Re: MD5 Myths
- From: JuiceMan <jaysgeneral@xxxxxxxx>
- Date: Sun, 26 Aug 2007 17:11:53 -0700
Hmmm... Am I lying already? Not a very good way to start things
off here. Sorry.
John: I think I'm mixing things/apps in my mind as I type. While I'll
fully admit this is not a "typical" implementation and use of MD5, it's
been working for me.
It's "probably" more like this: I know I'm expecting today's date, I'm
expecting some other settings as well. I probably redigest what I'm
expecting and compare with what is sent by the client. If they match I
continue on. There are probably some variations, maybe 1 or 2, not a lot
-- that I consider. If Plan A fails then digest these other
possibilities, check the received digest -- continue on, in a different
kind of mode. Plan C: If neither one of these above cases "work" go to
a default mode.
John: The disclaimer is that you've already put far more thought into
scrutinizing this than I've made in writing it; the above is mostly from
memory. Although it's likely I will wind up diving back into this to
some degree again sometime, for the time being I'd rather not relive
all those old memories just now :)
In retrospect 80 characters seems a little on the high side it is
probably lower, and could be reduced even further.
Back then: I was looking for something that worked and I understood.
Current Day: I'm considering all possibilities but I wouldn't mind
having a solution that has minimal impact to an existing application
and gives it some more strength.
Cryptographic strength? Decent hash? I'm flexible.
Also what I thought then and still feel to this day(and I could be
wrong):
One of the limitations is that in using Perl/CGI and probably other
like Java from a developer standpoint you get kind of limited by what
libraries a 3rd party host on the web offers to you (and/or what
versions of these they support). Now with Perl/CGI I can certainly
upload and use my own libraries and place in a folder of my choosing.
However, sometimes with the dependencies of libraries on other libraries
this really becomes a mess. So my application is about 5 files, but in
order for 1 small piece of it to work I need to have 3-4 libraries
present. MD5 was supported by my web host, voilà. Current Day: the
application has grown to about 9-12 files and I have a better handle
on this. I prefer this type of authentication to cookies I must say.
So the percentages are changing now and maybe an additional 3-4 files
to keep track of is not so bad....and I'm a whole lot wiser ounce
prevention pound of cure -- might be worth the price.
I might consider looking at other cryptos/ hashes at this point with a
little more scrutiny. Thank you for the HMAC reference I might
consider using this at least pursuing it further.
On deck for me is a Java shopping cart/ eCommerce using SSL,
certificates, public/ private and all that stuff. I've done some
preliminary about a year ago. I have all the java pieces and working
prototype I just need to put it all together and have a need -- which I
do now. I'm less familiar with Java, but as my confidence and
experience grows in this area I might consider a Perl/CGI
implementation or go off in a Java kind of direction
altogether.....time will tell. Of course by this time I'll probably
have my own host on line so then I can use any *@#$% library/ version
I want. Excuse the French.
Thanks, folks. I got what I was looking for.
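
Added example, not part of the original post and not the poster's code: the Plan A / Plan B / default check described above, written with the HMAC mentioned in the post instead of a bare MD5 digest. The shared key, the `date|settings` field layout, the function names and the choice of "yesterday" as the one accepted variation are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10
use POSIX qw(strftime);

# Assumption: a key shared by client and server (constructed value).
my $SECRET = 'constructed-demo-key';

# Tag = HMAC-SHA256(key, "date|settings"). The field layout is an assumption.
sub make_tag {
    my ($date, $settings) = @_;
    return hmac_sha256_hex(join('|', $date, $settings), $SECRET);
}

# Compare two tags without stopping at the first differing character.
sub tags_equal {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Plan A: tag over today's date. Plan B: one accepted variation (yesterday,
# for requests that straddle midnight). Plan C: no match, default mode.
sub classify {
    my ($received, $settings, $now) = @_;
    my $today     = strftime('%Y-%m-%d', gmtime($now));
    my $yesterday = strftime('%Y-%m-%d', gmtime($now - 86400));
    return 'normal'   if tags_equal($received, make_tag($today,     $settings));
    return 'fallback' if tags_equal($received, make_tag($yesterday, $settings));
    return 'default';
}

# Constructed sample input: a fixed epoch timestamp and made-up settings.
my $now      = 1188173513;
my $settings = 'user=demo;mode=3';
my %sent = (
    today     => make_tag(strftime('%Y-%m-%d', gmtime($now)),         $settings),
    yesterday => make_tag(strftime('%Y-%m-%d', gmtime($now - 86400)), $settings),
    tampered  => '0' x 64,
);
printf "%-9s -> %s\n", $_, classify($sent{$_}, $settings, $now)
    for qw(today yesterday tampered);
```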