Received: by taz.hyperreal.com (8.7.6/V2.0) id VAA12700; Sun, 3 Nov 1996 21:58:02 -0800 (PST)
Received: from neog.com by taz.hyperreal.com (8.7.6/V2.0) with ESMTP id VAA12678; Sun, 3 Nov 1996 21:57:58 -0800 (PST)
Received: (from nschrenk@localhost) by neog.com (8.7.4/8.6.9) id AAA00234; Mon, 4 Nov 1996 00:05:26 -0600 (CST)
Date: Mon, 4 Nov 1996 00:05:26 -0600 (CST)
From: Nathan Schrenk
To: Apache Developer List
Subject: Lightweight encryption code?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

Pardon me for this slightly off-topic message, but I thought this might be of some interest to other developers.

I'm writing a module that uses cookies to keep state, and it would make my life much easier if I were to be able to keep certain information in a cookie that I could be reasonably confident was actually set by my application. For example, the application stores user preferences on the server, and a cookie is set containing the user's login, and the module looks at the cookie and fetches the user's preferences and then builds them customized content.

There are a number of reasons why storing all the information in cookies is not possible for this system, and forcing the user to log in every time they visit the site is inconvenient. The user's preferences information is not particularly sensitive data, but it would be nice to prevent a user from submitting a cookie with someone else's userid and seeing their preferences. All information in this system that is more sensitive, such as the application which allows the user to modify their preferences, requires the user to log in, but other areas that serve customized content are unauthenticated for convenience.

What I decided to do was to encrypt the data in the cookie, and I have that working right now using the publicly available cryptlib library, but the library is large (~300K on my system) and linking it into an Apache module increases RAM usage on the system quite a bit when Apache starts spawning many processes.

What I'd like to use is some other encryption code that is as small as possible, or some other mechanism to prevent a user from easily falsifying information in the cookie. It doesn't have to be real secure, it just has to prevent a mischievous user from easily faking the data -- a simple character substitution mechanism is probably too simple.

Nathan

--
Nathan Schrenk                          nschrenk@neog.com
Neoglyphics Media Corp.                 http://www.neog.com/
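
An added example, not part of the original message or of any Apache code: the requirement described above (detect a cookie whose userid was not set by the application) is an integrity check, which a keyed MAC provides without encrypting anything. The sketch below uses HMAC-SHA256 from the Python standard library; the function names, the `userid.expiry.tag` cookie layout, and the demo key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key (assumption); a real deployment loads a random
# secret from server-side configuration that clients never see.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _tag(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_cookie(userid, ttl=86400, key=SECRET_KEY, now=None):
    """Return 'b64(userid).expiry.tag'. The userid stays readable by the
    client; the tag only prevents it from being changed undetected."""
    now = int(time.time()) if now is None else int(now)
    uid = base64.urlsafe_b64encode(userid.encode("utf-8")).decode("ascii")
    payload = f"{uid}.{now + ttl}"
    return f"{payload}.{_tag(payload.encode('ascii'), key)}"


def read_cookie(cookie, key=SECRET_KEY, now=None):
    """Return the userid if the tag verifies and the cookie has not
    expired; return None for forged, expired or malformed input."""
    now = int(time.time()) if now is None else int(now)
    try:
        uid, expiry, tag = cookie.split(".")
        expected = _tag(f"{uid}.{expiry}".encode("ascii"), key)
        # Constant-time comparison: do not leak how much of the tag matched.
        if not hmac.compare_digest(tag.encode("ascii"), expected.encode("ascii")):
            return None
        # The expiry is only parsed after the tag has been verified.
        if int(expiry) < now:
            return None
        return base64.urlsafe_b64decode(uid.encode("ascii")).decode("utf-8")
    except (ValueError, UnicodeError):
        return None


if __name__ == "__main__":
    cookie = make_cookie("alice", ttl=60, now=1000)
    print(cookie, "->", read_cookie(cookie, now=1000))
    # Swap in another userid while keeping alice's expiry and tag.
    swapped = make_cookie("bob", ttl=60, now=1000).split(".")[0]
    forged = swapped + "." + cookie.split(".", 1)[1]
    print("forged ->", read_cookie(forged, now=1000))
```

The tag covers the expiry as well as the userid, so a client cannot extend a cookie's lifetime either; a captured valid cookie can still be replayed until it expires.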