httpd-dev mailing list archives

From "Mikhail T." <mi+t...@aldan.algebra.com>
Subject Re: Decrypting mod_session-created cookie
Date Thu, 18 Jul 2013 15:02:03 GMT

On 09.07.2013 00:43, Yehuda Katz wrote:
> Unfortunately not this week. Send me a reminder email next week and I should 
> be able to look at it.

Although I was able to answer my own question last week — and have replicated 
Apache's default AES256 en/decryption in PHP 
<http://aldan.algebra.com/%7Emi/mod_session_crypt.html>, I still have another, 
related, question unanswered....

Do I need to worry about the /integrity/ of the decrypted text? In other words, 
although I trust AES256 to protect the text from being decrypted by an attacker 
(as long as the passphrase is not known, of course), do I also trust it for 
protection against the text being tampered with?

If not, I'd have to implement my own signing of the contents — with some kind of 
HMAC_Foo, perhaps. But I'd rather not bother, if I don't have to... Do I? Thanks!

    -mi
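
The HMAC signing contemplated in the message above, as an added example that is not part of the original post and not code from mod_session: an HMAC-SHA256 tag is computed over the session text and checked in constant time before the text is used. The function names `sign_session()` and `verify_session()` are hypothetical, the MAC key is assumed to be a separate random key rather than the encryption passphrase, and the sample session string is constructed.

```php
<?php
// Added example: authenticate session text with HMAC-SHA256 before trusting it.
// All names here are hypothetical; the sample data below is constructed.

const TAG_LEN = 32; // length in bytes of a raw SHA-256 HMAC

// Prepend a raw HMAC tag to the session text and encode for cookie transport.
function sign_session(string $plain, string $macKey): string
{
    $tag = hash_hmac('sha256', $plain, $macKey, true);
    return base64_encode($tag . $plain);
}

// Return the session text only if its tag verifies; null on any failure.
function verify_session(string $token, string $macKey): ?string
{
    $raw = base64_decode($token, true);          // strict: reject non-base64 input
    if ($raw === false || strlen($raw) < TAG_LEN) {
        return null;                             // malformed or truncated token
    }
    $tag      = substr($raw, 0, TAG_LEN);
    $plain    = substr($raw, TAG_LEN);
    $expected = hash_hmac('sha256', $plain, $macKey, true);

    // hash_equals() compares in constant time, so the comparison itself
    // does not reveal how many leading bytes of a forged tag were right.
    return hash_equals($expected, $tag) ? $plain : null;
}

// --- constructed sample data ---
$macKey  = random_bytes(32);                     // assumed: independent MAC key
$session = 'user=alice&role=viewer';             // constructed session text
$token   = sign_session($session, $macKey);

// 1. An untouched token verifies and yields the original text.
var_dump(verify_session($token, $macKey) === $session);

// 2. Flipping one bit of the payload makes verification fail.
$raw = base64_decode($token, true);
$i   = strlen($raw) - 1;
$raw[$i] = chr(ord($raw[$i]) ^ 0x01);
var_dump(verify_session(base64_encode($raw), $macKey));

// 3. A token checked under a different key is rejected as well.
var_dump(verify_session($token, random_bytes(32)));
```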

