mercredi 12 août 2015

What makes a string / token cryptographically secure?

If you need to generate a string / token to authenticate future requests (e.g. an API key, an email confirmation URL, etc.), what factors should be considered?

In particular

  • What makes the string "secure" / "very hard to guess"?
  • How is the "security amount" measured / estimated?
  • What are the main standards out there?

A practical example

Let's take these two output strings from NodeJS.

String 1 (through Node crypto)

var crypto = require('crypto');
crypto.randomBytes(48, function (ex, buf) {
  console.log(buf.toString('hex'));
});

String 2 (through Node UUID)

var uuid = require('node-uuid');
console.log(uuid.v4());

Based on the concepts outlined above, which one would be more secure and why?

Also, please feel free to suggest any good introductory material on the topic, as I couldn't easily find articles about this online.




Aucun commentaire:

Enregistrer un commentaire