Curtis,
are you sure that sending the digest back to the client in cookie form is a
good idea?
I mean, if I were a hacker, could I not register and then retrieve the
digest - you then have the plain text and the cipher text. (admittedly you
would have to know that whats in your cookie is a digest rather than another
form of session id but stilll...)
I'm not sure how easy it is then discover which algorithm is used when you
have the plain & cipher but, seeing as MD5, is fairly popular - that might
be a good starting point for the hacker to mount an assault on discovering
the function.
joel
-----Original Message-----
From: Curtis Poe [mailto:[EMAIL PROTECTED]]
Sent: 08 August 2001 17:38
To: CGI Beginners
Subject: Re: Cookies and Security
--- Ryan Davis <[EMAIL PROTECTED]> wrote:
> First of all, thanks for the quick response. This application isn't in
use
> yet, so now is the time to make security changes
>
> A few questions/let me see if I'm following you:
>
> A user enters their password, I create the digest, and store the digest as
a
> cookie. This is secure since you can't recreate the digest without
knowing
> $rand.
>
> When they change pages (states in the script) the CGI reads the cookie,
and
> converts the digest to password, and verifies it?
>
> How is the conversion from digest to password done? I check my docs, and
it
> doesn't say anything about getting the message _out_ of digest form.
>
> Thanks,
> Ryan
Ryan,
It is mathematically improbable that you can convert from the digest to the
password. That is why
digests are often used to store passwords. If a cracker breaks into your
box and snags a list of
'digested' passwords, they can't recover the passwords. In short, you
*can't* get the message out
of digest form.
Here's how it works: you have a new user sign up and you issue them a user
name and password.
Then, you have your digest creation function that I gave you create a digest
from the password.
You save this digest in the database or flat file or whatever. You *never*
save the password.
Later, when they log in, you recreate a digest from the password using the
*exact* same digest
creation function. Then, you compare the computed digest with what's in the
database. If they
match, the user is good and you can send the digest in the cookie. Later,
when you retrieve the
cookie, you just compare its value to what's in the database (no need to
recompute).
The important thing to remember is that whenever a digest is created from a
password, the function
NEVER CHANGES. I would put the "create_digest_from_password" function in a
module so that all
scripts are guaranteed to access the same function.
If you're looking for a more sophisticated version of this, you can read
http://www.perlmonks.org/index.pl?node_id=101247. In this post, I was
asking about advice on a
security model I was developing. It's object-oriented Perl and some of it
may be confusing, but
if you read through it you can see the framework of a session-oriented
authentication system. If
you're new to Perl, though, it might be a bit confusing.
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
