in reply to Cookies & Encryption

You can't "decrypt" the Digest::MD5 encryption. The strings produced are not necessarily unique, meaning that if someone comes across the encrypted data they cannot turn it back into the original. The best use for this is to encrypt the key to a unique user in a server side database, and check that the encrypted cookie matches the encrypted key on the server, then give the submitting user access to the associated info. merlyn goes through the whole technique very thoroughly (and with many precautions and tricks that I haven't given you) in his Web Technique column. Check out http://web.stonehenge.com/merlyn/WebTechniques/col32.html

Cheers,
Erik
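
The scheme described in the post above, sketched as an added example (not code from this thread or from merlyn's column): the cookie carries a random token, the server keeps only its digest, and a cookie that was edited or guessed matches no stored entry. Assumptions: an in-memory hash stands in for the database, /dev/urandom is available, all sub names are hypothetical, and SHA-256 from Digest::SHA is used where the thread uses Digest::MD5.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Stand-in for the server-side database table: digest of token => user name.
my %sessions;

# Draw 16 random bytes from the OS and hex-encode them (assumes /dev/urandom).
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read $fh, my $bytes, 16;
    close $fh;
    die "short read from urandom" unless defined $got && $got == 16;
    return unpack 'H*', $bytes;
}

# At login: store only the digest, hand the raw token back as the cookie value.
sub start_session {
    my ($user) = @_;
    my $token = new_token();
    $sessions{ sha256_hex($token) } = $user;
    return $token;
}

# On each request: hash the submitted cookie value and look the digest up.
# Returns the user name, or undef when nothing matches.
sub user_for_cookie {
    my ($cookie) = @_;
    return unless defined $cookie && $cookie =~ /\A[0-9a-f]{32}\z/;
    return $sessions{ sha256_hex($cookie) };
}

# Constructed sample sessions.
my $alice = start_session('alice');
my $bob   = start_session('bob');

# An edited cookie: change the last hex digit of alice's token.
( my $edited = $alice ) =~ s/(.)\z/ $1 eq '0' ? '1' : '0' /e;

# Valid tokens resolve to their user; the edited token and a bare
# user name sent as the cookie value do not.
for my $case ( [ alice => $alice ], [ bob => $bob ], [ edited => $edited ], [ username => 'bob' ] ) {
    my ( $label, $cookie ) = @$case;
    my $user = user_for_cookie($cookie);
    printf "%-8s => %s\n", $label, defined $user ? $user : 'rejected';
}
```

Because the token is random rather than derived from the user name, knowing another user's name gives no way to compute their cookie, and a copy of the digest table alone does not yield usable cookie values.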

Re: Re: Cookies & Encryption
by chiller (Scribe) on Apr 14, 2002 at 22:35 UTC
    So, if I understand you right, I should make a key using Digest::MD5, store it in a database, then insert this key into a cookie. Then check for its existence in a database? But then someone could edit their cookie and log in as any user?!

    I suppose if someone got that key out of the database it'd be bad. Is this about as secure as is typically necessary?

    Also it doesn't look like that article has much to do with encryption...

Re: Re: Cookies & Encryption
by Ryszard (Priest) on Apr 15, 2002 at 02:12 UTC
    The strings produced are not necessarily unique

    Erm, I think you may have MD5 mixed up with another algorithm.

    The whole point of one way hashes is to create a unique value that can be used to verify the original object.

      The whole point of one way hashes is to create a unique value that can be used to verify the original object.

      The whole point of one way hashes is to provide a function where it is impossible to determine the input given the output. While any given input will always have the exact same output every time, a one way hash does not guarantee that given all possible inputs there will be an equal number of outputs. Thus, the strings produced are not necessarily unique.

      For point of illustration, consider f(x) = 1. This is a one way hash. While not a very useful one, it does illustrate that not all values produced are unique.

        Point taken. I was however speaking from an application programmer POV, which in this context I think validates my original statement.

        I will go on to mention I'm not a technical wizard when it comes to math and crypto, and so your more technical definition is well received.