Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re^2: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)

by smullis (Pilgrim)
on Nov 05, 2004 at 17:58 UTC ( #405565=note: print w/ replies, xml ) Need Help??


in reply to Re: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)
in thread [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)

This is certainly a fair comment...

As far as I understand MD5 (or SHA1) are simply one-way functions with no key involved. I would like to use something that ensures the validity of the source of the cookie data - and digital signing with a private key would seem - to me at least - to be the way forward. I have not yet put any thought into what asymmetric enryption scheme to use... 3DES v. AES etc.

To resummarise / clarify the requirements:

    Certain key / value pairs need to be passed from a Windows based frontend web app to a mod_perl based app.
    Such as:
      Authentication status
      Target id
      .... plus a bunch of other values
    The mod_perl app has no access to the core source data used by the frontend app.
    I don't really care if a man-in-the-middle can read the cookie values, but I do absolutely care that only the web frontend app thingummyjob gets the relevant dynamic content in response...

Apologies if I am still not making myself clear!!

Cheers

SM


Comment on Re^2: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)
Re^3: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)
by hardburn (Abbot) on Nov 05, 2004 at 18:46 UTC

    It sounds like you've got the right idea, but you might want to read up a little more on cryptography. AES and DES are not asymetric algorithms. I suggest reading Applied Cryptography by Bruce Schneier. Or maybe Practical Cryptography by the same author, but I haven't looked at that one yet.

    "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

      Ooops.... typo alert... I meant RSA (I've been looking at Crypt::RSA) and it's probably time to go home....

      While I don't claim to be anywhere near an expert I do know the difference.

      Honestly!1

      Cheers

      SM





      1No, really. I promise...2





      2Ahem...
Re^3: [OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)
by waswas-fng (Curate) on Nov 05, 2004 at 20:51 UTC
    Mod_perl side: use MD5; $date = get_todays_shortdate(); # 11/05/2004 $Private_secret = "This is my private server password" $data = "this is my signed data." $digest = MD5->hash("$date:$Private_secret:$data");
    Send the digest and the data over to the other server and it knows the Private_secret and can verify that the data has been signed by constructing the same string calling md5->hash on it and comparing the two digests... If the hacker does not know the private_secret or the layout of the digest string then they cant forge the $data sig.


    -Waswas

      Aha!

      Great idea...


      Cheers

      SM

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://405565]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (6)
As of 2014-12-28 12:47 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (181 votes), past polls