Re: Encrypted URL

["B. Johannessen" <bob () h db org>]

lupin wrote:
> I've seen a couple highly secure Web Application that use encrypted url.
> Actually they encrypt the parameter query string.
> Example URL:
>
> http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c6....
>
> I think this is a great way to protect against parameter tampering attacks.
> Does anybody know more about this technique? Papers etc..? 
> How to implement it? Google didn't help me a lot?

If all you're looking for is protection against query string/
post data "tampering" just signing it should be enough. A really
simple example in PHP (untested):

------------------------------------------------------------
<?php
        $secret = 'known-only-to-your-server';
        $value = 'tamper-proof-value';
        $sign = md5($secret . $value . $secret);
?>
<input type="hidden" name="value" value="<?=$value?>">
<input type="hidden" name="sign" value="<?=$sign?>">
------------------------------------------------------------

Then when you receive the data, just reverse the procedure:

------------------------------------------------------------
<?php
        $secret = 'known-only-to-your-server';
        $value = $_REQUEST['value'];
        $sign = $_REQUEST['sign'];
        if($sign != md5($secret . $value . $secret)) {
                echo 'forget it!';
                exit;
        }
?>
------------------------------------------------------------

If I remember correctly, Sverre H. Huseby talks about techniques
like these in "Innocent Code" (ISBN: 0470857447). I would highly
recommended that book to anyone interested in webapp security.


        Bob

--
-=[ B. Johannessen | bob () db org -=- http://db.org/ | +4797152009 ]=-
-=[ Mail & Spam - News, Drafts & Standards - http://db.org/blog/ ]=-
-=[ On the Origin Of Spam: Spam Statistics - http://db.org/spam/ ]=-