[thesite] how ueue works
Daniel J. Cody
djc at starkmedia.com
Thu Oct 18 13:36:34 CDT 2001
ok, heres an example that will clear it up i think :)
(only using a very simple example here for time purposes)
when i login to ueue.evolt.org it will check for my username and passwd.
in the live DB. if they're correct, it says, "Ok, lemme set dans userid
to a cookie and also run his userid through a MD5 algorithm and set that
as a cookie too".
the first cookie is in plain text. the second one is a once in a
lifetime string set with the MD5 protocol. it takes my userid and sends
it through an algorithm using a couple variables like so:
userid_hash = MD5(userid.SUPERSECRETPASSWORD) and gets
3cc076a28ccb2505ea525aca65e1185b as a result. therefore,
userid_hash = 3cc076a28ccb2505ea525aca65e1185b
ok, still with me? :)
it then sets two cookies for me:
userid = 5
userid_hash = 3cc076a28ccb2505ea525aca65e1185b
and sends me on my merry way back to members.evolt.org.
members.evolt.org looks at my cookies and says, "Ok, this person has a
couple *.evolt.org userid cookies. lemme check them"
(remember that m.e.o 'knows' what the SUPERSECRETPASSWORD is)
it then takes the userid cookie, and says, "Ok, this guy is claiming he
has a userid of 5. lemme double check"
m.e.o then looks at my userid_hash cookie and does something like this
psuedocode:
START.
IF:
MD5($ueue.evolt.org.cookie.USERID*SUPERSECRETPASSWORD) =
$ueue.evolt.org.cookie.USERID_HASH
THEN:
set members.evolt.org.session.userid = ueue.evolt.org.cookie.userid
& location = members.evolt.org/index.cfm
ELSE:
echo "Fuck off and have a nice day! :)" & location = ueue.evolt.org
END.
$ueue.evolt.org.cookie.USERID is just the plaintext USERID cookie. and
$ueue.evolt.org.cookie.USERID_HASH is one created from the MD5 algorithm.
still with me? :)
if the plaintext cookie and the 'hashed' cookie don't match up when the
Child Server(m.e.o in this case) runs MD5 'against' the plaintext and
the SUPERSECRETPASSWORD, it boots you back and calls your mom.
MD5 is kinda like multiplying two prime numbers together if you think
about it.. its easy to multipy
20988936657440586486151264256610222593863921
times(*)
20988936657440586486151264256610222593863921
to get our 'hash':
4.4053546201005321934871230285669e+62
but *fuck* is it hard to try to figure out what two numbers you have to
multiply together to get :
4.4053546201005321934871230285669e+62
and MD5 is like 3l337e+3l337 times more difficult than that :)
it comes down to the fact that our applications are giong to 'know' the
two prime numbers(userid, SUPERSECRETPASSWORD) while Joey Cracker with
his m.e.o account only knows 1, which with a fucking Cray he could
figure out, but if he has a Cray, I say we just give him access and save
everyone the trouble ;)
hopefully that clears it up a bit, keep asking me if now and i'll try
again :)
.djc.
yes those are real prime numbers :)
.jeff wrote:
> isn't the value of the cookie already hashed?
>
> perhaps i'm not understanding because my assumption of the value contained
> in the cookie is different than yours.
More information about the thesite
mailing list