From: Kalyan Varma (kalyan_at_yahoo-inc.com)
Date: Thu Jul 11 2002 - 12:42:08 CDT
OK, I won't talk about the GET vs POST part here. That has already been
discussed.
Here's how you can send parameters without them getting messed with by people
in the middle.
1. Encryption: We could always use encryption. Encrypt on one end and
decrypt on the other end. But too many issues with that, and it could have performance
issues.
2. Hashing: Here's how you can use the good old md5 for the job.
Let's say you are sending key1=value1&key2=value2
Now just sign this using md5 (it's MD5(DATA+SECRET)). So basically do
something like this: sk=md5(value1+value2+secret)
now send sk along with rest of the data ->
key1=value1&key2=value2&sk=blah
On the other end, take the values, add the secret, md5 it and then
compare. That way no one can tamper with the parameters.
I hope I've answered your question. :)
thanks,
- kalyan
On Wed, 10 Jul 2002, Kevin Spett wrote:
> I'm unclear as to how hashing helps. If you're talking about taking the
> user input and hashing it and sending it just like that, it makes no sense
> because no one can read the hashed data unless they know what the data was
> in the first place. If you're talking about adding an unencrypted hash of
> the data (you say "encrypting or hashing") to the request to sign it in
> order to verify authenticity, it's ineffective because anyone can hash
> whatever information they want. In either case, signing the data does not
> protect against it being viewed, it merely ensures the identity of the
> sender. Finally, applications should assume that crackers /have/ messed
> with parameter values and use thorough data sanitization and even then
> client-supplied values need to be treated with caution.
>
>
> Kevin Spett
> SPI Dynamics, Inc.
> http://www.spidynamics.com/
>
> > You could basically pass parameters by encrypting or hashing the
> > parameters and then either sending them via the URL, or in form of
> > cookies.
> > This way the cracker can't mess with the variables.
> >
> > Hidden form variables etc only stop script kiddies :)
> >
> > - kalyan
>
>
>
>
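As an added example (not code from anyone in this thread), here is the signing scheme Kalyan describes, sk = md5(value1+value2+secret), in Python beside the form a practitioner would deploy today: an HMAC over a canonical encoding of the parameters, checked with a constant-time compare. The secret and the parameter values are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder; a real deployment loads the secret from configuration, not source.
SECRET = b"constructed-demo-secret"


def sign_naive(params, secret=SECRET):
    """The scheme from the post: md5 of the bare values concatenated, then the secret."""
    data = "".join(v for _, v in params).encode()
    return hashlib.md5(data + secret).hexdigest()


def sign_hmac(params, secret=SECRET):
    """Hardened variant: HMAC-SHA256 over a canonical, unambiguous encoding.

    Sorting and URL-encoding each key=value pair means two different parameter
    sets cannot produce the same signed bytes. Bare concatenation cannot tell
    value1='ab', value2='c' apart from value1='a', value2='bc'.
    """
    canonical = urlencode(sorted(params)).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def build_query(params, signer):
    """Client side: append sk to the query string, as in key1=value1&key2=value2&sk=..."""
    return urlencode(params) + "&sk=" + signer(params)


def verify_query(query, signer):
    """Server side: strip sk, recompute over the remaining parameters, compare in constant time."""
    pairs = parse_qsl(query, keep_blank_values=True)
    sent = [v for k, v in pairs if k == "sk"]
    params = [(k, v) for k, v in pairs if k != "sk"]
    if len(sent) != 1:          # missing or duplicated signature: reject
        return False
    return hmac.compare_digest(sent[0], signer(params))


if __name__ == "__main__":
    params = [("key1", "value1"), ("key2", "value2")]
    signed = build_query(params, sign_hmac)
    print(signed, verify_query(signed, sign_hmac))
    # A modified parameter no longer matches the recomputed sk.
    print(verify_query(signed.replace("value2", "value3"), sign_hmac))
    # The naive concatenation sees these two parameter sets as the same input.
    print(sign_naive([("key1", "ab"), ("key2", "c")]) == sign_naive([("key1", "a"), ("key2", "bc")]))
```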