Penetration Testing mailing list archives
Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad
From: Mark Curphey <mark () CURPHEY COM>
Date: Mon, 18 Dec 2000 18:54:16 -0800
I guess there are several trains of thought but in general (and I'll guess in classical / traditional terms) I rarely believe you can store anything securely on a client that you don't (can't) control. The client is an untrusted environment by its very nature. If you've ever played with disassemblers, for instance, case in point. A good cryptographic implementation of course would (should) dispel this theory. I guess it is back to the old adage of how long does the secret need to remain secret, the concept of crypto periods etc. Of course there will be better implementations of encrypted cookies than others. Are all cookies encrypted with the same key, for instance? That may open up the possibility of chosen-cleartext attacks (you know what your password was, you can get back an encrypted version), for example. You can't fit that much into 4096 bytes!

Out of interest, what do others use to encrypt cookies? A hash function would seem on the face of it a good contender, enabling you to get a fixed length out, but I can see situations where it would not do some things I may want to do with a cookie.

Thoughts?

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Ruso, Anthony
Sent: Monday, December 18, 2000 1:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad

Hi All,

What are common methods used in decrypting/encrypting cookies? Would many of you trust the use of cookies to store, let's say, passwords and personal information?

I'm trying to extract passwords from a client's website through the use of cookies. They used to store website passwords in clear text. I managed to convince them to encrypt them, but how can I test their encryption choice and methods? My crypt-analysis experience is very basic.

Any feedback would be greatly appreciated.

Thanks
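As an added example that is not part of this post or the thread, one defender-side answer to "what do others use": a cookie that holds no password at all, only a user id and an expiry (the crypto period the post mentions) bound by an HMAC under a key that stays on the server, placed next to the unkeyed hash the post floats. The key, user names and timestamps are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example key; in practice generated at random and held only on the server.
SERVER_KEY = b"example-server-key-do-not-reuse"


def make_cookie(user_id, ttl_seconds, key=SERVER_KEY, now=None):
    """Build "user_id|expiry|mac". The cookie carries no secret, only a claim the server can check."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl_seconds}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie, key=SERVER_KEY, now=None):
    """Return the user id if the MAC matches and the cookie has not expired, else None."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_id, expiry, mac = parts
    expected = hmac.new(key, f"{user_id}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, mac):
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None  # crypto period is over: the cookie is no longer accepted
    return user_id


def unkeyed_cookie(user_id, expiry):
    """The plain-hash variant from the post: with no key involved, anyone can recompute
    this value, so it proves nothing about who issued it."""
    payload = f"{user_id}|{expiry}"
    return f"{payload}|{hashlib.sha256(payload.encode()).hexdigest()}"
```

The server never has to decrypt anything, so there is no key-reuse question across cookies of the kind the post raises, and the 4096-byte limit is not a concern for a short id, an integer and a 64-character MAC.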
Current thread:
- [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ruso, Anthony (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Mark Curphey (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ryan Russell (Dec 19)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Thomas Reinke (Dec 19)
- <Possible follow-ups>
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Chris Keladis (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Fricke, Gregory D. (Dec 19)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ng, Kenneth (US) (Dec 19)