Tamper-proofing vs. encryption

by gaal (Parson)
on Jun 29, 2004 at 14:31 UTC


in reply to Is this a secure way to prevent cookie tampering

Apart from protecting yourself from spoofing, do you need to encrypt the data inside the cookie?

If you're just looking for a way to make a tamper-proof ticket, you can send the ticket data in the clear, plus a MAC (message authentication code). One advantage is that if you update the structure of the ticket, you don't need to change the decryption routine: there *is* no decryption routine. You receive a ticket, check that it is valid, and trust everything in it. (Actually, you could refactor your code to allow this in your approach as well.)

Also, in a real-world case you'll probably want to add an issue timestamp so that you can expire old tickets quickly — in the cleartext version, even before you waste CPU on crypto.

Replies are listed 'Best First'.
Re: Tamper-proofing vs. encryption
by EvdB (Deacon) on Jun 29, 2004 at 15:38 UTC
    Thank you. I will look into just using Digest::EMAC instead of all the encryption. I suppose the encryption was just used to ensure that the checksum was not tampered with, which the MAC would achieve.

    --tidiness is the memory loss of environmental mnemonics
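
The ticket scheme discussed in this thread (cleartext data, an issue timestamp, and a MAC), as an added example that is not part of either post. It assumes HMAC-SHA256 from Digest::SHA as the MAC rather than the Digest::EMAC module mentioned in the reply; the field layout, key, lifetime and sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions of this example (not from the thread): HMAC-SHA256 as the MAC,
# a "user|issued_at|mac" layout, and a 30-minute ticket lifetime.
my $SECRET  = 'constructed-demo-key-change-me';   # known to the server only
my $MAX_AGE = 30 * 60;

# Issue: cleartext fields followed by a MAC over exactly those fields.
sub make_ticket {
    my ($user, $now) = @_;
    # Refuse names containing the delimiter so fields cannot be shifted.
    die "bad user name\n" unless $user =~ /\A[A-Za-z0-9_.-]+\z/;
    my $data = "$user|$now";
    return "$data|" . hmac_sha256_hex($data, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify: returns the user name, or undef for malformed, expired or forged tickets.
sub check_ticket {
    my ($ticket, $now) = @_;
    my ($user, $issued, $mac) =
        $ticket =~ /\A([A-Za-z0-9_.-]+)\|(\d{1,12})\|([0-9a-f]{64})\z/
        or return undef;
    # Cheap cleartext expiry test first, before any crypto is done.
    return undef if $issued > $now || $now - $issued > $MAX_AGE;
    return undef unless ct_eq($mac, hmac_sha256_hex("$user|$issued", $SECRET));
    return $user;   # the MAC checked out, so the cleartext fields can be trusted
}

my $t0     = 1_088_519_460;                  # constructed issue time
my $ticket = make_ticket('evdb', $t0);
(my $edited = $ticket) =~ s/\Aevdb/root/;    # cleartext changed, MAC left as issued

printf "%-8s %s\n", 'valid',   check_ticket($ticket, $t0 + 60)   // 'rejected';
printf "%-8s %s\n", 'edited',  check_ticket($edited, $t0 + 60)   // 'rejected';
printf "%-8s %s\n", 'expired', check_ticket($ticket, $t0 + 3600) // 'rejected';
```

Changing the ticket layout only touches the regex and the string that is MACed; there is still no decryption step to keep in sync.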
