Re^2: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)

This is certainly a fair comment...

As far as I understand MD5 (or SHA1) are simply one-way functions with no key involved. I would like to use something that ensures the validity of the source of the cookie data - and digital signing with a private key would seem - to me at least - to be the way forward. I have not yet put any thought into what asymmetric enryption scheme to use... 3DES v. AES etc.

To resummarise / clarify the requirements:

Authentication status

Target id

.... plus a bunch of other values

The mod_perl app has no access to the core source data used by the frontend app.

I don't really care if a man-in-the-middle can read the cookie values, but I do absolutely care that only the web frontend app thingummyjob gets the relevant dynamic content in response...

Apologies if I am still not making myself clear!!

Cheers

Comment on Re^2: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)

Replies are listed 'Best First'.
Re^3: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals) by waswas-fng (Curate) on Nov 05, 2004 at 20:51 UTC
`Mod_perl side: use MD5; $date = get_todays_shortdate(); # 11/05/2004 $Private_secret = "This is my private server password" $data = "this is my signed data." $digest = MD5->hash("$date:$Private_secret:$data");` [download] Send the digest and the data over to the other server and it knows the Private_secret and can verify that the data has been signed by constructing the same string calling md5->hash on it and comparing the two digests... If the hacker does not know the private_secret or the layout of the digest string then they cant forge the $data sig. -Waswas	[reply] [d/l]
Re^4: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals) by smullis (Pilgrim) on Nov 05, 2004 at 20:58 UTC
Aha! Great idea... Cheers SM	[reply]
Re^3: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals) by hardburn (Abbot) on Nov 05, 2004 at 18:46 UTC
It sounds like you've got the right idea, but you might want to read up a little more on cryptography. AES and DES are not asymetric algorithms. I suggest reading Applied Cryptography by Bruce Schneier. Or maybe Practical Cryptography by the same author, but I haven't looked at that one yet. "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.	[reply]
Re^4: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals) by smullis (Pilgrim) on Nov 05, 2004 at 20:55 UTC
Ooops.... typo alert... I meant RSA (I've been looking at Crypt::RSA) and it's probably time to go home.... While I don't claim to be anywhere near an expert I do know the difference. Honestly!¹ Cheers SM ¹No, really. I promise...² ²Ahem...	[reply]