Re: Cookie encryption?



Walter Sobchak wrote:

The connection is ssl encrypted and I need to write some sensitive
information in a cookie. I'd like to encrypt the cookie on the client so
it could be decrypted later on the server.

I would usually not perform such a task at the client. The server
could both encrypt the value and set the cookie via an HTTP header
(still better than document.cookie IMHO).

1. If I use a symmetric algorithm how do I send the encryption key?

If you would use javascript, there is no other choice than making the
key/salt available as plaintext for the script in the web page; thus
making it interceptable for the viewer of the page. I think there can
be little doubt that a server-side solution would be better in this
case.

2. Is there any asymmetric algorithm that doesn't have an impact on
performance?

Encryption is memory-intensive by nature; but I wouldn't care much
about only one en-/decrypt action. The difficulty for asymmetric
cryptography is that there are both the private key (encrypt) and the
public key (decrypt).

A somewhat safe strategy could be to make only the public key
available to the client; so he can only decrypt the cookie with it.
But I believe this would be the opposite of your plan: when you want
to encrypt asymmetrically in javascript, you always need the private
key.

But I think that symmetric cryptography is more recommended in your
scenario (and preferably done at the server).

3. Is there a difference in writing cookies with http and https?
I think https in that case doesn't help.

HTTPS secures the transmission of data along the line, but nothing
more. You are only reasonably safe that nobody can intercept data
between server and client. Most security problems do not relate to
this area.

--
Bart
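Bart's recommendation above (encrypt the value at the server with a symmetric key that never leaves the server, and set the cookie via a response header rather than document.cookie) as an added, runnable example in Go. This is not code from the original thread; it uses AES-256-GCM so that a tampered cookie is rejected rather than decrypted into garbage, and it marks the cookie Secure and HttpOnly so the browser only sends it over HTTPS and scripts cannot read it. The function names, the 32-byte key and the sample plaintext are all my own constructions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

// sealCookieValue encrypts and authenticates plaintext with AES-256-GCM under a
// 32-byte key that stays on the server. The result is nonce||ciphertext||tag,
// base64url-encoded (no padding) so it is safe to place in a Set-Cookie header.
func sealCookieValue(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per cookie; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, nil) // nonce is prepended to the output
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// openCookieValue reverses sealCookieValue. Any modification of the cookie value,
// or decryption under a different key, fails the GCM tag check and returns an error.
func openCookieValue(key []byte, value string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("cookie value too short to contain a nonce")
	}
	nonce, ciphertext := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// sessionCookie wraps the sealed value in an http.Cookie carrying the attributes a
// server-set sensitive cookie should have: Secure (HTTPS only), HttpOnly (not
// readable from JavaScript) and SameSite=Strict (not sent on cross-site requests).
func sessionCookie(name, sealed string) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    sealed,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	// Constructed server-side key for the demo; a real deployment loads it from
	// a secret store and never sends it to the client.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := sealCookieValue(key, []byte("uid=42;role=user")) // constructed sample payload
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", sessionCookie("sess", sealed).String())

	plaintext, err := openCookieValue(key, sealed)
	fmt.Printf("decrypted on server: %q (err=%v)\n", plaintext, err)

	// Flip one bit of the returned cookie to show that tampering is detected.
	raw, _ := base64.RawURLEncoding.DecodeString(sealed)
	raw[len(raw)-1] ^= 0x01
	_, err = openCookieValue(key, base64.RawURLEncoding.EncodeToString(raw))
	fmt.Println("tampered cookie rejected:", err != nil)
}
```

The whole exchange with the client is then just the Set-Cookie header on the way out and the Cookie header on the way back; the client never sees the key, which sidesteps Bart's point 1 entirely, and the Secure flag answers point 3 by preventing the browser from ever sending the cookie over plain HTTP.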


