Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: Re: Re: Re: Re: Ecrypting passwords

by Molt (Chaplain)
on Oct 06, 2003 at 10:42 UTC ( #296899=note: print w/ replies, xml ) Need Help??


in reply to Re: Re: Re: Re: Ecrypting passwords
in thread Ecrypting passwords

Good description of Digest encrytption from what I remember about it. I'd just like to add a slight addition though..

If I remember correctly from what I read in Applied Cryptography (My copy is currently on loan, alas) if required a nonce can be strengthened by adding an accurate timestamp, request counter, or other non-repeating series.

By using Digest::MD5::md5_hex("$user:$realm:$password:$series_id") as the nonce, and keeping track of 'used' nonces and rejecting them it stops the man-in-the-middle even being able to use replay attacks to see those pages that just flew past them.

After all, would you really want someone to replay your entire session for shutting down your database server when they so choose?


Comment on Re: Re: Re: Re: Re: Ecrypting passwords
Download Code
Re: Re: Re: Re: Re: Re: Ecrypting passwords
by tilly (Archbishop) on Oct 06, 2003 at 14:11 UTC
    That is what I meant by the phrase, The vulnerability to things like replay attacks is controllable on the server side in how it produces and verifies what the nonce was.

    However it is good to make it clear how you avoid replays, and why you would want to.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://296899]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (2)
As of 2014-07-13 00:49 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    When choosing user names for websites, I prefer to use:








    Results (243 votes), past polls