Penetration Testing mailing list archives
Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad
From: Thomas Reinke <reinke () E-SOFTINC COM>
Date: Tue, 19 Dec 2000 12:41:32 -0500
"Ruso, Anthony" wrote:
Hi All,

What are common methods used in decrypting/encrypting cookies? Would many of you trust the use of cookies to store, let's say, passwords and personal information? I'm trying to extract passwords from a client's website through the use of cookies. They used to store website passwords in clear text. I managed to convince them to encrypt them, but how can I test their encryption choice and methods? My crypt-analysis experience is very basic. Any feedback would be greatly appreciated.
One of the best solutions is to generate a session ID for each unique visitor. This maps on the server side to data you keep for the session. This provides for protection of sensitive data by keeping it on the server and never actually sending it over the web.

To prevent the guessing of the session ID by someone else, a good scheme is to send a second bit of either random data or a hash on known data along with the session ID. By validating both the session ID and this random/hash data against what is on the server, you prevent the "guessing" of the session by unauthorized users who would brute-force their way into a valid session ID.

The above is potentially overkill. Security is really dependent on the sensitivity of what you are trying to secure. Is it inappropriate to send userids and passwords in cookies? Depends - are you, for example, simply restricting access to something like a news service where there is no customer data? Then perhaps your solution is to simply use an HTTP ACL. Or to use a DES encryption of the userid/password into the cookie, which can then be decrypted thereafter.

I'd advocate something along the first line if you are doing anything with financial data or personal information. The second solution is more appropriate if you simply want to restrict access, but where a breach doesn't really hurt any.

FWIW,

Cheers, Thomas
Thanks
--
------------------------------------------------------------
Thomas Reinke                        Tel: (905) 331-2260
Director of Technology               Fax: (905) 331-2504
E-Soft Inc.                          http://www.e-softinc.com
Publishers of SecuritySpace          http://www.securityspace.com
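The server-side session scheme Thomas describes (an opaque session ID mapped to data held on the server, plus a second token the server validates alongside it) as an added Python example; this is illustration code, not part of the original thread and not anything E-Soft shipped. The session ID comes from a CSPRNG, the second token is an HMAC of the session ID under a server-held key (the "hash on known data" variant), both are checked with a constant-time compare, and only the two opaque values ever reach the cookie. The `SessionStore` class, `cookie_header` and `parse_cookie` helpers, and the `SERVER_SECRET` value are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example: a real deployment loads this from protected
# configuration so that it survives restarts and is shared across workers.
SERVER_SECRET = secrets.token_bytes(32)


class SessionStore:
    """In-memory session table: the cookie carries only an opaque ID and an
    HMAC verifier; user data never leaves the server."""

    def __init__(self, secret, ttl_seconds=3600):
        self._secret = secret
        self._ttl = ttl_seconds
        self._sessions = {}  # session_id -> {"data": ..., "expires": ...}

    def _verifier(self, session_id):
        # Second token: keyed hash over the session ID. Without the server
        # key it cannot be computed for a guessed ID.
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def create(self, user_data, now=None):
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[session_id] = {"data": user_data, "expires": now + self._ttl}
        return session_id, self._verifier(session_id)

    def lookup(self, session_id, verifier, now=None):
        """Return the session's data only if the ID exists, has not expired,
        and the presented verifier matches; otherwise None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if now > entry["expires"]:
            del self._sessions[session_id]
            return None
        expected = self._verifier(session_id)
        # Constant-time comparison so timing does not leak how many
        # leading characters of the verifier were correct.
        if not hmac.compare_digest(verifier.encode(), expected.encode()):
            return None
        return entry["data"]

    def destroy(self, session_id):
        return self._sessions.pop(session_id, None) is not None


def cookie_header(session_id, verifier):
    """Set-Cookie value: both tokens are opaque, and the attributes keep the
    cookie off plaintext HTTP and out of reach of page scripts."""
    return (f"sid={session_id}; auth={verifier}; "
            "Path=/; Secure; HttpOnly; SameSite=Strict")


def parse_cookie(header):
    """Minimal parser for the name=value pairs of a Cookie header."""
    pairs = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs[name] = value
    return pairs


if __name__ == "__main__":
    store = SessionStore(SERVER_SECRET, ttl_seconds=3600)
    sid, auth = store.create({"user": "alice"})  # constructed user record
    cookie = cookie_header(sid, auth)
    presented = parse_cookie(cookie)
    print("valid lookup:", store.lookup(presented["sid"], presented["auth"]))
    print("forged verifier:", store.lookup(presented["sid"], "0" * 64))
```

The `now` parameter exists so expiry can be exercised deterministically; in a real handler it is simply omitted. Note that with a 256-bit random session ID the verifier is defence in depth rather than a necessity, which matches Thomas's own remark that the full scheme may be overkill for low-value data.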
Current thread:
- [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ruso, Anthony (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Mark Curphey (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ryan Russell (Dec 19)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Thomas Reinke (Dec 19)
- <Possible follow-ups>
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Chris Keladis (Dec 18)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Fricke, Gregory D. (Dec 19)
- Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad Ng, Kenneth (US) (Dec 19)