CSRF cipher in XOR + base64 or Vigenère cipher


Asif Saifuddin

Mar 7, 2015, 7:31:54 AM
to django-d...@googlegroups.com
Hi,

Just started working on this ticket: https://code.djangoproject.com/ticket/20869

Wondering what should be the preferred way?

Using XOR or the Vigenère cipher?


Regards

Erik Romijn

Mar 7, 2015, 8:02:07 AM
to django-d...@googlegroups.com
Hello,

In the context of a one time pad on the CSRF token, I don’t see a security advantage to either cipher here. If I read correctly, the argument for Vigenère is that it can already produce output suitable for inclusion in form values, not requiring base64 encoding of the one time pad.

I’ve looked up the current implementations that have been contributed:
Here’s the XOR+base64 implementation:
And the Vigenère implementation:

Though the Vigenère implementation means that base64 is not required and is significantly shorter, it seems considerably more complex and error prone. I can’t instantly see whether this implementation is correct. The XOR+base64 implementation, on the other hand, is straightforward and obvious. Therefore, if the current implementations are a proper measure for the complexity of implementing either option, XOR+base64 is my strong preference. Slightly more work, but substantially simpler, reducing the risk of overlooked implementation errors.

Erik


Adam Brenecki

Mar 8, 2015, 6:17:48 PM
to django-d...@googlegroups.com
To be fair to the Vigenère cipher algorithm, it is insanely simple; I think when I wrote the implementation in that pull request, I was probably inappropriately using lambdas and generator expressions, and in doing so making it look more complicated than it really is.

A neater, more readable Vigenère cipher (that is still logically equivalent to the first one) might look like this: https://gist.github.com/adambrenecki/3b4d75ba039e6e455f7c .
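The two masking options the thread compares, written out side by side as an added example (this is not code from the thread, the linked pull request or gist, or Django itself). Both XOR a fresh full-length mask into the secret so each response carries a different form value; the XOR variant needs base64 to become form-safe, while the Vigenère-style variant shifts characters within an assumed alphanumeric alphabet and so already is. The alphabet, function names and mask length are assumptions of this example.

```python
import base64
import secrets
import string
from typing import Optional, Tuple

# Assumed token alphabet for the Vigenere-style variant (constructed for this example).
ALPHABET = string.ascii_letters + string.digits


def xor_mask(secret: str, mask: Optional[bytes] = None) -> Tuple[str, str]:
    """XOR the secret with a one-time pad of equal length; base64 both values.

    Returns (mask_b64, masked_b64). A fresh random mask is drawn when none is given.
    """
    data = secret.encode("ascii")
    if mask is None:
        mask = secrets.token_bytes(len(data))
    if len(mask) != len(data):
        raise ValueError("mask must be exactly as long as the secret")
    masked = bytes(a ^ b for a, b in zip(data, mask))
    return (base64.urlsafe_b64encode(mask).decode("ascii"),
            base64.urlsafe_b64encode(masked).decode("ascii"))


def xor_unmask(mask_b64: str, masked_b64: str) -> str:
    """Reverse xor_mask: decode both values and XOR them back together."""
    mask = base64.urlsafe_b64decode(mask_b64)
    masked = base64.urlsafe_b64decode(masked_b64)
    return bytes(a ^ b for a, b in zip(masked, mask)).decode("ascii")


def vigenere_mask(secret: str, mask: Optional[str] = None) -> Tuple[str, str]:
    """Shift each secret character by the matching mask character, modulo the alphabet.

    Output stays inside ALPHABET, so no further encoding is needed for a form field.
    """
    if mask is None:
        mask = "".join(secrets.choice(ALPHABET) for _ in secret)
    if len(mask) != len(secret):
        raise ValueError("mask must be exactly as long as the secret")
    pairs = zip((ALPHABET.index(c) for c in secret), (ALPHABET.index(c) for c in mask))
    masked = "".join(ALPHABET[(s + m) % len(ALPHABET)] for s, m in pairs)
    return mask, masked


def vigenere_unmask(mask: str, masked: str) -> str:
    """Reverse vigenere_mask by subtracting the mask shift, modulo the alphabet."""
    pairs = zip((ALPHABET.index(c) for c in masked), (ALPHABET.index(c) for c in mask))
    return "".join(ALPHABET[(x - m) % len(ALPHABET)] for x, m in pairs)
```

Both variants round-trip with the same mask, and the Vigenère output passes an `all(c in ALPHABET for c in masked)` check without any base64 step.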
