Re: Web Site Decrypting

From: DaveK (no.spam@my.mailbox.invalid)
Date: 02/12/03


From: "DaveK" <no.spam@my.mailbox.invalid>
Date: Wed, 12 Feb 2003 00:00:09 -0000


"Vlad Tsyrklevich" <root@127.0.0.1> wrote in message
news:pan.2003.02.08.17.39.10.788422.182@127.0.0.1...
> On Sat, 08 Feb 2003 08:07:02 -0800, Scott wrote:
>
> > Good Day,
>
> Hello.
>
> > I am going to encrypt the parms that I pass around on my website for
> > page-to-page communication. (i.e. www.blahblah.com?num=FD8SA66F98S). It
> > would be painfully obvious to most what value I was encrypting (order
> > no.).
> >
> > Would knowing the clear text value AND the encrypted value help someone
> > learn my encrypting key?
>
> Yes, you can encrypt their password with their password as the key and
> that will stop that issue :-).

Best thing would be to encrypt a session key with the pw (or a hash of it)
as a symmetric key and let it be decrypted - or not - at the user's end by
using the pw again.

> > I use a fairly standard encrypting method set to 128-bit.
>
> You might want to use POST method instead of GET because it's much safer
> (i.e. no parameter tampering)

Nonsense. It's as easy to forge a POST as it is to rewrite the HTML of a
webpage to tamper with the form and disable the javascript parameter
validation. Never trust anything you receive from a client.

      DaveK

--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7 D2BD
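An added example, not part of the thread, illustrating DaveK's point that a parameter arriving in a GET query string or a POST body is equally client-supplied and must be checked on the server. Instead of encrypting the order number, the server attaches an HMAC to it: knowing the plain value and its tag does not reveal the key, and any edit to either part is detected. The key, the order/user table and the request dictionaries are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-use"

def sign_param(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.hexmac'. The value stays readable; the MAC lets the
    server detect any client-side modification of it."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify_param(token: str, key: bytes = SERVER_KEY):
    """Return the original value if the MAC checks out, otherwise None."""
    value, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing.
    if not hmac.compare_digest(mac, expected):
        return None
    return value

# Constructed session data: which orders each logged-in user owns.
ORDERS_BY_USER = {"alice": {"1001", "1002"}, "bob": {"2001"}}

def lookup_order(params: dict, session_user: str, key: bytes = SERVER_KEY):
    """Handle a request. `params` is the parsed query string for GET or the
    parsed body for POST; the method does not change what we must verify."""
    token = params.get("num")
    if token is None:
        return ("error", "missing parameter")
    order_no = verify_param(token, key)
    if order_no is None:
        return ("error", "tampered or forged parameter")
    # Integrity is not authorization: a valid token for someone else's order
    # is still rejected against the server-side session.
    if order_no not in ORDERS_BY_USER.get(session_user, set()):
        return ("error", "not your order")
    return ("ok", order_no)

if __name__ == "__main__":
    good = sign_param("1001")
    print(lookup_order({"num": good}, "alice"))
    print(lookup_order({"num": good.replace("1001.", "2001.", 1)}, "alice"))
    print(lookup_order({"num": good}, "bob"))
```

The tag here is an integrity check, not secrecy: the order number is still visible in the URL. If it must also be hidden, pair the MAC with encryption under a separate key, and keep the ownership check regardless.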