WebApp Sec mailing list archives
Re: Using SSL private key for cookie's HMAC
From: Andrew Steingruebl <asteingruebl () cccis com>
Date: Fri, 3 Sep 2004 10:55:55 -0500
On Thu, Aug 26, 2004 at 11:42:36PM -0500, Simon Zuckerbraun wrote:
I'm pondering a design question regarding a web application that is to operate over SSL. We want to include an HMAC in our cookies to prevent tampering. To produce an HMAC, the server must be configured with a private key. Since the website operates with SSL, the server already *has* a private key available: the private key of its SSL certificate. Is there any harm in using this same private key for producing the HMACs as well?
You probably don't really want an HMAC. HMACs are useful when both sides of a conversation share a key and want to check the validity of a piece of data. What you probably really want is to one-way hash a cookie value with some other value known only to your server and then check the cookie returned by the user.

Best practices usually dictate using a key for one purpose only, so I wouldn't recommend reusing your private key for this purpose.

Is there actually data in the cookie, or is it just a session identifier? If it's just an identifier then you don't really need a signature on it. If it does contain data then signing it somehow probably can't be all bad. I think we'd need to see more of your requirements/design before we could give more advice.

--
Andy Steingruebl
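Andy's suggestion of hashing the cookie value together with a secret known only to the server, implemented with a dedicated key rather than the TLS private key, as an added example that is not part of the thread. It uses HMAC-SHA256 as the keyed one-way function; COOKIE_KEY, make_cookie and read_cookie are assumed names, and the cookie contents are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Dedicated secret used only for cookie integrity (generated here for the
# example; in practice generated once at deployment and kept out of source).
# Deliberately NOT the TLS private key: one key, one purpose.
COOKIE_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: bytes, key: bytes) -> bytes:
    # Keyed one-way function over the payload: only the server knows the key,
    # so a client cannot recompute a valid tag for altered data.
    return hmac.new(key, payload, hashlib.sha256).digest()


def _encode(data: dict) -> bytes:
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def make_cookie(data: dict, key: bytes = COOKIE_KEY) -> str:
    payload = _encode(data)
    return _b64(payload) + "." + _b64(_tag(payload, key))


def read_cookie(cookie: str, key: bytes = COOKIE_KEY):
    """Return the cookie's data dict, or None if it is malformed or tampered."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison so verification timing leaks nothing about the tag.
    if not hmac.compare_digest(tag, _tag(payload, key)):
        return None
    return json.loads(payload)


def tamper_demo():
    """Valid cookie round-trips; a payload swapped under the old tag is rejected."""
    cookie = make_cookie({"user": "alice", "role": "member"})
    _, tag_b64 = cookie.split(".", 1)
    forged = _b64(_encode({"user": "alice", "role": "admin"})) + "." + tag_b64
    return read_cookie(cookie), read_cookie(forged)
```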