Re: PHP encryption again

Allie Micka wrote:

> On Mar 14, 2005, at 2:12 PM, Paul Bramscher wrote:
>
> > (1)   While it's impossible to reconstruct the server key by hacking 
> > into the client, it means that the hacker would instead try to 
> > emulate the client, focus his efforts there.  That is, spoof all 
> > information the client is sending to the server.  So it doesn't 
> > matter what you do server-side to the session ID -- if the hacker 
> > *perfectly* spoofs the client, any extra precautions taken 
> > server-side are merely snake oil.
>
>
> Not snake oil at all.  It is true that there's no way a hash or key 
> will protect you 100% for ever and ever.  But it takes a long time to 
> derive a session id, and  much longer to derive any other kind of 
> secondary identification.  The time it takes to derive this info is a 
> multiple of each level of security.

My point is more generic (and mainly theoretical).  Remember the old 
"mind-reading" trick that goes something like this:

client: pick a number 1 - 100.
server & client instructions:
(1)   add 5
(2)   subtract 3
(3)   add 1
(4)   subtract 3
(5)   subtract the original number
Now let me guess... You have "0"?

My point was that fully cloning the client puts the hacker into a 
position where the server-side manipulations, regardless of what they 
are, will be to no avail.  You can keep adding more steps, but it's 
pointless.  The hacker has *become* the client in the server's eyes, so 
any manipulations to the session, etc. will be performed to the hacker 
identically as for the authenticated user.

But I agree -- unless there's some unknown mathematical weakness with 
SSL, some sysadmin doesn't catch billions of attempts to hack a 
session_id, or it becomes all too easy to hack into a client's computer 
and lift the cookie and spoof the IP, then these arguments are all only 
theoretical.

So probably any hacker is going to look first at cloning the client 
before even bothering with an upfront assault on the server.  This is 
why I prefer linux, since I trust a properly configured linux box far 
more than an MS box, whose security mechanisms are all closed source and 
have never met the eye of public scrutiny...

Paul Bramscher