Penetration Testing mailing list archives
Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad
From: "Fricke, Gregory D." <Gregory.Fricke () GLOBALINTEGRITY COM>
Date: Tue, 19 Dec 2000 10:05:52 -0500
I agree with Mark in that, if at all possible, sensitive information should not be stored with the client. Cookies, for applications that contain sensitive client information and transactions (on-line banking etc.), should only contain data that controls the state of the session. Additionally, appropriate security controls should be in place with the cookie, i.e. proper domain, expires at the end of session, marked secure etc. This limits the possible exposure of the data to attackers who might compromise the client's system.

I believe an ideal situation would be to have the information stored in a secured database controlled by the owner of the server/application. In this case no encryption is needed for the cookie. The user should receive a unique string (in the form of a cookie) upon authentication with the application. The string set in the cookie will act as the session tracking mechanism for the application, but will be set completely independent of the user who has just logged in. The string should then be stored in the database with the rest of the user's data. Subsequent requests, by the client, for his/her data should first verify that the cookie submitted by the client is the same that is registered with the server. When the user logs out, or times out, the string in the database should disappear, forcing the user to re-authenticate before accessing his/her data again.

It is important to note that the cookie should be a unique string that cannot be guessed, i.e. long randomly generated numbers. This will prevent other malicious users from hijacking the session.
Greg

-----Original Message-----
From: Mark Curphey [mailto:mark () CURPHEY COM]
Sent: Monday, December 18, 2000 21:54 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: IE Cookie Crypt-Analysis - Good or Bad

I guess there are several trains of thought but in general (and I'll guess in classical / traditional terms) I rarely believe you can store anything securely on a client that you don't (can't) control. The client is an untrusted environment by its very nature. If you've ever played with disassemblers, for instance, case in point. A good cryptographic implementation of course would (should) dispel this theory. I guess it is back to the old adage of how long does the secret need to remain secret, the concept of crypto periods etc.

Of course there will be better implementations of encrypted cookies than others. Are all cookies encrypted with the same key, for instance? That may open up the possibility of chosen clear text attacks (you know what your password was, you can get back an encrypted version) for example. You can't fit that much into 4096 bytes!

Out of interest, what do others use to encrypt cookies? A hash function would seem on the face of it a good contender, enabling you to get a fixed length out, but I can see situations where it would not do some things I may want to do with a cookie.

Thoughts?

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Ruso, Anthony
Sent: Monday, December 18, 2000 1:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad

Hi All,

What are common methods used in decrypting/encrypting cookies? Would many of you trust the use of cookies to store, let's say, passwords and personal information?

I'm trying to extract passwords from a client's website through the use of cookies. They used to store website passwords in clear text. I managed to convince them to encrypt them, but how can I test their encryption choice and methods?

My crypt-analysis experience is very basic. Any feedback would be greatly appreciated. Thanks
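The server-side session design Greg lays out above (random, user-independent string issued at login; stored with the user's record; verified on every request; removed on logout or timeout; cookie scoped to the domain, session-lifetime and marked Secure), as an added Python example that is not part of this thread or of any product it mentions. The in-memory `SESSIONS` dict is a stand-in for the database he describes, `IDLE_TIMEOUT` and the `bank.example` domain are assumed values, and the HttpOnly flag is a present-day addition the 2000 thread does not discuss.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Stand-in for the server-side database (assumption: a real deployment would
# persist this with the user's record). Key: the random session string;
# value: owning user and last-activity time for the idle timeout.
SESSIONS: dict = {}
IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, not from the thread


def login(user_id: str, now: float) -> str:
    """Issue a fresh session string after successful authentication.

    32 bytes from the OS CSPRNG (43 URL-safe characters), generated with no
    dependence on the user id, so nothing about the user makes it guessable
    and one user's token says nothing about another's."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user_id, "last_seen": now}
    return token


def build_set_cookie(token: str, domain: str) -> str:
    """Render the Set-Cookie value with the controls listed in the thread:
    scoped to the application's own domain and path, no Expires/Max-Age so it
    lives only for the browser session, Secure so it travels over TLS only.
    HttpOnly is added as a later-era default."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["domain"] = domain
    c["sid"]["path"] = "/"
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    return c.output(header="").strip()


def authenticate_request(cookie_header: str, now: float) -> Optional[str]:
    """Return the user id owning the submitted session, or None if the
    request must re-authenticate.

    The only check is whether the submitted string is registered server-side;
    the cookie carries no user data, so there is nothing client-side to
    decrypt or tamper with. A stale record is deleted on sight (the
    'times out' case)."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    rec = SESSIONS.get(c["sid"].value)
    if rec is None:
        return None  # unknown or already-revoked string
    if now - rec["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[c["sid"].value]  # timed out: force re-authentication
        return None
    rec["last_seen"] = now
    return rec["user"]


def logout(token: str) -> None:
    """Drop the server-side record; the client's copy of the string is now
    worthless even if it is still in the browser."""
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    # Constructed walk-through: login, authenticated request, logout.
    sid = login("alice", now=1000.0)
    print(build_set_cookie(sid, "bank.example"))
    print(authenticate_request("sid=" + sid, now=1100.0))   # alice
    logout(sid)
    print(authenticate_request("sid=" + sid, now=1101.0))   # None
```

Because the database record is the single source of truth, rotating a compromised session, enforcing a timeout or logging a user out everywhere is a delete on the server, with no cookie cryptography to get wrong; the only secret to protect is the randomness of the string itself.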
Current thread:
- [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ruso, Anthony (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Mark Curphey (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ryan Russell (Dec 19)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Thomas Reinke (Dec 19)
- <Possible follow-ups>
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Chris Keladis (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Fricke, Gregory D. (Dec 19)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ng, Kenneth (US) (Dec 19)