in reply to [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)

I don't think there is enough information to provide any advice. I can tell you that MD5 should not be relied on (use SHA1 instead). I also don't see where 3DES comes into it, but if you're using that, you're probably better off with AES instead.

"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

Re^2: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)
by smullis (Pilgrim) on Nov 05, 2004 at 17:58 UTC

    This is certainly a fair comment...

    As far as I understand MD5 (or SHA1) are simply one-way functions with no key involved. I would like to use something that ensures the validity of the source of the cookie data - and digital signing with a private key would seem - to me at least - to be the way forward. I have not yet put any thought into what asymmetric encryption scheme to use... 3DES v. AES etc.

    To resummarise / clarify the requirements:

      Certain key / value pairs need to be passed from a Windows based frontend web app to a mod_perl based app.
      Such as:
        Authentication status
        Target id
        .... plus a bunch of other values
      The mod_perl app has no access to the core source data used by the frontend app.
      I don't really care if a man-in-the-middle can read the cookie values, but I do absolutely care that only the web frontend app thingummyjob gets the relevant dynamic content in response...

    Apologies if I am still not making myself clear!!

    Cheers

    SM

      Mod_perl side:

          use MD5;

          $date = get_todays_shortdate();   # 11/05/2004
          $Private_secret = "This is my private server password";
          $data = "this is my signed data.";
          # The digest covers the date, the shared secret and the data
          $digest = MD5->hash("$date:$Private_secret:$data");

      Send the digest and the data over to the other server and it knows the Private_secret and can verify that the data has been signed by constructing the same string, calling md5->hash on it and comparing the two digests... If the hacker does not know the private_secret or the layout of the digest string then they can't forge the $data sig.


      -Waswas
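
The sign-and-verify round trip described in the post above, written out as an added example (not code from the thread). It uses HMAC-SHA256 from Digest::SHA, the standard keyed-hash construction, in place of the bare MD5 hash; the secret, the `date|data|mac` cookie layout and the helper names are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use POSIX qw(strftime);

# Constructed sample secret; both servers must hold the same value.
my $SECRET = 'constructed-example-shared-secret';

# Hypothetical stand-in for get_todays_shortdate() from the post (UTC).
sub short_date {
    my ($when) = @_;
    return strftime('%m/%d/%Y', gmtime(defined $when ? $when : time));
}

# Sending side: build the cookie value "date|data|mac".
sub sign_cookie {
    my ($data, $when) = @_;
    my $date = short_date($when);
    return join '|', $date, $data, hmac_sha256_hex("$date:$data", $SECRET);
}

# Comparison whose running time does not depend on where the strings differ.
sub equal_ct {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Receiving side: return the data if the MAC matches and the date is today, else undef.
sub verify_cookie {
    my ($cookie, $now) = @_;
    my ($date, $data, $mac) =
        $cookie =~ /\A(\d\d\/\d\d\/\d{4})\|(.*)\|([0-9a-f]{64})\z/s or return;
    return unless equal_ct($mac, hmac_sha256_hex("$date:$data", $SECRET));
    return unless $date eq short_date($now);
    return $data;
}

my $cookie = sign_cookie('auth=1;target=42');       # constructed key/value pairs
(my $altered = $cookie) =~ s/target=42/target=99/;  # data changed, old MAC kept

print 'valid:   ', verify_cookie($cookie) // 'rejected', "\n";
print 'altered: ', verify_cookie($altered) // 'rejected', "\n";
print 'stale:   ', verify_cookie($cookie, time + 2 * 86400) // 'rejected', "\n";
```

Including the date in the MAC input is what limits how long a captured cookie stays acceptable; a cookie signed just before midnight UTC fails verification just after it.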

        Aha!

        Great idea...


        Cheers

        SM

      It sounds like you've got the right idea, but you might want to read up a little more on cryptography. AES and DES are not asymmetric algorithms. I suggest reading Applied Cryptography by Bruce Schneier. Or maybe Practical Cryptography by the same author, but I haven't looked at that one yet.

      "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

        Ooops.... typo alert... I meant RSA (I've been looking at Crypt::RSA) and it's probably time to go home....

        While I don't claim to be anywhere near an expert I do know the difference.

        Honestly!¹

        Cheers

        SM

        ¹ No, really. I promise...²

        ² Ahem...