[Nitro] two way crypt function
interfecus at gmail.com
Tue Nov 13 05:29:43 EST 2007
On Sunday 11 November 2007 14:24:54 Trans wrote:
> On Nov 10, 5:23 pm, Timothy <interfe... at gmail.com> wrote:
> > HMAC is not appropriate for this! HMAC is for authentication over a
> > network, not for encryption.
> Currently authentication is all George is doing and that's what I was
> suggesting it for. Also, HMAC is a part of OpenSSL.
> I think if you go so far as to encrypt cookies, you should consider
> carefully if you should be using cookies to begin with. Also don't
> bother encrypting any cookie that doesn't really need to be. I
> couldn't care less if anyone finds out my shoe size ;)
> Nitro-general mailing list
> Nitro-general at rubyforge.org
HMAC would be suitable for authentication of a message but how does adding it
to cookies improve over using a single, random session id cookie and storing
all sensitive data in a session store? Why would you want to authenticate
messages to yourself when you could just keep them in your sight?
I'm aware that for some small things it could be advantageous to avoid a
roundtrip to a database due to frequent use but it's these same, frequently
used pieces of data that will be expensive to verify repeatedly. It is common
to see user preferences in cookies because the user cannot do any harm by
changing them. Such applications should assume that the user might do so.
Anything more sensitive should be kept server-side.
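The two approaches contrasted in this thread, side by side, as an added example (not code from the Nitro project or from either poster; it assumes Ruby with the standard OpenSSL and SecureRandom libraries, and uses an in-memory hash where a real application would use its session store). The opaque session id needs no verification at all, because there is nothing in it to tamper with; the HMAC-signed cookie lets a preference travel with the request, but the tag only proves the value is unchanged, it hides nothing, and the key must stay on the server:

```ruby
require 'openssl'
require 'securerandom'

# --- Option 1: random session id, all data kept server-side --------------
# Constructed stand-in for a database or cache.
SESSION_STORE = {}

def new_session(data)
  id = SecureRandom.hex(16)   # 128 random bits; nothing for the user to edit
  SESSION_STORE[id] = data
  id
end

def load_session(id)
  SESSION_STORE[id]           # nil for an unknown or guessed id
end

# --- Option 2: HMAC-authenticated cookie (for harmless preferences) ------
# Constructed key for the example; in practice generated once and kept secret.
COOKIE_KEY = SecureRandom.random_bytes(32)

def cookie_tag(value, key)
  OpenSSL::HMAC.digest('sha256', key, value)
end

# value is hex-encoded (not encrypted) and followed by its hex HMAC tag.
def sign_cookie(value, key = COOKIE_KEY)
  "#{value.unpack1('H*')}--#{cookie_tag(value, key).unpack1('H*')}"
end

# Constant-time comparison so a forger learns nothing from timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the original value if the tag verifies, nil for anything altered,
# malformed, or signed under a different key.
def verify_cookie(cookie, key = COOKIE_KEY)
  encoded, tag = cookie.to_s.split('--', 2)
  return nil if encoded.nil? || tag.nil?
  value    = [encoded].pack('H*')
  given    = [tag].pack('H*')
  expected = cookie_tag(value, key)
  secure_equal?(given, expected) ? value : nil
end

if __FILE__ == $PROGRAM_NAME
  id = new_session('user_id' => 42)
  puts "session #{id} -> #{load_session(id).inspect}"
  cookie = sign_cookie('shoe_size=42')
  puts "signed cookie: #{cookie}"
  puts "verified: #{verify_cookie(cookie).inspect}"
  # Same tag, edited value: rejected.
  forged = "#{'shoe_size=43'.unpack1('H*')}--#{cookie.split('--', 2).last}"
  puts "forged: #{verify_cookie(forged).inspect}"
end
```

Verification of the signed cookie costs an HMAC on every request, which is the repeated cost the message above points out; the session id costs a store lookup instead, and whatever the user does to the cookie, the worst outcome is an unknown id and a fresh, empty session.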