PerlMonks  

Re: Is this a secure way to prevent cookie tampering

by exussum0 (Vicar)
on Jun 30, 2004 at 13:02 UTC


in reply to Is this a secure way to prevent cookie tampering

If you need to store any information in the cookie, because of doing db lookups for the same tiny pieces of information, such as a username, user id or some sort of preference:

1. Encrypt it.
2. bin2hex/urlencode/uuencode it.
3. take the md5 and append it.

If the md5 of the encrypted info doesn't match the md5 of the encrypted/md5 part, you know someone was tampering with it.

Yes, you can do a lot of caching tricks server side, but sometimes, you don't have a choice. -s

Bart: God, Schmod. I want my monkey-man.

Re^2: Is this a secure way to prevent cookie tampering
by Anonymous Monk on Jun 30, 2004 at 16:46 UTC
    1. Encrypt it.
    2. bin2hex/urlencode/uuencode it.
    3. take the md5 and append it.
    Take the md5 of what? If you md5 the ciphertext, an attacker can still flip bits as I described elsewhere in this thread, then recompute the md5. If you md5 the plaintext, that may allow him to launch a dictionary attack. For best results, use a real keyed MAC function.

    And I thought everybody knew better than to use md5 for new development by now.

      Md5 the plain text and then encrypt that. If you are worried about plaintext attacks, gzip the plain text to turn it to binary first.

      TIMTOWTDI.

      Bart: God, Schmod. I want my monkey-man.

        TIMTOWTDI
        Yes, there is more than one way. Many of the ways are booby trapped, though. It's best to be somewhat less offhand about proposing new cryptographic protocols.

        if you are worried about plaintext attacks, gzip the plain text to turn it to binary first.
        Binary data is still plaintext to a cryptographer. Gzipping can reduce some redundancies in the plaintext, but it also introduces its own structure.
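The point argued in this thread (an unkeyed md5 appended to the payload can be recomputed by whoever edits the payload, whereas a keyed MAC cannot), as an added example in Python rather than Perl; this is not code from any of the posters. It uses only the standard library, treats the cookie payload as opaque bytes (the encryption step is out of scope here), and assumes a per-deployment secret `SERVER_KEY` that is never sent to the browser.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed: a server-side secret generated once per deployment (constructed here at import).
SERVER_KEY = secrets.token_bytes(32)

def pack(payload: bytes, tag: bytes) -> str:
    """Cookie wire format: urlsafe-base64(payload) '.' hex(tag)."""
    return base64.urlsafe_b64encode(payload).decode() + "." + tag.hex()

def unpack(cookie: str):
    body, tag_hex = cookie.rsplit(".", 1)
    return base64.urlsafe_b64decode(body), bytes.fromhex(tag_hex)

# --- scheme proposed in the thread: unkeyed md5 appended to the payload ---
def make_md5_cookie(payload: bytes) -> str:
    return pack(payload, hashlib.md5(payload).digest())

def verify_md5_cookie(cookie: str) -> bool:
    payload, tag = unpack(cookie)
    return hmac.compare_digest(hashlib.md5(payload).digest(), tag)

# --- keyed MAC, as the reply recommends: the tag depends on a secret ---
def make_hmac_cookie(payload: bytes, key: bytes = SERVER_KEY) -> str:
    return pack(payload, hmac.new(key, payload, hashlib.sha256).digest())

def verify_hmac_cookie(cookie: str, key: bytes = SERVER_KEY) -> bool:
    payload, tag = unpack(cookie)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time compare

def flip_and_recompute(cookie: str) -> str:
    """Modify one byte of the payload and recompute the unkeyed md5.
    No secret is needed, so the md5 verifier cannot tell."""
    payload, _ = unpack(cookie)
    tampered = bytearray(payload)
    tampered[0] ^= 0x01
    return make_md5_cookie(bytes(tampered))

def flip_and_reuse_tag(cookie: str) -> str:
    """Same modification, but the tag has to be reused because
    recomputing it requires SERVER_KEY."""
    payload, tag = unpack(cookie)
    tampered = bytearray(payload)
    tampered[0] ^= 0x01
    return pack(bytes(tampered), tag)
```

`verify_md5_cookie` accepts the tampered cookie, `verify_hmac_cookie` rejects it; md5 is kept in the example only because it is the function the thread names, the keyed construction is what provides the integrity check.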
