Hacker News new | past | comments | ask | show | jobs | submit login

So, is there much to be gained from encryption anyway? If, as the candidate, I suggested sending a cookie as 'userId=39493&role=user&timestamp=1414919&hash=<sha256-of-key-with-data>' then would I lose brownie points?

I assume my hash comparison function is constant time (eg. XOR(a[x],b[x])==0), rather than comparing of char-by-char.

No. Like I said, the candidate aced the interview. Holy, he knew what CBC was! Amazing!

Often you don't need confidentiality, and in those cases, HMAC can be a safer bet than a secure encrypted message format. You want to use HMAC though, not a simple hash with a secret key in it.

> hash=<sha256-of-key-with-data>

Oops, you invented your own keyed MAC and now I can append any data I want.

Sorry, I would really be using a proper RFC 2104 HMAC implementation (eg. python's hmac module).

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact