Re: Encrypted URL

[Kenneth Peiruza <kenneth () security gft com>]

MD5 is a Hash-Resume algorithm, not a Cipher, so you can compare two
codings IOT see if the result is the same, but there's no way to reverse
it.

So this shouldn't be usable unless you store a relation table between
"$value" and its MD5 hash on the server.

Regards

On Fri, 2004-01-30 at 14:09, B. Johannessen wrote:
> lupin wrote:
> > I've seen a couple highly secure Web Application that use encrypted url.
> > Actually they encrypt the parameter query string.
> > Example URL:
> >
> > http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c6....
> >
> > I think this is a great way to protect against parameter tampering attacks.
> > Does anybody know more about this technique? Papers etc..? 
> > How to implement it? Google didn't help me a lot?
>
> If all you're looking for is protection against query string/
> post data "tampering" just signing it should be enough. A really
> simple example in PHP (untested):
>
> ------------------------------------------------------------
> <?php
>       $secret = 'known-only-to-your-server';
>       $value = 'tamper-proof-value';
>       $sign = md5($secret . $value . $secret);
> ?>
> <input type="hidden" name="value" value="<?=$value?>">
> <input type="hidden" name="sign" value="<?=$sign?>">
> ------------------------------------------------------------
>
> Then when you receive the data, just reverse the procedure:
>
> ------------------------------------------------------------
> <?php
>       $secret = 'known-only-to-your-server';
>       $value = $_REQUEST['value'];
>       $sign = $_REQUEST['sign'];
>       if($sign != md5($secret . $value . $secret)) {
>               echo 'forget it!';
>               exit;
>       }
> ?>
> ------------------------------------------------------------
>
> If I remember correctly, Sverre H. Huseby talks about techniques
> like these in "Innocent Code" (ISBN: 0470857447). I would highly
> recommended that book to anyone interested in webapp security.
>
>
>       Bob