DumpsterDoggy

Articles

Search
Newest Articles
Recent Tutorials
Related Blogs
Get Microsoft Silverlight
Twitter Updates

Bookmark This

Cookies: yum, Encryption: yucky

Chris Missal, June 02, 2008

I spent some time dealing with some Cryptography today. First off... it's not fun. Second: It's confusing!

In a nut shell, here's what I was attempting to do: After a user logs on I tell the code to save a little file on their computer. It's called a "cookie". A cookie saves some text on a person's computer for that web site to read later. Other sites can't view these cookies, they're safe. I wanted to store the user name of the person that just logged in so another sub-domain (sub-section of the main web site) can read it and know that the user has passed the login process. By putting the username: cmissal directly into that file, both sites could read it, but also, a person can. If a user with enough know-how sees this, they simply overwrite "cmissal" with "sysadmin" or whatever the case may be... and Kazaam!!, they can now visit with rights of the system's administrator.

One option to fight this would be to make the login process a little more robust. Yes, maybe, but it's really not necessary. We want to keep people from trying to hack somebody else's account. But since this example contains no personal information, it doesn't warrant super tight access. This cookie will do just fine.

The easy solution is to encrypt the data so it can't be read by a human. If a person sees KSDJAF98GYQ03948THP9G8SDJPG9JQ384NG938G4JQ34J98 as their username in a tiny text file tucked away on their computer, they're probably not going to try to change it. Now a user with more than just "know-how" of cryptography may want to try to break this using a key. For every encrypted message, you need a key. The stronger they key (or higher number of bits of encryption; 8-bit, 64-bit, 128-bit, etc.), the stronger the encryption and harder it is to break.

If you secure something with 8-bit encryption, it better not be too sensitive of data. If it is 8-bit encrypted, that means there are 28 different combinations of keys; only 256. This means that in if the key hasn't been found in 128 attempts, each of the next attempts has over a 50% chance of success. I believe I've seen texts speaking of increasing from 128-bit because it isn't secure enough. A 128-bit key would require over 30 million billion billion billion itterations to give the user a 1% chance of cracking the key. I think my little cookie will be ok with 128-bit encryption.

The bad-unfun-notgood encryption comes in because I have to tell these to web sites the "secret key" so they can share this information. It sounds easy, but if it's something with which you're unfamiliar in your every day coding. It can add some gray hairs.

This article contains external links that are not affiliated with DumpsterDoggy.com.

Filed Under: Security   Cryptography   Rants  

© 2006-2010, DumpsterDoggy.com, Inc. or its affiliates