Bugtraq mailing list archives

Re: Referer (was Patches for wwwboard.pl)


From: davids () WEBMASTER COM (David Schwartz)
Date: Mon, 12 Oct 1998 14:48:19 -0700


        You should also be including a timestamp and an originator IP in the hash
function. Otherwise you are vulnerable to interception and replay attacks.
If you're going to do it, you might as well do it right.

        DS

Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC).  A more secure technique
is this:

 $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable
@consistency"))

I explain the problems with the original scheme in the October issue
of Web Techniques.

Lincoln

--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein () cshl org                                   Cold Spring Harbor, NY
========================================================================




Current thread: