It would seem Carl's Cookbook entry "Strong Authentication Method" could serve as a useful example in this instance.
http://www.rebol.net/cookbook/recipes/0019.html

Ted

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 21, 2003 4:30 PM
Subject: [REBOL] Re: reading back checksum/secure

>
> Carlos:
>
> > Is it secure to pass a checksum/secure value on a URL
> > I mean when GET method is used on CGI?
>
> Checksum/secure is proof against reverse engineering (given
> #{DE187642E6C75F60D10F29E52CAB54CDF676870D} you'd have a hard job working it
> backwards to the original string).
>
> But it isn't safe if the item you have checksummed is easily guessable. If I
> think you are using people's names, I can do a dictionary attack to find the
> matching checksum:
>
>     foreach item ["carlos" "joel" "brett" "carl" "sunanda"] [
>         print [item checksum/secure item]]
>
> Cracked in moments!
>
> So be careful of the strings you decide to checksum. You might think
>
>     checksum/secure form now/precise
>
> was safe. But it really isn't against a simple calendar attack.
>
> The other problem is that URLs pass through a host of intervening machines
> downstream of you and your server. So:
>
>     http://www.myserver.com/mycgi.r?username=carlos&password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D}
>
> will be seen by many machines en route. To be truly safe, you'd want to make
> sure that
>
>     password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D}
>
> only works once -- on the next request it is a different checksum value.
> Otherwise, someone could simply spoof you by copying the value.
>
> Of course, that needs some extra messing around; and whether it's worth the
> bother depends on the value of your data, and how much you expect interlopers
> to come and attack you.
>
> Sunanda
>
> --
> To unsubscribe from this list, just send an email to
> [EMAIL PROTECTED] with unsubscribe as the subject.
