http://www.perlmonks.org?node_id=296899


in reply to Re: Re: Re: Re: Ecrypting passwords
in thread Ecrypting passwords

Good description of Digest encryption from what I remember about it. I'd just like to add a slight addition though.

If I remember correctly from what I read in Applied Cryptography (my copy is currently on loan, alas), if required, a nonce can be strengthened by adding an accurate timestamp, request counter, or other non-repeating series.

By using Digest::MD5::md5_hex("$user:$realm:$password:$series_id") as the nonce, and keeping track of 'used' nonces and rejecting them, it stops the man-in-the-middle even being able to use replay attacks to see those pages that just flew past them.

After all, would you really want someone to replay your entire session for shutting down your database server when they so choose?
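
The server-side replay check described in the post above, as an added example that is not part of the original post or thread. It assumes a request counter as `$series_id`, in-memory hashes for issued and used nonces, a 300-second freshness window, a simplified response digest rather than the HTTP Digest formula, and constructed sample credentials.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed sample data; the realm, user and secret are assumptions.
my %password = (alice => 'constructed-sample-secret');
my $realm    = 'example-realm';
my $max_age  = 300;   # assumed policy: seconds a nonce stays valid
my $series_id = 0;    # non-repeating request counter
my (%issued, %used);  # nonce => issue time; nonce => 1 once presented

# Nonce in the form given in the post, with the counter as $series_id.
sub issue_nonce {
    my ($user, $now) = @_;
    my $nonce = md5_hex(join ':', $user, $realm, $password{$user}, ++$series_id);
    $issued{$nonce} = $now;
    return $nonce;
}

# Simplified response digest (an assumption, not the HTTP Digest formula).
sub response_for {
    my ($user, $pass, $nonce, $request) = @_;
    return md5_hex(join ':', $user, $pass, $nonce, $request);
}

# Each nonce is accepted at most once: it is burned as soon as it is presented.
sub verify {
    my ($user, $nonce, $request, $response, $now) = @_;
    return 'rejected: unknown user'   unless exists $password{$user};
    return 'rejected: replayed nonce' if $used{$nonce};
    my $t = delete $issued{$nonce};
    return 'rejected: unknown nonce'  unless defined $t;
    $used{$nonce} = 1;   # a real server would expire old entries
    return 'rejected: stale nonce'    if $now - $t > $max_age;
    my $expected = response_for($user, $password{$user}, $nonce, $request);
    return $response eq $expected ? 'accepted' : 'rejected: bad response';
}

my $now   = time;
my $req   = 'POST /admin/shutdown';   # constructed request
my $nonce = issue_nonce('alice', $now);
my $resp  = response_for('alice', $password{alice}, $nonce, $req);
print 'first use: ', verify('alice', $nonce, $req, $resp, $now + 1), "\n";
print 'replay:    ', verify('alice', $nonce, $req, $resp, $now + 2), "\n";
my $old  = issue_nonce('alice', $now);
my $late = response_for('alice', $password{alice}, $old, $req);
print 'stale:     ', verify('alice', $old, $req, $late, $now + $max_age + 1), "\n";
print 'never issued: ', verify('alice', md5_hex('constructed'), $req, $resp, $now), "\n";
```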

Re: Re: Re: Re: Re: Re: Ecrypting passwords
by tilly (Archbishop) on Oct 06, 2003 at 14:11 UTC
    That is what I meant by the phrase, "The vulnerability to things like replay attacks is controllable on the server side in how it produces and verifies what the nonce was."

    However it is good to make it clear how you avoid replays, and why you would want to.