PerlMonks  

Re^9: encrypt/decrypt string

by pKai (Priest)
on Oct 27, 2006 at 06:25 UTC [id://580870]


in reply to Re^8: encrypt/decrypt string
in thread encrypt/decrypt string

  1. ...?id=mylogin
    attacker knows another user's login or guesses it and can easily impersonate that user.
  2. ...?id=myloginencrypted
    attacker knows another user's login and can deduce the encoding/encryption scheme (e.g. by deriving it from his own login->loginencrypted; i.e. a "plaintext attack"). One more hurdle compared to (1), but not really that much harder.
  3. ...?id=randomtokenmatchedbyservertouser
    Here there is no encryption to guess. The attacker actually has to get hold of the token for the user he wants to impersonate (which works for (2) too, of course).
It seems you want to avoid (1) by choosing (2), which is not really an improvement IMHO. The alternative (3), proposed by others in this thread, is far "safer" with respect to your goal.
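To make the difference between (2) and (3) concrete, here is an added example (not code from the thread or from any poster) that puts both schemes side by side in Perl. The deterministic transform standing in for "myloginencrypted" is a plain SHA-256 of the login with a fixed prefix; it is an assumption, chosen only to show the property every such scheme shares, namely that the id is a pure function of the login. The server-side store is a hypothetical in-memory hash standing in for a database or session table, and the token source assumes a Unix-like system with /dev/urandom.

```perl
#!/usr/bin/perl
# Added example: scheme (2) "id derived from login" next to scheme (3)
# "random token matched by the server to the user".
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# --- Scheme (2): id is a fixed transform of the login --------------------
# Stand-in transform (assumption). Whatever the real encoding/encryption
# is, a deterministic function of the login behaves like this: the same
# login always yields the same id, so the id can never be revoked.
sub derived_id {
    my ($login) = @_;
    return sha256_hex("stand-in-transform:$login");
}

# --- Scheme (3): random token, looked up on the server -------------------
# Hypothetical in-memory store; a real application would use a DB table.
my %session_of_token;
my $SESSION_TTL = 30 * 60;   # seconds; tune for your application

sub random_token {
    # 32 bytes from the OS CSPRNG -> 64 hex characters (256 bits).
    # Assumes /dev/urandom is available (Unix-like systems).
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

sub new_session {
    my ($login) = @_;
    my $token = random_token();
    # A collision is astronomically unlikely, but never overwrite a live session.
    $token = random_token() while exists $session_of_token{$token};
    $session_of_token{$token} = { user => $login, expires => time + $SESSION_TTL };
    return $token;
}

sub user_for_token {
    my ($token) = @_;
    # Reject anything that is not a well-formed token before touching the store.
    return undef unless defined $token && $token =~ /\A[0-9a-f]{64}\z/;
    my $s = $session_of_token{$token} or return undef;
    if ($s->{expires} <= time) {
        delete $session_of_token{$token};   # expired: drop it and deny
        return undef;
    }
    return $s->{user};
}

sub end_session {
    my ($token) = @_;
    delete $session_of_token{$token};   # logout / revocation
    return;
}

# --- Demonstration with a constructed sample login -----------------------
my $login = 'alice';

# (2): identical on every request; tied to the login for as long as it exists.
print "scheme 2, request 1: ", derived_id($login), "\n";
print "scheme 2, request 2: ", derived_id($login), "\n";   # same value

# (3): each login produces an unrelated token that can be revoked or expire.
my $t1 = new_session($login);
my $t2 = new_session($login);
print "scheme 3, session 1: $t1\n";
print "scheme 3, session 2: $t2\n";                        # unrelated to t1
print "lookup t1:              ", user_for_token($t1) // 'no session', "\n";   # alice
end_session($t1);
print "lookup t1 after logout: ", user_for_token($t1) // 'no session', "\n";   # no session
print "lookup t2:              ", user_for_token($t2) // 'no session', "\n";   # alice
print "lookup forged token:    ", user_for_token('0' x 64) // 'no session', "\n";
```

Two points the code makes that the list above only implies: with (3) there is nothing for an attacker to derive from his own token, because the mapping lives only on the server, and a stolen token can be killed by deleting one hash entry, whereas a derived id stays valid until the login itself changes. Independently of which scheme is chosen, carrying the token in the query string (as in the thread's `?id=...` URLs) exposes it through Referer headers, browser history and server logs; an HttpOnly, Secure cookie sent over HTTPS is the usual carrier.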

Re^10: encrypt/decrypt string
by artist (Parson) on Oct 27, 2006 at 14:38 UTC
    In (2): the attacker has to guess A. the encryption type and B. the 'salt' used. What if the 'salt' required for encryption is deduced from the login by some magic formula?
    --Artist
