Referer (was Patches for wwwboard.pl)

From: Lincoln Stein (lsteinat_private)
Date: Fri Oct 09 1998 - 13:46:07 PDT


Michael Blythe writes:
 > In September's 'Web Techniques', Lincoln Stein discusses the problem of
 > using the referer header as an authentication method for CGI scripts. He
 > suggests using MD5 to check whether a form's fields have been tampered
 > with. I'm not sure if this would work with the wwwboard, because of the way
 > the script is passing info in hidden fields, but it will work in other
 > applications:
 >  [...]
 > * in perl, the MD5 hash can be computed as follows:
 > $hash = MD5->hexhash(MD5->hexhash($secret) . "@untamperable @consistency");
    
Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC).  A more secure technique
is this:

 $hash = MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"));
    
I explain the problems with the original scheme in the October issue
of Web Techniques.

Lincoln

--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lsteinat_private                                   Cold Spring Harbor, NY
========================================================================
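The two constructions above, written out as a worked example so the structural difference is visible. This is added code, not code from the post or from wwwboard: it uses Python's hashlib MD5 in place of the Perl MD5->hexhash calls, assumes (as the post does not say) that @untamperable and @consistency hold the hidden-field values the server wants to protect, and adds the verification step a CGI script would run on the submitted form, using a constant-time comparison. In the original scheme the secret appears only as a fixed prefix of the outer hash; in the nested scheme both the inner and the outer hash are keyed with the secret, which is the property that makes it a better MAC. For new code today the same job is done by hmac.new(secret, message, hashlib.sha256); the MD5 form is kept here only to match the post.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    """Hex digest of MD5, matching Perl's MD5->hexhash."""
    return hashlib.md5(data).hexdigest()


def fields_string(secret: bytes, untamperable: list, consistency: list) -> bytes:
    """Mirror the Perl interpolation "$secret @untamperable @consistency":
    each list joined by single spaces, the three parts separated by spaces."""
    return b" ".join(
        [secret, " ".join(untamperable).encode(), " ".join(consistency).encode()]
    )


def original_mac(secret: bytes, untamperable: list, consistency: list) -> str:
    """The September scheme the post retracts:
    H( H(secret) . "untamperable consistency" ) -- secret only as a prefix."""
    body = (" ".join(untamperable) + " " + " ".join(consistency)).encode()
    return md5_hex(md5_hex(secret).encode() + body)


def nested_mac(secret: bytes, untamperable: list, consistency: list) -> str:
    """The scheme the post recommends:
    H( secret . H("secret untamperable consistency") ) -- both hashes keyed."""
    inner = md5_hex(fields_string(secret, untamperable, consistency))
    return md5_hex(secret + inner.encode())


def verify_form(secret: bytes, fields: dict, protected: list,
                consistency_names: list, submitted_tag: str) -> bool:
    """Recompute the tag from the submitted hidden fields and compare it in
    constant time, so a tampered value (or a guessed tag) is rejected without
    leaking which byte of the comparison failed."""
    expected = nested_mac(
        secret,
        [fields.get(name, "") for name in protected],
        [fields.get(name, "") for name in consistency_names],
    )
    return hmac.compare_digest(expected, submitted_tag)


if __name__ == "__main__":
    # Constructed sample: a server-side secret and one wwwboard-style form.
    secret = b"server-side-secret-not-in-the-form"
    form = {"message_id": "42", "followup": "0", "subject": "Hello"}
    tag = nested_mac(secret, [form["message_id"], form["followup"]], [form["subject"]])
    print("tag embedded in hidden field:", tag)
    print("untouched form verifies:",
          verify_form(secret, form, ["message_id", "followup"], ["subject"], tag))
    tampered = dict(form, message_id="43")
    print("edited hidden field verifies:",
          verify_form(secret, tampered, ["message_id", "followup"], ["subject"], tag))
```

One practical point the space-joined string hides: values that themselves contain spaces make the encoding ambiguous (["a b", "c"] and ["a", "b c"] produce the same string), so a real form should length-prefix or otherwise delimit each field before hashing, whichever MAC construction is used.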
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:15 PDT