in reply to Re: Base64 Encoded cookie is giving me headaches!
in thread Base64 Encoded cookie is giving me headaches!

Here is their web page (at least the part I can release)

Each cookie contains the following fields:

Issue Time Expire Time Issuer Userid IP Address ACIGROUP Location Other Data Signature
Issue Time
The time when the cookie was issued.
Expire Time
The time when the cookie will no longer be valid.
Issuer
The name of the issuer of the cookie.
Userid
The userid represented by the cookie.
IP Address
The IP address for which the cookie is valid.
ACIGROUP
The security group from PROFS for the user. This is useful to determine if the user is a dealer or supplier.
Location
The location code for suppliers. This is not useful inside the Company.
Other Data
Other fields may be defined in the future.
Signature
The RSA encrypted MD5 digest of the rest of the cookie.

Security of the System


The security of the system resides in the use of public key cryptography to digitally sign the cookie. The issuer of the cookie computes a special checksum of the cookie (using the RSA Data Security, Inc. MD5 Message-Digest Algorithm) and then encrypts this checksum with the issuer's private key. The issuer is the only holder of the private key.

The receiver looks up the issuer's public key, and decrypts the checksum. The receiver compares this checksum with one that it computes, and compares the two. If they are equal, then:

Web Single Logon's private keys are kept on a secured server. The public key is distributed with the Web Single Logon kit. A trust relationship is established with the issuer. When the cookie is validated, and has not expired, then the identity encoded in the cookie is trusted. This establishes the logon.


Password Validation


Centralizing the logon process allows a great flexibility in maintaining a central Web password database. The Web Single Logon Password Server currently uses the PROFS systems or X.500 for non-profs users to validate logons. This gives Web Single Logon secured servers access to a base of over 95,000 users.



What does this little button do . .<Click>; "USER HAS SIGNED OFF FOR THE DAY"

Replies are listed 'Best First'.
Re: Re: Re: Base64 Encoded cookie is giving me headaches!
by chipmunk (Parson) on Mar 17, 2001 at 02:19 UTC
    Okay, here's some pseudo-code which I think is the right way to use the last value in the null-separated string of values: 
    use Some_RSA_Module;
use Digest::MD5 qw/ md5 /;

# decode base64 as before, then:

my $encrypted = substr($cookie, -64);

substr($cookie, -65) = '';      # strip the null and the security fiel
+d

my $checksum = Some_RSA_Module::unencrypt($some_public_key, $encrypted
+);

my $new_checksum = md5($cookie);

if ($new_checksum eq $checksum) {
  print "Checksums match, cookie data is valid.\n";
} else {
  print "Checksums don't match, cookie data has been tampered with.\n"
+;

}

    [download]
    Obviously, I don't know how to do the actual decryption of the security field. :)

    The other question is how the md5 hash is being generated; they could be used md5_base64 or md5_hex instead of plain md5. The length of the decrypted checksum will tell you which...

    I used substr() to get the security field, instead of splitting on nulls, because I was cautioned in the CB that the security field might contain embedded nulls itself. :)

[reply]
[d/l]

In Section Seekers of Perl Wisdom