--- Ryan Davis <[EMAIL PROTECTED]> wrote:
> First of all, thanks for the quick response. This application isn't in use
> yet, so now is the time to make security changes
>
> A few questions/let me see if I'm following you:
>
> A user enters their password, I create the digest, and store the digest as a
> cookie. This is secure since you can't recreate the digest without knowing
> $rand.
>
> When they change pages (states in the script) the CGI reads the cookie, and
> converts the digest to password, and verifies it?
>
> How is the conversion from digest to password done? I check my docs, and it
> doesn't say anything about getting the message _out_ of digest form.
>
> Thanks,
> Ryan
Ryan,

It is mathematically improbable that you can convert from the digest to the password. That is why digests are often used to store passwords. If a cracker breaks into your box and snags a list of 'digested' passwords, they can't recover the passwords. In short, you *can't* get the message out of digest form.

Here's how it works: you have a new user sign up and you issue them a user name and password. Then, you have your digest creation function that I gave you create a digest from the password. You save this digest in the database or flat file or whatever. You *never* save the password. Later, when they log in, you recreate a digest from the password using the *exact* same digest creation function. Then, you compare the computed digest with what's in the database. If they match, the user is good and you can send the digest in the cookie. Later, when you retrieve the cookie, you just compare its value to what's in the database (no need to recompute).

The important thing to remember is that whenever a digest is created from a password, the function NEVER CHANGES. I would put the "create_digest_from_password" function in a module so that all scripts are guaranteed to access the same function.

If you're looking for a more sophisticated version of this, you can read http://www.perlmonks.org/index.pl?node_id=101247. In this post, I was asking for advice on a security model I was developing. It's object-oriented Perl and some of it may be confusing, but if you read through it you can see the framework of a session-oriented authentication system. If you're new to Perl, though, it might be a bit confusing.

Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
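The sign-up / login / cookie-check flow Curtis describes, as an added example that is not code from either poster. It assumes SHA-256 via the core Digest::SHA module as the digest function (the thread's own function is not shown), a hypothetical server-side secret in place of $rand, and a hash as a constructed stand-in for the database; the username is mixed into the digest and the comparison is constant-time, both additions beyond what the thread states.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module; the thread's digest could be MD5 instead
# Hypothetical server-side secret standing in for the thread's $rand;
# a real deployment would read it from a file outside the web root.
my $SECRET = 'constructed-example-secret';

# The single digest function every script shares, so sign-up, login
# and cookie checks can never drift apart (put it in a module).
sub create_digest_from_password {
    my ($username, $password) = @_;
    # Binding the username in means equal passwords give different digests
    # and a digest lifted from one account's cookie is useless for another.
    return sha256_hex(join("\0", $SECRET, $username, $password));
}
# Constant-time comparison: response time must not reveal how many
# leading characters of a guessed digest were right.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}
my %users;   # constructed stand-in for the database: username => digest, never the password
sub sign_up {
    my ($username, $password) = @_;
    $users{$username} = create_digest_from_password($username, $password);
}

# Login: recompute with the *same* function and compare to the stored digest.
sub login {
    my ($username, $password) = @_;
    return undef unless exists $users{$username};
    my $digest = create_digest_from_password($username, $password);
    return digests_equal($digest, $users{$username}) ? $digest : undef;
}

# Later requests: compare the cookie value to the stored digest, no recompute needed.
sub verify_cookie {
    my ($username, $cookie_digest) = @_;
    return exists $users{$username} && digests_equal($cookie_digest, $users{$username});
}

sign_up('ryan', 'correct horse');
my $cookie = login('ryan', 'correct horse'); die "login failed\n" unless defined $cookie;
print verify_cookie('ryan', $cookie)    ? "cookie ok\n" : "cookie rejected\n";
print verify_cookie('ryan', 'tampered') ? "cookie ok\n" : "cookie rejected\n";
```

Because the cookie carries the stored digest itself, whoever reads the cookie holds a credential that stays valid until the password changes; a random session identifier mapped to the user server-side, with an expiry, is the usual alternative.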