Penetration Testing mailing list archives

Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad


From: Thomas Reinke <reinke () E-SOFTINC COM>
Date: Tue, 19 Dec 2000 12:41:32 -0500

"Ruso, Anthony" wrote:

Hi All,

What are common methods used in decrypting/encrypting cookies? Would
many of you trust the use of cookies to store, let's say, passwords and
personal information? I'm trying to extract passwords from a client's website
through the use of cookies. They used to store website passwords in clear
text. I managed to convince them to encrypt them, but how can I test their
encryption choice and methods? My cryptanalysis experience is very basic.
Any feedback would be greatly appreciated.

One of the best solutions is to generate a session ID for each
unique visitor. This maps on the server side to data you keep
for the session.  This provides for protection of sensitive
data, by keeping it on the server, and never actually sending
it over the web.  To prevent the guessing of the session ID by
someone else, a good scheme is to send a second bit of either
random data or hash on known data along with the session id.
By validating both the session ID and this random/hash data
against what is on the server, you prevent the "guessing"
of the session by unauthorized users that would brute force
their way into a valid session ID.

The above is potentially overkill. Security is really dependent
on the sensitivity of what you are trying to secure.  Is it
inappropriate to send userids and passwords in cookies? Depends -
are you for example simply restricting access to something
like a news service where there is no customer data? Then perhaps
your solution is to simply use HTTP ACL. Or to use a DES
encryption of the userid/password into the cookie, which can
then be decrypted thereafter.

I'd advocate something along the first line if you are doing
anything with financial data or personal information.  The second
solution is more appropriate if you simply want to restrict
access, but where a breach doesn't really hurt any.

FWIW, Cheers, Thomas


Thanks

--
------------------------------------------------------------
Thomas Reinke                            Tel: (905) 331-2260
Director of Technology                   Fax: (905) 331-2504
E-Soft Inc.                         http://www.e-softinc.com
Publishers of SecuritySpace     http://www.securityspace.com
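The server-side session scheme Thomas describes above (a random session ID, a second token derived from it, both validated against server-held data, with the sensitive data itself never leaving the server) as a small worked example. This is added code, not from the original post or from E-Soft; it assumes an in-memory dictionary as a stand-in for the server's session database, uses an HMAC over the session ID with a server secret as the "hash on known data" second token, and packs both values into one cookie as `sid.token`.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class SessionStore:
    """Server-side session table: the cookie carries only an opaque
    session ID plus a second token; user data stays on the server."""

    def __init__(self, secret: bytes) -> None:
        # Constructed for this example: a per-server secret that lets the
        # server recompute the second token without storing it.
        self._secret = secret
        self._sessions: dict[str, dict] = {}  # stand-in for a database

    def _token_for(self, sid: str) -> str:
        # "Hash on known data": HMAC of the session ID under the server secret.
        # A guessed session ID is useless without a matching token.
        return hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()

    def create(self, data: dict) -> tuple[str, str]:
        # 192 bits of CSPRNG output: infeasible to brute force by itself,
        # and the second token raises the bar further.
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = dict(data)
        return sid, self._token_for(sid)

    def validate(self, sid: str, token: str) -> Optional[dict]:
        """Return the session data only if BOTH values check out."""
        if sid not in self._sessions:
            return None
        if not isinstance(token, str) or not token.isascii():
            return None
        # Constant-time comparison so the check does not leak how many
        # leading characters of the token were right.
        if not hmac.compare_digest(self._token_for(sid), token):
            return None
        return self._sessions[sid]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def make_cookie(sid: str, token: str) -> str:
    """Build the Set-Cookie value; attributes are a defender's defaults."""
    return f"session={sid}.{token}; Secure; HttpOnly; SameSite=Lax"


def parse_cookie(cookie_value: str) -> Optional[tuple[str, str]]:
    """Recover (sid, token) from the 'session=sid.token' part of a cookie."""
    for part in cookie_value.split(";"):
        part = part.strip()
        if part.startswith("session="):
            value = part[len("session="):]
            if value.count(".") != 1:
                return None
            sid, token = value.split(".")
            return (sid, token) if sid and token else None
    return None


def demo() -> bool:
    """Round trip: login -> cookie -> validate; then two guessing attempts."""
    store = SessionStore(secrets.token_bytes(32))  # constructed secret
    sid, tok = store.create({"user": "alice", "role": "customer"})
    cookie = make_cookie(sid, tok)

    parsed = parse_cookie(cookie)
    assert parsed is not None
    ok = store.validate(*parsed) == {"user": "alice", "role": "customer"}

    # Attacker guesses a session ID but not the token: rejected.
    guessed_sid_only = store.validate(sid, "0" * 64) is None
    # Attacker replays a valid token with another session ID: rejected.
    wrong_sid = store.validate(secrets.token_urlsafe(24), tok) is None

    store.destroy(sid)
    logged_out = store.validate(sid, tok) is None
    return ok and guessed_sid_only and wrong_sid and logged_out


if __name__ == "__main__":
    print("session scheme behaves as expected:", demo())
```

The point of the second token is visible in `validate`: knowing or guessing a session ID alone does not yield a session, and the password never appears in the cookie at all, which is what makes this the stronger of the two approaches in the reply.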
