I'm trying to implement the protocol used at http://www.cse.msu.edu/~alexliu/publ...kie/cookie.pdf to
create cookies that can't be forged. I got everything working, except
I have run into one problem:
I don't know how to get the session key used for the encryption. I'm
completely new to SSL and I just installed it on my server, and got it
all set up that it works using http://mydomain.com. So that said, to
my understanding, using public/private key encryption, the server and
client negotiate a key to encrypt data with from that point on, and
that this doesn't change for a client, but it unique for every client.
It seems like that cookie protocol requires that you get that session
key and store it in the cookie to verify that the cookie hasn't been
stolen.
I guess my question is really that I just want to make sure I am
understanding what they mean by session key properly, and how you
would get it. I figured I should have access to it since I am the
server.
-Dustin 3  7052 
On May 23, 9:37 pm, ast3...@gmail.c om wrote:
I'm trying to implement the protocol used athttp://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdfto
create cookies that can't be forged. I got everything working, except
I have run into one problem:
I don't know how to get the session key used for the encryption. I'm
completely new to SSL and I just installed it on my server, and got it
all set up that it works usinghttp://mydomain.com. So that said, to
my understanding, using public/private key encryption, the server and
client negotiate a key to encrypt data with from that point on, and
that this doesn't change for a client, but it unique for every client.
It seems like that cookie protocol requires that you get that session
key and store it in the cookie to verify that the cookie hasn't been
stolen.
I guess my question is really that I just want to make sure I am
understanding what they mean by session key properly, and how you
would get it. I figured I should have access to it since I am the
server.
-Dustin
it's not the SSL symmetric key, its the php session key, the PHPSESSID
I guess I don't really understand then. I was under the impression
that it was the symmetric key because of section 2.3 in the article.
------------QUOTE------------
Fu's cookie protocol is vulnerable to replay attacks, which could be
launched in the following two steps. The first step is to steal a
cookie that a server issued to another client. An attacker may have
several ways to steal a cookie from someone else. For example, if a
client stores a cookie in his hard disk, an attacker may steal it
using Tro jans, worms, or viruses. An attacker may steal a cookie by
launching a Denning-Sacco Attack [3]. In such an attack, an attacker
first collects a large number of messages that are encrypted by the
same SSL session key, and then obtains the SSL session key using
various methods. In the second step of a replay attack, the attacker
initiates an SSL connection with the server and replays a stolen
cookie that has not yet expired. Consequently, the server incorrectly
authenticates the attacker as the spoofed client, and allows the
attacker to access the spoofed client's account.
To counter replay attacks, we propose to add the SSL session key into
the keyed hash message authentication code of a cookie, i.e., to use
HMAC(username|e xpiration name|data|sessi on key, sk) as the keyed-hash
message authentication code of each cookie. Therefore, a cookie
becomes session specific. Even if an attacker steals a cookie, he
cannot successfully replay it since the session key is known only to a
legitimate client and the server that creates the cookie.
------------QUOTE------------
What I don't understand is how using the PHPSESSID would make it
anymore secure. You could still replay the cookies if you had physical
access to them, which I thought was what using the session key was
trying to prevent.
On May 24, 11:44 am, ast3...@gmail.c om wrote:
I guess I don't really understand then. I was under the impression
that it was the symmetric key because of section 2.3 in the article.
------------QUOTE------------
Fu's cookie protocol is vulnerable to replay attacks, which could be
launched in the following two steps. The first step is to steal a
cookie that a server issued to another client. An attacker may have
several ways to steal a cookie from someone else. For example, if a
client stores a cookie in his hard disk, an attacker may steal it
using Tro jans, worms, or viruses. An attacker may steal a cookie by
launching a Denning-Sacco Attack [3]. In such an attack, an attacker
first collects a large number of messages that are encrypted by the
same SSL session key, and then obtains the SSL session key using
various methods. In the second step of a replay attack, the attacker
initiates an SSL connection with the server and replays a stolen
cookie that has not yet expired. Consequently, the server incorrectly
authenticates the attacker as the spoofed client, and allows the
attacker to access the spoofed client's account.
To counter replay attacks, we propose to add the SSL session key into
the keyed hash message authentication code of a cookie, i.e., to use
HMAC(username|e xpiration name|data|sessi on key, sk) as the keyed-hash
message authentication code of each cookie. Therefore, a cookie
becomes session specific. Even if an attacker steals a cookie, he
cannot successfully replay it since the session key is known only to a
legitimate client and the server that creates the cookie.
------------QUOTE------------
What I don't understand is how using the PHPSESSID would make it
anymore secure. You could still replay the cookies if you had physical
access to them, which I thought was what using the session key was
trying to prevent.
no no you are right, sorry, I just read that, I will read the pdf
later
using this method would make it more secure, it begs the question why
include the session key rather than just a bit of it, and also how
does php get hold of this key as apache deals with the encryption of
the session, but as I say, Ill have to read it later, sorry to have
come back so quickly with a rubbish reply! This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: ojorus |
last post by:
Hello!
I want to make a login system as secure as possible on a website I develop.
* The user shall log on using a Username and a password (which is stored in
a mySQL database)
*The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into concideration
*The system should be secure even if the user do not click "log out" when he
is finished. (Users often just close the browser...
|
by: Matt Smith |
last post by:
Please oh please oh please can someone with some P3P knowledge help me out?
I'm aware that this isn't strictly an ASP or IIS issue but the SSL groups
listed on my news server appear abandoned and since I've been coming to
these groups I'm sure I've seen many people ask and answer SSL related
questions. So here goes:
I've recently had a shared SSL enabled for my site to use, but am having
enormous difficulty in incorporating it into my...
|
by: |
last post by:
Please help.
After a number of wrong turns and experiments I need advice on login
management system to secure our web pages without inconveniencing our
visitors or our internal staff.
What I need:
A system whereby the user only has to register ONCE and he will have
automatic entry to ANY page without havinto to RE-LOGIN even if he comes in
|
by: |
last post by:
Which of these scenarios is better:
A
--
User Registers and is returned to the login screen to test his new username
ie (email address). A login script checks user name against database.
and asigns him a cookie id with an expiration date 30 days in the future
from Date(Now). He is automaticaly redirected to his initial requested
target URL.
|
by: Ik Ben Het |
last post by:
Hello,
I posted a simular question in the "IIS Security" group but it think it
is more usefull to post it here.
I want to do something very simpel. Make a part of my website available
only for users with a username and password. The site is mainly ASP
based. The webserver is an IIS6 and I do NOT have access to server
settings (session timeout, security,...).
| | |
by: Goober |
last post by:
I have an application where we have a limited number of users and a set
requirement for web access. An app that I have inherited uses cookies to
set certain values (i.e. what would correspond to session variables in
regular ASP) that we use to run reports from a SQL database and display them
in a web browser.
In doing some testing, I noticed that the cookies would remain there for
previous used (if I signed into our app as user 1 and...
|
by: Cheung, Jeffrey Jing-Yen |
last post by:
I have a windows form application that generates a request, downloads an image, and waits the user
to enter in login info. Unfortunately, this image is dynamic and based on session data. I have
read documents on the CookieCollection property of HttpWebRequest. Currently, I have the
functionality in my code to be able to accept cookies, and return them upon a new HttpWebRequest;
however, upon further inspection of the returning...
|
by: Bruno |
last post by:
I have a feature that is hosted on a different domain from the primary one
in a frame, and need to retain values in a cookie.
example: A web page at one.com contains a frame which has a page hosted at
two.com
If I view the frameset from one.com in Firefox, all works well with the
content from two.com. But if trying to view this using IE (with standard
security settings), the cookie set by two.com is not accessible.
|
by: Will |
last post by:
Is there a good article - or maybe a good chapter in a book - that someone
can recommend on the topic of how to make cookie handling secure?
I'm interested in common techniques for:
- encrypting the cookie
- verifying integrity of the cookie
- organization of different cookie types, and typical entities maintained in
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
