David Cantrell wrote:
> On Fri, Nov 28, 2008 at 12:30:12AM +0000, Lyle wrote:
>
>
>> I need to add a little security to one of my tracking scripts. The
>> common way to do this is to encrypt a known tracking id combined with a
>> secret password, such as md5( id . password ).
>>
>> I'm wondering if MD5 is the best way to go? I know max was talking about
>> encryption at the last meet...
>>
>
> Presumably the aim of this is so that some random person can't figure
> out what the next valid ID is? Or so that you can tell if they've
> changed the ID because the hash won't match?
>
A tracking script is called through http(s) being passed an ID and some
other data along the query string. I need to verify that this is
genuine, as simple password is no good as they will be able to pick it
up of the query string, so the idea is to pass the id and MD5( id +
password ). Then on the other side you can re-generate MD5( id +
password ) and check it matches.
> In that case, MD5 is fine. None of its current known weaknesses apply,
> and for such tiny amounts of data attacks would be Hard, provided you
> choose a strong password so they can't use a rainbow table. About 128
> bits of password (incidentally, in the literature what you've valled a
> password is normally called a salt - you are liable to confuse yourself
> and your customers if you don't call it that, as the literature
> generally uses hashes of *passwords* + salt as its examples; but I'll
> continue to call it a password in this email) is considered to be strong
> enough to protect root's password on modern Unixes.
>
You're right I mean salt and not password. MD5( id + salt )
> If your password consists of a-z, A-Z, 0-9 and
> \|,./<>?;'#:@~[]{}-_=+)(*&^%$"! (93 different characters) then you have
> log(93)/log(2) == 6.5 bits per character, so should use a string of 19
> or 20 random characters. If you use a passphrase, then remember that
> English only gives you about 1 bit per character.
>
I thought a bit was either 1 or 0 and a byte was a 8 bits which is used
to represent characters?
>> Requirements are that other languages need to be able to easily do this
>> encryption as well. Such as ASP VBscript, JScript, C#, ColdFusion, PHP,
>> Python, Ruby...
>>
>
> MD5 is a very common algorithm, and I'd be shocked if it wasn't
> available for all of those.
>
I've done some searching and MD5 is indeed available on all these. SHA1
seems to be on most, but a little trickier on some.
Although I did come across some code claiming to be an MD5 cracker...
Haven't tested it through:-
http://grahana.wordpress.com/2007/10/18/perl-md5-cracker/
Lyle
_______________________________________________
BristolBathPM mailing list
[email protected]
http://mailman.bristolbath.org/mailman/listinfo/bristolbathpm
