smullis has asked for the wisdom of the Perl Monks concerning the following question:

You guys seem like you know your onions...

Can I ask for a quick sanity check on an idea?

Background -

I'm not convinced that this is safe from cookie poisoning (the values of some of the keys would be easy to guess). Also, I would like the mod_perl app to be flexible enough to react to any combination of values with which it is presented (i.e. for values that do not yet exist).

I am thinking that if the ASP system digitally signed the values in the cookie (using its private key) then the mod_perl app could be sure that they originated there and only there and act accordingly.

Is this a valid approach?

Many thanks in advance and apologies for the not-directly-perl-related nature of this post.


SM

  • Comment on [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)

Replies are listed 'Best First'.
Re: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)
by perrin (Chancellor) on Nov 05, 2004 at 18:28 UTC
    The way to prevent tampering with a cookie using MD5 is described well here, although you may wish to use SHA1 instead these days. It doesn't hide the contents of the cookie, but it makes it impossible for someone else who doesn't know the key to generate a valid hash signature for their own content.
[reply]
Re: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)
by hardburn (Abbot) on Nov 05, 2004 at 17:31 UTC

    I don't think there is enough information to provide any advice. I can tell you that MD5 should not be relied on (use SHA1 instead). I also don't see where 3DES comes into it, but if you're using that, you're probably better off with AES instead.

    "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

[reply]

      This is certainly a fair comment...

      As far as I understand MD5 (or SHA1) are simply one-way functions with no key involved. I would like to use something that ensures the validity of the source of the cookie data - and digital signing with a private key would seem - to me at least - to be the way forward. I have not yet put any thought into what asymmetric enryption scheme to use... 3DES v. AES etc.

      To resummarise / clarify the requirements:

        Certain key / value pairs need to be passed from a Windows based frontend web app to a mod_perl based app.
        Such as:
          Authentication status
          Target id
          .... plus a bunch of other values
        The mod_perl app has no access to the core source data used by the frontend app.
        I don't really care if a man-in-the-middle can read the cookie values, but I do absolutely care that only the web frontend app thingummyjob gets the relevant dynamic content in response...

      Apologies if I am still not making myself clear!!

      Cheers

      SM

[reply]
        
Mod_perl side:
use MD5;

$date = get_todays_shortdate();  # 11/05/2004
$Private_secret = "This is my private server password"
$data = "this is my signed data."

$digest = MD5->hash("$date:$Private_secret:$data");

        [download]
        Send the digest and the data over to the other server and it knows the Private_secret and can verify that the data has been signed by constructing the same string calling md5->hash on it and comparing the two digests... If the hacker does not know the private_secret or the layout of the digest string then they cant forge the $data sig.


        -Waswas
[reply]
[d/l]

        It sounds like you've got the right idea, but you might want to read up a little more on cryptography. AES and DES are not asymetric algorithms. I suggest reading Applied Cryptography by Bruce Schneier. Or maybe Practical Cryptography by the same author, but I haven't looked at that one yet.

        "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

[reply]

Back to Seekers of Perl Wisdom