Re: CSRF prevention token, why not HMAC_sha1(secret, action_name + session_id)?

---

• From: Kristian Gjøsteen <kristiag+news@xxxxxxxxxxxx>
• Date: Wed, 12 Aug 2009 11:08:10 +0000 (UTC)

---

oddmund <oddmund.mogedal@xxxxxxxxx> wrote:

[...]
HMAC_sha1(action_name + secret, session_id)
[... vs ...]
HMAC_sha1(secret, action_name + session_id)
[...]
Would this make any difference from a security perspective, or is it
equivalent?.

For your purposes, it would seem equivalent.

--
Kristian Gjøsteen
.

---

• Follow-Ups:
  • Re: CSRF prevention token, why not HMAC_sha1(secret, action_name + session_id)?
    • From: Rob Warnock

• References:
  • CSRF prevention token, why not HMAC_sha1(secret, action_name + session_id)?
    • From: oddmund

• Prev by Date: Re: crypto-related movies
• Next by Date: Re: ASCII_Modulated _Trapdoor Cipher – New Cryptography.
• Previous by thread: CSRF prevention token, why not HMAC_sha1(secret, action_name + session_id)?
• Next by thread: Re: CSRF prevention token, why not HMAC_sha1(secret, action_name + session_id)?
• Index(es):
  • Date
  • Thread

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > sci.crypt  > 2009-08