Data Security is encryption class for transforming plain text into cipher text. This ensures data confidentiality by using 160 bit key to encrypt blocks of plain text. The strength of key it’s very high and to break the key it is needed ~2^160 attempts which is number with length of 17 numbers and today’s processors aren’t strong enough to break this key for a short time.
Encryption algorithm is designed and discovered by Arlind Nushi, author of this script and named ANCrypt.
SafeCookie is implemented under ANCrypt algorithm and ensures:
- Data Confidentiality
- Data Integrity
Data Confidentiality – Ensures that data are hidden from everyone expect persons who have passkey and encryption/decryption algorithm.
Data Integrity – Guarantees that data saved on cookies cannot be altered or modified from another user. If data’s are modified you are in knowledge of that by using a method for testing cookie integrity. Data integrity in cookies is very important because we know that every user has possibility to alter cookies on his own browser and those are read by your site.
That’s say for example if you have a cookie to check if user is logged and on cookie is saved user access privileges in this form: user_logged=false, user_privileges=normal_user. Any person can make modifications on these cookies because they are easy to understand and they are meaning of a function on website. Then user try and can change user_logged=true, user_privileges=admin, and this is the reason why un-protected cookies are weakness of your site.
But with SafeCookie, a cookie is saved on this way: Hash value of cookie name is generated using MD5 algorithm and saved with that name Value of cookie The hash of value is generated using MD5 – for data integrity check Then hash value and data’s for that cookie are concatenated Concatenated data are encrypted with ANCrypt using specific passkey And to test a cookie data integrity this is the flow of how any cookie can be verified if is altered (modified) and it’s not the cookie you saved before.
- First to retrieve a cookie you need to specify a cookie name, and that name will be hashed to search if that cookie exists.
- If cookie exists, it decrypts the content of that cookie using the same key as on encryption
- Cookie is splitted into two parts
- Part that contains saved hash value and contents of cookie
- A hash value is generated for content of cookie and will be compared with saved hash value of cookie
If values are the same, this means that cookie is not altered otherwise it will return false value by meaning that cookie content has been altered and it’s in your hand to deal with that cookie.
The same cookie of form user_logged=true after is processed and saved from SafeCookie, it has this form: cookie(name: d688c4ccd7e20183b67f80d8816a2126, value: i1leWo1XUV1VgFCIS39UWEdKTlVLSEhBTUNEQHZyP0F7fntv) and it is very hard to figure out what this cookie is used for, but a user that has the passkey knows exactly what this cookie mean.
PHP 4.3 or greater recommended