Re: [hybi] why did rfc6455 choose the 16-byte sec_websocket_key

Juan Li <ruoqiu.lee@gmail.com> Mon, 27 February 2012 14:38 UTC

What kind of security implications? E.g., how does that kind of security
problem happen?

Thanks,
juanzi.

2012/2/20 John Tamplin <jat@google.com>

>  On Sun, Feb 19, 2012 at 4:38 AM, juan li <ruoqiu.lee@gmail.com> wrote:
>
>>        Why does rfc6455 choose the 16-byte sec_websocket_key?  When
>> encoded, it occupies 24 bytes. The sec_websocket_accept occupies 28 bytes.
>> They are so long.
>> Why not choose a shorter key?
>>
>
> A shorter key has security implications, and since this happens once per
> handshake the cost is negligible.
>
> --
> John A. Tamplin
> Software Engineer (GWT), Google
>
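The sizes in the original question follow from the handshake arithmetic in RFC 6455 (16 random bytes base64-encode to 24 characters; the Accept value is base64 of a 20-byte SHA-1 digest, so 28 characters). As an added example that is not code from either poster, here is that computation with the length check a server should apply to an incoming key and the constant-time comparison a client should make on the server's reply; the GUID and the test vector are the ones published in RFC 6455 section 1.3.

```python
import base64
import hashlib
import hmac
import os

# Constant fixed by RFC 6455, section 1.3: the server appends it to the key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_key() -> str:
    """Client side: 16 random bytes, base64-encoded, yields 24 characters."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def validate_key(key: str) -> bytes:
    """Server side: accept only keys that are base64 of exactly 16 bytes."""
    try:
        raw = base64.b64decode(key, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("Sec-WebSocket-Key is not valid base64") from exc
    if len(raw) != 16:
        raise ValueError(f"Sec-WebSocket-Key decodes to {len(raw)} bytes, expected 16")
    return raw


def make_accept(key: str) -> str:
    """Server side: base64(SHA-1(key + GUID)); 20-byte digest -> 28 characters."""
    validate_key(key)
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_accept(key: str, accept_header: str) -> bool:
    """Client side: check the server's Sec-WebSocket-Accept against the key sent."""
    expected = make_accept(key)
    return hmac.compare_digest(expected.encode("ascii"), accept_header.encode("ascii"))


if __name__ == "__main__":
    # Test vector from RFC 6455 section 1.3.
    sample_key = "dGhlIHNhbXBsZSBub25jZQ=="
    print(make_accept(sample_key))  # s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
    fresh = make_key()
    print(len(fresh), len(make_accept(fresh)))  # 24 28
```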