery e-mail tokens.
>
>   - XSRF protection tokens.
>
>   - Session IDs sent on cookies.
>
>   - Initialization vectors.
>
> It uses an AES CPRNG periodically reseeded from /dev/urandom (or
> equivalent).  It has no frills, no knobs, so it's hard to misuse.  It's
> been available for an year but I just realized I've never properly
> announced it.
>
> Regrettably, I've seen many uses of the random package (System.Random)
> when generating nonces.  It's a bad choice: it is not a
> cryptographically secure PRNG, contains low entropy (64-bit state), and
> its default usage is seeded predictably (using a constant seed).  Please
> avoid using the random package for generating nonces at all costs.  In
> its stead, use the nonce package or something similar.
>
> Cheers,
>
> [1] http://hackage.haskell.org/package/nonce
>
> --
> Felipe.
>



> _______________________________________________
> Haskell mailing list
> Haskell@haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell


--
Tobias Dammers - tdammers@gmail.com
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe