Penetration Testing mailing list archives

Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad


From: Mark Curphey <mark () CURPHEY COM>
Date: Mon, 18 Dec 2000 18:54:16 -0800

I guess there are several trains of thought but in general (and I'll guess
in classical / traditional terms) I rarely believe you can store anything
securely on a client that you don't (can't) control. The client is an
untrusted environment by its very nature. If you've ever played with
disassemblers, for instance, that's a case in point. A good cryptographic
implementation of course would (should) dispel this theory.

I guess it is back to the old adage of how long does the secret need to
remain secret, the concept of crypto periods etc. Of course there will be
better implementations of encrypted cookies than others. Are all cookies
encrypted with the same key, for instance? That may open up the possibility
of chosen clear-text attacks (you know what your password was, you can get
back an encrypted version), for example. You can't fit that much into 4096
bytes!

Out of interest, what do others use to encrypt cookies? A hash function
would seem on the face of it a good contender, enabling you to get a fixed
length out, but I can see situations where it would not do some things I may
want to do with a cookie. Thoughts?

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Ruso, Anthony
Sent: Monday, December 18, 2000 1:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad


Hi All,

        What are common methods used in decrypting/encrypting cookies? Would
many of you trust the use of cookies to store - let's say - passwords and
personal information? I'm trying to extract passwords from a client's website
through the use of cookies. They used to store website passwords in clear
text. I managed to convince them to encrypt them, but how can I test their
encryption choice and methods? My cryptanalysis experience is very basic.
Any feedback would be greatly appreciated.

Thanks

