WebApp Sec mailing list archives
RE: Encrypted cookies
From: "Brokken, Allen P." <BrokkenA () missouri edu>
Date: Thu, 10 Jan 2008 15:02:01 -0600
Since the hash vector is username, password, and date it's fairly easy to do known plaintext+ciphtertext attacks against the cookie to learn what the actual algorithm is for creating the cookie. Once you've got that you should be able to do pretty much anything you want to crack the app itself. You mention a long story, so I won't go on about the dangers of developers rolling their own auth/crypto/session management rather than using something trusted. This clearly has layer 8 or 9 issues involved. An alternate approach might be to offload the authentication/generation of the cookie to a known good and security tested system like Shibboleth rather than rolling their own authentication/authorization. It does things similarly, but isn't relying on the developer to have figured out the best way to generate these things and keep them secure. Another alternative would be to consider basic authentication with SSL. It's not pretty, and has its own issues, but again isn't dependent on the end developer rolling all their own auth/crypto. Allen Brokken, Principal Systems Security Analyst Information Security and Account Management Division of Information Technology, University of Missouri brokkena () missouri edu (573)884-8708 -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ron Sent: Thursday, January 10, 2008 10:26 AM To: webappsec () securityfocus com Subject: Encrypted cookies Somebody here is developing a Web application that requires user logins, but that is unable to store session information on the server (don't ask me why, it's a long story). So here's what they propose: to take the username, hash of the password, and date the user logged in, encrypt them with a strong encryption algorithm, and store them in a cookie (along with a hash to ensure integrity). My question is, assuming a proper encryption algorithm/eky are chosen, can anybody think of a problem that this will create that sessions don't already have (namely, replay attacks)? I've thought about this for over a day, and I can't think of any obvious problems, but I could be missing something. Thanks! Ron ------------------------------------------------------------------------ - Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F ------------------------------------------------------------------------ - ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Encrypted cookies Ron (Jan 10)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)
- Re: Encrypted cookies Andy Steingruebl (Jan 11)
- Re: Encrypted cookies Andy Steingruebl (Jan 10)
- Re: Encrypted cookies Lucas Oman (Jan 10)
- RE: Encrypted cookies Brokken, Allen P. (Jan 10)
- Re: Encrypted cookies Orlin Gueorguiev (Jan 11)
- <Possible follow-ups>
- Re: Encrypted cookies Rico Secada (Jan 10)
- Fw: Re: Encrypted cookies Rico Secada (Jan 11)
- Re: Fw: Re: Encrypted cookies Ron (Jan 15)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)