couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Candler <B.Cand...@pobox.com>
Subject Re: JavaScript bcrypt (was Re: authentication cleanup)
Date Wed, 27 Jan 2010 18:31:35 GMT
On Wed, Jan 27, 2010 at 08:12:28AM -0800, Jan Lehnardt wrote:
> Quoting http://en.wikipedia.org/wiki/HMAC:
> 
>   "The values of ipad and opad are not critical to the security of the algorithm"
> 
> If you mean these by "secret",  otherwise I don't follow.

*The* secret. HMAC is a function with two inputs: the thing you want to
hash, and a secret.

Basically what you get is a sort of signature which can only be constructed
(or verified) when you know the secret. It's a more secure construction than
Hash(secret || value), but basically achieves what you were trying to
achieve from that.

Details in RFC 2104.

You can see in couchdb that HMAC is used for verifying cookies in the cookie
auth module (signing them with the server secret)

Mime
View raw message