in reply to Re: Re: Using MD5 and the theory behind it
in thread Using MD5 and the theory behind it

Your method is not 'totally secure' because you have to store the nonce in a database. If you generate a SID from an MD5 digest based on user authentication information, this hash does not have to be stored. It can be generated when the cookie is inspected.

Also, if you run a large site with millions of users, your source of entropy can be depleted quickly, negating any security you would have gained.

Re: Re: Re: Re: Using MD5 and the theory behind it
by gildir (Pilgrim) on Jan 11, 2001 at 14:02 UTC
    That's really an academic debate. I should argue that your scheme depends on the security of the MD5 algorithm and therefore cannot be more secure than MD5. History shows that even cryptographic hashes have some problems, and if I recall correctly, some of the MD-series hashes did have problems.

    OTOH, my scheme depends only on the security of the server, and if an attacker can read data from the server's database, he will not look at the nonce, but directly at the target data stored there. Authentication is here not only for authentication itself, but for data protection, and there is no point making authentication stronger than the protection of the data itself.

    And if I have a large site, my entropy pool gets exhausted by the SSL subsystem in the first place, so I will need a HW crypto-card (RND-generator) anyway.
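
The two schemes compared in this thread, side by side, as an added example that is not code from either poster: a stateless SID whose digest is recomputed when the cookie is inspected, and a random nonce kept server-side. HMAC-SHA256 is swapped in for the bare MD5 digest discussed above; the server secret, the cookie layout, the sub names and the in-memory hash standing in for the database are all assumptions, and /dev/urandom assumes a Unix-like host.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed server-side secret (constructed value); the thread does not name one.
my $SERVER_SECRET = 'constructed-demo-secret';

# Scheme 1: stateless SID. Nothing is stored; the digest is recomputed
# whenever the cookie is inspected.
sub make_sid {
    my ($user, $expires) = @_;
    my $mac = hmac_sha256_hex("$user|$expires", $SERVER_SECRET);
    return "$user|$expires|$mac";
}

sub check_sid {
    my ($cookie, $now) = @_;
    my ($user, $expires, $mac) = split /\|/, $cookie, 3;
    return unless defined $mac && $expires =~ /^\d+$/;
    my $want = hmac_sha256_hex("$user|$expires", $SERVER_SECRET);
    return unless length($mac) == length($want);
    # Compare without an early exit so timing does not reveal a matching prefix.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($want) - 1;
    return if $diff || $expires < $now;
    return $user;
}

# Scheme 2: random nonce kept server-side. %session stands in for the database.
my %session;
sub make_nonce_sid {
    my ($user) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no entropy source: $!";
    read($fh, my $raw, 16) == 16 or die "short read from /dev/urandom";
    my $sid = unpack 'H*', $raw;
    $session{$sid} = $user;
    return $sid;
}
sub check_nonce_sid { return $session{ $_[0] } }

my $now = time;
my $sid = make_sid('alice', $now + 3600);    # constructed sample user
print "stateless ok:     ", check_sid($sid, $now) // 'rejected', "\n";
(my $forged = $sid) =~ s/^alice/admin/;      # tampered user field, old digest
print "stateless forged: ", check_sid($forged, $now) // 'rejected', "\n";
my $n = make_nonce_sid('alice');
print "nonce ok:         ", check_nonce_sid($n) // 'rejected', "\n";
print "nonce unknown:    ", check_nonce_sid('0' x 32) // 'rejected', "\n";
```

The stateless form needs no storage and draws no entropy per session, but it stands or falls with the digest and the secret; the nonce form needs a lookup and 16 random bytes per session, and its strength is that of the server holding the table.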