librelist archives

« back to archive

Change in the default encryption mode - Backward incompatible

Change in the default encryption mode - Backward incompatible

From:
Loic d'Anterroches
Date:
2011-03-16 @ 11:10
Hello,

As I am slowly learning about cryptography, I finally found what should
be done for cryptography, hashing and signing:

- signing: hmac with sha1 algorithm.
- hashing (passwords): crypt with blowfish algorithm.
- encryption/decryptino: twofish with CFB mode.

Signing is done and good. Hashing is not yet used in Photon, so nothing
to worry about, we will just use the right way right from the start.

Encryption is bad, we are using twofish and ecb mode to not have to use
an initialisation vector to save space for encrypted cookies in the
session storage. This is stupid. I am going to add a cookie with the IV
(it is not a problem to have it publicly available) and this will allow
us to have a really robust system.

Yes, I want all the crypto stuff to be top notch for Photon to sleep
well at night.

loïc

--
Indefero - Project management and code hosting - http://www.indefero.net
Photon - High Performance PHP Framework - http://photon-project.com
Céondo Ltd - Web + Science = Fun - http://www.ceondo.com