Darthsteven
Starting Member
United Kingdom
38 Posts
Posted - 23 June 2002 : 16:37:17
I was alarmed at the fact that user names and passwords are sent freely over the internet in the form of cookies. Though the threat of a cookie being 'intercepted' may be small, the fact is that if you use a public computer to access the other excellent Snitz Forums and happen to check the 'remember me' box as you log in, and then don't log out, someone else could come along and pick up your details. I decided I wanted to do something about this, so I wrote a mod that encrypts the user's data using the RC4 algorithm. This mod appears to work flawlessly, and although it does take some setting up (more on that later) it succeeds in encrypting all standard data passed to the client as a cookie.
I am aware that the US has STRONG export laws on cryptography, something like no bigger than 56 bit keys I believe? However, I am not a US citizen, and, no offence, glad not to be. My mod can encrypt the data with multiple keys multiple times. Currently I have a local version running with ten keys, so the data gets encrypted ten times over. But I want to know about the length of the keys. I am using 256 character alphanumeric strings at the moment, which means that the number of different keys is:
n = 36^256
which roughly equates to:
n = 2.5908376311441826967568468751747e+398
and different keys can be used for each of the ten times. I suppose my question is, is this all legal? I am a UK citizen, but are there similar laws to the US?
I want to share the mod, but I don't want to get into any trouble either.
Regards Darthsteven
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 23 June 2002 : 16:44:32
I'm not a legal expert but I wouldn't think that you're doing something illegal just by creating code to implement an encryption algorithm. And the restriction on 56 bit keys has long been removed, since I believe IE with 128 bits Cipher Strength is standard in all but a few 'pariah' states.
------------------------------------------------- Installation Guide | Do's and Dont's | MODs
Darthsteven
Starting Member
United Kingdom
38 Posts
Posted - 23 June 2002 : 16:54:00
Well, if I come, 'ahem', totally clean, I didn't actually write the algorithm: http://www.4guysfromrolla.com/webtech/010100-1.shtml
but the surrounding code I wrote, though you can't see that.
When we say '128 bit' I suppose that's the equivalent of a 16 character string?
I forgot to add this, but when I was writing this mod I found it VERY time consuming to change all the cookie function calls. I suppose it's not in the bounds of this thread, but in version four I think all cookie functions should be encapsulated in another custom-written object or function calls. This would not only make this kind of mod easier to add to the forums, but if the EU ever decides to pass that stupid law banning cookies, the calls would be there to easily change every cookie call to, say, a session variable, or something.
Regards Darthsteven
Edited by - Darthsteven on 23 June 2002 16:55:07
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 23 June 2002 : 17:14:18
quote:
When we say '128 bit' I suppose that's the equivalent of a 16 character string?
I'd suppose so. What that means is that you have a 128 bit key, and that corresponds to a 16 byte key, so...
Darthsteven
Starting Member
United Kingdom
38 Posts
Posted - 23 June 2002 : 17:17:35
quote:
quote:
When we say '128 bit' I suppose that's the equivalent of a 16 character string?
I'd suppose so. What that means is that you have a 128 bit key, and that corresponds to a 16 byte key, so...
I suppose my mod uses 32 byte keys.
Regards Darthsteven
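Added example for this thread, covering the ten-key RC4 scheme in the opening post and the '128 bit = 16 characters' question above. It is not the Cookie Encrypter mod's code and not the 4guysfromrolla routine; the ten keys, the cookie value `user=alice;admin=0` and the function names are constructed for the demonstration. It shows three things a reviewer of the mod would check: that ten RC4 passes with ten keys collapse to a single XOR with one combined keystream (and two equal keys cancel out entirely), that a 16-character alphanumeric key carries about 83 bits rather than 128, and that because RC4 is a stream cipher with no integrity check, whoever knows a cookie's plaintext can rewrite it without any key.

```python
# Added example for this thread; it is not the Cookie Encrypter mod's code and
# not the 4guysfromrolla routine. Keys and the cookie value are constructed.
import math

BITS_PER_ALNUM_CHAR = math.log2(36)  # a-z plus 0-9, chosen uniformly


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) then output generation (PRGA).
    The KSA reads key[i % len(key)] for i in 0..255, so bytes past the
    256th never touch the state; a longer key is silently truncated."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: data XOR keystream."""
    return xor(data, rc4_keystream(key, len(data)))


def layered_rc4(keys, data: bytes) -> bytes:
    """The scheme from the opening post: one RC4 pass per key, ten keys
    meaning ten passes. The same call decrypts, in any key order."""
    for k in keys:
        data = rc4(k, data)
    return data


def combined_keystream(keys, length: int) -> bytes:
    """XOR of the per-key keystreams. Every pass is an XOR, so n passes
    collapse to a single XOR with this one combined keystream."""
    ks = bytes(length)
    for k in keys:
        ks = xor(ks, rc4_keystream(k, length))
    return ks


def alnum_key_bits(nchars: int) -> float:
    """Entropy of an n-character key drawn uniformly from 36 symbols.
    16 characters give about 83 bits, not the 128 of a 16-byte random key."""
    return nchars * BITS_PER_ALNUM_CHAR


def rewrite_without_key(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """Stream-cipher malleability. Whoever knows the plaintext of a cookie
    (its owner does) can turn it into any other plaintext of the same length
    without any key: C ^ P ^ P' == P' ^ keystream, for one pass or ten."""
    if not len(ciphertext) == len(known) == len(wanted):
        raise ValueError("lengths must match")
    return xor(xor(ciphertext, known), wanted)


# Constructed sample data: ten distinct keys and a cookie value.
KEYS = [("k%02d" % n).encode() * 8 for n in range(10)]
COOKIE = b"user=alice;admin=0"
FORGED_COOKIE = b"user=alice;admin=1"


def forge_admin_cookie() -> bytes:
    """Encrypt the sample cookie with all ten keys, rewrite the ciphertext
    to turn admin=0 into admin=1, then decrypt with the real keys."""
    ct = layered_rc4(KEYS, COOKIE)
    tampered = rewrite_without_key(ct, COOKIE, FORGED_COOKIE)
    return layered_rc4(KEYS, tampered)


if __name__ == "__main__":
    ct = layered_rc4(KEYS, COOKIE)
    print("ten passes == one pass:",
          ct == xor(COOKIE, combined_keystream(KEYS, len(COOKIE))))
    print("forged cookie decrypts to:", forge_admin_cookie())
    print("16 alnum chars carry %.1f bits" % alnum_key_bits(16))
```

Two consequences for the mod as described. Stacking passes adds setup effort but no strength: the server could replace the ten keys with one keystream and nothing observable would change, and if two of the ten keys happen to be equal those two passes undo each other. And the threat in the opening post (someone using the same public machine after you) is not addressed by encrypting the cookie contents, because the browser presents the cookie as-is and the server decrypts it for whoever sends it; what would help is a cookie that is an opaque server-side session token with an expiry, and, if the contents must be readable server-side, a MAC over the ciphertext so the rewrite above is rejected.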
e3stone
Average Member
USA
885 Posts
Posted - 24 June 2002 : 04:04:50
Make as many encryption mods with keys in as many bytes as you want, but if people are able to download your database, then encryption of cookies is pointless. Why take one cookie when you can have the whole jar.
<-- Eric -->
Edited by - e3stone on 24 June 2002 04:07:03
Darthsteven
Starting Member
United Kingdom
38 Posts
Posted - 24 June 2002 : 13:23:11
Well, securing the whole db is a trivial task, but if you mean encrypting every single field that would be a nightmare, as snitz doesn't pass the results of a sql query through a 'dummy' function.
Even so, I have decided to post my mod, thus:
http://www.mike.jones18.btinternet.co.uk/mod_Cookie_Encrypter_v1.zip
A quick warning though: this isn't a mod that can be installed in five minutes; it will most likely take more than one hour.
Regards Darthsteven
Edited by - Darthsteven on 24 June 2002 13:24:36
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 24 June 2002 : 13:31:56
quote:
Make as many encryption mods with keys in as many bytes as you want, but if people are able to download your database, then encryption of cookies is pointless. Why take one cookie when you can have the whole jar.
I fail to see the point of this post. Cookie encryption and database security are two different security mechanisms, one implemented at the client, the other at the server. I believe cookie encryption can enhance the trust of many Snitz users that their password won't be obtained through their cookies.
Obviously the database at the server needs to be secure, but both mechanisms complement each other, IMHO.
Darthsteven, thanks for sharing your mod here.
Edited by - ruirib on 24 June 2002 13:33:08
Darthsteven
Starting Member
United Kingdom
38 Posts
Posted - 24 June 2002 : 14:19:29
Oops,
my readme file stating a ton of line numbers is based on a MODDED version of Snitz. Not sure how it will affect everything, but when I have the time I'll re-write it for a clean install.
In the meantime, to check you haven't missed any cookie, look for
.cookies(strUniqueID & "User")( and replace as stated at the end of the readme, ignoring any matches in the 'readme.txt' file and the 'inc_crypter_ds.asp' file.
Regards Darthsteven
blackinwhite
Average Member
Turkey
657 Posts
Posted - 24 June 2002 : 17:51:04
It's great work. I just began to implement it; it seems to be working without any problem for now.
I know that the next version will already have a built-in password encryption feature, but I wonder how hard it would be to implement the same idea for the db, by taking this mod as an example.
Edited by - blackinwhite on 24 June 2002 17:52:26
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 24 June 2002 : 17:57:03
quote:
Make as many encryption mods with keys in as many bytes as you want, but if people are able to download your database, then encryption of cookies is pointless. Why take one cookie when you can have the whole jar.
Passwords in the db are also being encrypted in 3.4.
dayve
Forum Moderator
USA
5820 Posts
Posted - 24 June 2002 : 22:05:59
Will there be any chance that a MOD of this could be published for those needing to stay with previous versions?
http://www.nineinchnailz.com
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 25 June 2002 : 05:30:09
To be honest, with the enhanced security and much improved db performance, I would not recommend that anybody stays with an older version.
It would be unlikely to be released as a mod as it is quite a core change to the code.
dayve
Forum Moderator
USA
5820 Posts
Posted - 25 June 2002 : 10:51:44
Ahhh, bugger. I am not prepared to re-mod another version... I am sure I am in the same boat as many others. Oh well...
http://www.nineinchnailz.com
blackinwhite
Average Member
Turkey
657 Posts
Posted - 25 June 2002 : 11:47:22
quote:
Ahhh, bugger. I am not prepared to re-mod another version... I am sure I am in the same boat as many others. Oh well...
I am in the same boat.
The 'cookie encrypt mod' is an example. The security issue can be prevented separately with some modifications.
I think I'll look for another solution, or give up resisting the coming version.
Edited by - blackinwhite on 25 June 2002 11:50:09