[8200] in bugtraq


Re: Referer (was Patches for wwwboard.pl)

daemon@ATHENA.MIT.EDU (David Schwartz)
Tue Oct 13 17:32:24 1998

Date: 	Mon, 12 Oct 1998 14:48:19 -0700
Reply-To: David Schwartz <davids@WEBMASTER.COM>
From: David Schwartz <davids@WEBMASTER.COM>
X-To:         lstein@cshl.org
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199810092046.QAA23659@formaggio.cshl.org>

        You should also be including a timestamp and an originator IP in the hash
function. Otherwise you are vulnerable to interception and replay attacks.
If you're going to do it, you might as well do it right.

        DS

> Even though I wrote this, it turns out that this isn't the best way to
> compute a message authentication code (MAC).  A more secure technique
> is this:
>
>  $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable
> @consistency"))
>
> I explain the problems with the original scheme in the October issue
> of Web Techniques.
>
> Lincoln
>
> --
> ========================================================================
> Lincoln D. Stein                           Cold Spring Harbor Laboratory
> lstein@cshl.org                                   Cold Spring Harbor, NY
> ========================================================================
>
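The two constructions discussed in this exchange, as an added worked example that is not code from either poster or from wwwboard.pl: Lincoln's nested hash, MAC = MD5(secret . MD5(secret fields)), extended with the timestamp and originator IP that David says are needed against replay. The secret, the field values, the IP addresses and the 300-second freshness window are all constructed here for illustration; the thread gives no specific values. Fields are length-prefixed before hashing instead of space-joined as in the quoted Perl string interpolation, so a value containing a space cannot shift a boundary between fields.

```python
import hashlib
import hmac
import time

# Constructed values for the example; nothing here comes from the thread.
SECRET = b"example-shared-secret-not-from-the-thread"
MAX_AGE_SECONDS = 300  # freshness window (assumed value)


def _encode_fields(secret: bytes, fields, timestamp: int, client_ip: str) -> bytes:
    """Serialize every input with a length prefix so field boundaries are
    unambiguous (the quoted Perl joins them with spaces, which is not)."""
    parts = [secret] + [f.encode() for f in fields] + [
        str(timestamp).encode(), client_ip.encode()]
    return b"".join(f"{len(p)}:".encode() + p for p in parts)


def nested_mac(secret: bytes, fields, timestamp: int, client_ip: str) -> str:
    """MD5(secret . MD5(secret fields timestamp ip)), i.e. the nested scheme
    from the quoted message with the replay-binding inputs added.
    hmac.new(secret, msg, hashlib.sha256) is the modern equivalent."""
    inner = hashlib.md5(_encode_fields(secret, fields, timestamp, client_ip)).hexdigest()
    return hashlib.md5(secret + inner.encode()).hexdigest()


def sign(fields, client_ip: str, secret: bytes = SECRET, now=None):
    """Return (timestamp, mac) to embed in the form alongside the fields."""
    ts = int(time.time()) if now is None else int(now)
    return ts, nested_mac(secret, fields, ts, client_ip)


def verify(fields, client_ip: str, timestamp, mac: str,
           secret: bytes = SECRET, now=None, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Accept only if the MAC matches the fields, the submitting IP and the
    timestamp, and the timestamp is inside the freshness window."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts = int(timestamp)          # arrives as a form string in practice
    except (TypeError, ValueError):
        return False
    if not 0 <= now - ts <= max_age:
        return False                 # stale replay or clock skew into the future
    expected = nested_mac(secret, fields, ts, client_ip)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


if __name__ == "__main__":
    fields = ["followup=42", "body=hello"]
    ts, mac = sign(fields, "192.0.2.10", now=1000)
    print("fresh, same IP      :", verify(fields, "192.0.2.10", ts, mac, now=1100))
    print("replayed 400s later :", verify(fields, "192.0.2.10", ts, mac, now=1400))
    print("replayed from new IP:", verify(fields, "198.51.100.7", ts, mac, now=1100))
    print("tampered field      :", verify(["followup=43", "body=hello"], "192.0.2.10", ts, mac, now=1100))
```

Binding the originator IP does reject a captured form submitted from another host, but it also rejects legitimate users whose address changes between page load and submit (proxy pools, dial-up reconnects), so the window and the IP check are a trade-off the deployer has to choose.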
