Re: Referer (was Patches for wwwboard.pl)

From: David Schwartz (davidsat_private)
Date: Mon Oct 12 1998 - 14:48:19 PDT


    You should also be including a timestamp and an originator IP in the hash
    function. Otherwise you are vulnerable to interception and replay attacks.
    If you're going to do it, you might as well do it right.

    DS
    
    > Even though I wrote this, it turns out that this isn't the best way to
    > compute a message authentication code (MAC).  A more secure technique
    > is this:
    >
    >  $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))
    >
    > I explain the problems with the original scheme in the October issue
    > of Web Techniques.
    >
    > Lincoln
    >
    > --
    > ========================================================================
    > Lincoln D. Stein                           Cold Spring Harbor Laboratory
    > lsteinat_private                                   Cold Spring Harbor, NY
    > ========================================================================
    >
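
Added example, not part of the original messages: a Perl sketch of the nested-MD5 construction quoted above with the timestamp and originator IP from the reply folded into the hashed data, so a captured value fails when replayed later or from another address. The function names, the "|" separator, the "timestamp:mac" token layout and all sample values are assumptions; Digest::MD5's md5_hex is used in place of the MD5->hexhash call on the page.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Nested construction from the quoted message: H(secret . H(secret . data)).
# Assumption: fields are joined with "|" and never contain it, so two
# different field lists cannot serialise to the same string.
sub mac {
    my ($secret, @fields) = @_;
    return md5_hex($secret . md5_hex(join('|', $secret, @fields)));
}

# Token is "timestamp:mac"; the MAC covers timestamp, client IP and form fields.
sub make_token {
    my ($secret, $ip, $now, @fields) = @_;
    return "$now:" . mac($secret, $now, $ip, @fields);
}

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Accept only a well-formed, unexpired token whose MAC matches this client's IP.
sub check_token {
    my ($secret, $ip, $now, $max_age, $token, @fields) = @_;
    my ($ts, $sent) = $token =~ /\A(\d+):([0-9a-f]{32})\z/ or return 0;
    return 0 if $ts > $now || $now - $ts > $max_age;    # future-dated or stale
    return same_string($sent, mac($secret, $ts, $ip, @fields));
}

# Constructed sample values (documentation IP ranges, made-up secret and fields).
my $secret = 'example-secret-not-for-production';
my @fields = ('board=general', 'followup=42');
my $t0     = 908_228_899;
my $token  = make_token($secret, '192.0.2.10', $t0, @fields);

printf "fresh, same IP:   %d\n", check_token($secret, '192.0.2.10',   $t0 + 60,   900, $token, @fields);
printf "replay, other IP: %d\n", check_token($secret, '198.51.100.7', $t0 + 60,   900, $token, @fields);
printf "replay, too late: %d\n", check_token($secret, '192.0.2.10',   $t0 + 3600, 900, $token, @fields);
printf "edited field:     %d\n", check_token($secret, '192.0.2.10',   $t0 + 60,   900, $token, 'board=general', 'followup=43');
```

The server takes the IP from the connection and the time from its own clock when checking, never from the submitted form, since only the timestamp inside the token is covered by the MAC.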
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:28 PDT