WebApp Sec mailing list archives
Re: Question on input validation
From: Alex Russell <alex () netWindows org>
Date: Wed, 24 Sep 2003 11:56:36 -0500
On Wednesday 24 September 2003 08:48, Scovetta, Michael V wrote:
You can certainly and and receive a salted hash of the expected (static) data, but for user-defined input, you can't hash on the client side (the strength of the hash is the secret salt).
Just to disambiguate, I think there are 2 questions here: 1.) I want to avoid the expense of input validation for values I already know. Can I use a hash/MAC to do this? 2.) I want to present a token to a user which grants him/her access to a resource without having to specify/verify a path to the resource or recalculate access perms for each view of the resource. The answer to (1) is "yes", and there's no need to ever send the hash to the client or require the client to re-calculate said hash (implying a secret sharing scheme...ick). The reasons and advantages to this are easy to work out. As for (2), I think what Noah is looking for is a system known as "capabilities". Capabilities provide both authorization and namespace lookup based on a one-time authorization computation. Subsequent request for a resource just present the capability for the resource and if the capability is still valid (the resource's "name" hasn't changed), then other auth steps are skipped. Capabilities can take up very little space and are quite quick to compute. I'm not an expert on them, but there is some literature that helps explain them. The classic among these seems to be "The Confused Deputy": http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html You could try CiteSeer for more. Regards. -- Alex Russell alex () burstlib net BD10 7AFC 87F6 63F9 1691 83FA 9884 3A15 AFC9 61B7 alex () netWindows org F687 1964 1EF6 453E 9BD0 5148 A15D 1D43 AB92 9A46
Current thread:
- Question on input validation Noah Gray (Sep 24)
- <Possible follow-ups>
- RE: Question on input validation Scovetta, Michael V (Sep 24)
- Re: Question on input validation Alex Russell (Sep 24)