Cookie encryption?

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • Walter Sobchak

    Cookie encryption?

    The connection is ssl encrypted and I need to write some sensitive
    information in a cookie. I'd like to encrypt the cookie on the client so
    it could be decrypted later on the server.

    1. If I use a symmetric algorithm how do I send the encryption key?
    2. Is there any asymmetric algorithm that doesn't have an impact on
    performance?
    3. Is there a difference in writing cookies with http an https?
    I think https in that case doesn't help.

    Thanks in advance for any suggestions.
  • Doug Miller

    #2
    Re: Cookie encryption?

    In article <g990ds$1e5$2@n ews.metronet.hr >, Walter Sobchak <genijalac@yaho o.comwrote:
    >The connection is ssl encrypted and I need to write some sensitive
    >information in a cookie. I'd like to encrypt the cookie on the client so
    >it could be decrypted later on the server.
    Posting this question in a javascript newsgroup implies that you intend to
    write your encryption algorithm in javascript.

    Consider that doing so exposes your encryption algorithm, including the
    encryption key, to anyone with the wit to click View Source.

    Does this seem like a good plan?


    --
    Regards,
    Doug Miller (alphageek-at-milmac-dot-com)

    Join the UseNet Improvement Project: killfile Google Groups.


    Get a copy of my NEW AND IMPROVED TrollFilter for NewsProxy/Nfilter
    by sending email to autoresponder at filterinfo-at-milmac-dot-com
    You must use your REAL email address to get a response.

    Download Nfilter at http://www.milmac.com/np-120.exe

    Comment

    • Bart Van der Donck

      #3
      Re: Cookie encryption?

      Walter Sobchak wrote:
      The connection is ssl encrypted and I need to write some sensitive
      information in a cookie. I'd like to encrypt the cookie on the client so
      it could be decrypted later on the server.
      I would usually not perform such a task at the client. The server
      could both encrypt the value and set the cookie via a HTTP-header
      (still better than document.cookie IMHO).
      1. If I use a symmetric algorithm how do I send the encryption key?
      If you would use javascript, there is no other choice than making the
      key/salt available as plaintext for the script in the web page; thus
      making it interceptable for the viewer of the page. I think there can
      be little doubt that a server-side solution would be better in this
      case.
      2. Is there any asymmetric algorithm that doesn't have an impact on
      performance?
      Encryption is memory-intensive by nature; but I wouldn't care much
      about only one en-/decrypt action. The difficuly for asymmetric
      cryptography is that there are both the private key (encrypt) and the
      public key (decrypt).

      A somewhat safe strategy could be to make only the public key
      available to the client; so he can only decrypt the cookie with it.
      But I believe this would be the opposite of your plan: when you want
      to encrypt asymmetrically in javascript, you always need the private
      key.

      But I think that symmetric cryptography is more recommended in your
      scenario (and preferably done at the server).
      3. Is there a difference in writing cookies with http an https?
      I think https in that case doesn't help.
      HTTPS secures the transmission of data along the line, but nothing
      more. You are only reasonably safe that nobody can intercept data
      between server and client. Most security problems do not relate to
      this area.

      --
      Bart

      Comment

      • Mike Duffy

        #4
        Re: Cookie encryption?

        spambait@milmac .com (Doug Miller) wrote in
        news:mjUtk.1935 4$cW3.6486@nlpi 064.nbdc.sbc.co m:
        In article <g990ds$1e5$2@n ews.metronet.hr >, Walter Sobchak
        <genijalac@yaho o.comwrote:
        >
        Consider that doing so exposes your encryption algorithm, including
        the encryption key, to anyone with the wit to click View Source.
        >
        Does this seem like a good plan?

        You could ask the end user for a password. Then you end up with something
        that can only be decrypted by the client. You would need to prompt the user
        again for the password when it is needed to decrypt the cookie.

        Comment

        • micah

          #5
          Re: Cookie encryption?

          i think it'd be prudent to change your approach on this one, since
          you're running into a fundamental roadblock: you want to put secure
          info somewhere that's inherently insecure.

          personally, i'd just write the data to the server and associate it
          with that user's account. if there isn't a logged-in user involved in
          this operation then... well... what sensitive information could/would
          you give to someone you haven't authenticated?

          -micah



          On Aug 29, 7:17 am, Walter Sobchak <genija...@yaho o.comwrote:
          The connection is ssl encrypted and I need to write some sensitive
          information in a cookie. I'd like to encrypt the cookie on the client so
          it could be decrypted later on the server.
          >
          1. If I use a symmetric algorithm how do I send the encryption key?
          2. Is there any asymmetric algorithm that doesn't have an impact on
          performance?
          3. Is there a difference in writing cookies with http an https?
          I think https in that case doesn't help.
          >
          Thanks in advance for any suggestions.

          Comment

          • Walter Sobchak

            #6
            Re: Cookie encryption?

            Bart Van der Donck wrote:
            Walter Sobchak wrote:
            >
            >The connection is ssl encrypted and I need to write some sensitive
            >information in a cookie. I'd like to encrypt the cookie on the client so
            >it could be decrypted later on the server.
            >
            I would usually not perform such a task at the client. The server
            could both encrypt the value and set the cookie via a HTTP-header
            (still better than document.cookie IMHO).
            >
            >1. If I use a symmetric algorithm how do I send the encryption key?
            >
            If you would use javascript, there is no other choice than making the
            key/salt available as plaintext for the script in the web page; thus
            making it interceptable for the viewer of the page. I think there can
            be little doubt that a server-side solution would be better in this
            case.
            >
            >2. Is there any asymmetric algorithm that doesn't have an impact on
            >performance?
            >
            Encryption is memory-intensive by nature; but I wouldn't care much
            about only one en-/decrypt action. The difficuly for asymmetric
            cryptography is that there are both the private key (encrypt) and the
            public key (decrypt).
            >
            A somewhat safe strategy could be to make only the public key
            available to the client; so he can only decrypt the cookie with it.
            But I believe this would be the opposite of your plan: when you want
            to encrypt asymmetrically in javascript, you always need the private
            key.
            >
            But I think that symmetric cryptography is more recommended in your
            scenario (and preferably done at the server).
            >
            >3. Is there a difference in writing cookies with http an https?
            >I think https in that case doesn't help.
            >
            HTTPS secures the transmission of data along the line, but nothing
            more. You are only reasonably safe that nobody can intercept data
            between server and client. Most security problems do not relate to
            this area.
            >
            --
            Bart
            The thing is that I have the information on the client side. So I want
            to encrypt it and out it in a cookie.
            I know that should be done on the server side but I don't know how.
            Is there a way to call a server function from a client in a way that you
            send a parameter to that function and receive the result??

            Comment

            • Walter Sobchak

              #7
              Re: Cookie encryption?

              It sounds like a good solution but the problem is that user enters some
              information on the client side and I need to have this information in a
              cookie because it is some kind of an authentication ticket.



              micah wrote:
              i think it'd be prudent to change your approach on this one, since
              you're running into a fundamental roadblock: you want to put secure
              info somewhere that's inherently insecure.
              >
              personally, i'd just write the data to the server and associate it
              with that user's account. if there isn't a logged-in user involved in
              this operation then... well... what sensitive information could/would
              you give to someone you haven't authenticated?
              >
              -micah
              >
              >
              >
              On Aug 29, 7:17 am, Walter Sobchak <genija...@yaho o.comwrote:
              >The connection is ssl encrypted and I need to write some sensitive
              >information in a cookie. I'd like to encrypt the cookie on the client so
              >it could be decrypted later on the server.
              >>
              >1. If I use a symmetric algorithm how do I send the encryption key?
              >2. Is there any asymmetric algorithm that doesn't have an impact on
              >performance?
              >3. Is there a difference in writing cookies with http an https?
              >I think https in that case doesn't help.
              >>
              >Thanks in advance for any suggestions.
              >

              Comment

              • Bart Van der Donck

                #8
                Re: Cookie encryption?

                Walter Sobchak wrote:

                ....
                >Walter Sobchak wrote:
                >>The connection is ssl encrypted and I need to write some sensitive
                >>information in a cookie. I'd like to encrypt the cookie on the client
                >>so it could be decrypted later on the server.
                ...
                The thing is that I have the information on the client side. So I want
                to encrypt it and out it in a cookie.
                I know that should be done on the server side but I don't know how.
                I think the most classic design would be like this:

                1. Put the information in an <input(type=hid den?)
                2. submit the form (manually?) as post-request over HTTPS to server
                3. server encrypts it (+probably stores it?)
                4. send next 'you-are-now-logged-in'-page with cookie in HTTP-header

                The javascript way:

                1. offer string+salt to the encryption alghoritm on the page

                2. use document.cookie () to store it
                W3Schools offers free online tutorials, references and exercises in all the major languages of the web. Covering popular subjects like HTML, CSS, JavaScript, Python, SQL, Java, and many, many more.

                Is there a way to call a server function from a client in a way that you
                send a parameter to that function and receive the result??


                --
                Bart

                Comment

                Working...