
Incorporating HMAC - Web Development

  • 0:00 - 0:03
    This is our old code. I want to demonstrate the vulnerability
  • 0:03 - 0:05
    in our old code so we can make sure we fixed
  • 0:05 - 0:07
    it. This is the old code running here and if we
  • 0:07 - 0:10
    were to take a look at this, we're going to modify our
  • 0:10 - 0:14
    cookie: document.cookie. That is the value. Let's say we want to set this to
  • 0:14 - 0:19
    visits to 10,001. First we need to find what the hash of 10,001 is. We can use
  • 0:19 - 0:24
    Python for that. Let's go ahead and try that real quick. import hashlib,
  • 0:24 - 0:31
    hashlib.md5("10001").hexdigest(),
  • 0:31 - 0:33
    okay. We'll take this value here. Let's
  • 0:33 - 0:35
    take that with us into our browser. We're
  • 0:35 - 0:41
    forging cookies here. So we're going to say document.cookie
  • 0:41 - 0:45
    equals visits equals 10,001, pipe, our new
  • 0:45 - 0:52
    hash value. Now when we reload this page, we are the best ever. But we're
  • 0:52 - 0:54
    not the best ever, we just cheated. Okay,
  • 0:54 - 0:56
    so, let's incorporate the new functions we just
  • 0:56 - 0:58
    wrote into our code. So here we are in
  • 0:58 - 1:03
    our editor, and I've plopped in our new function. We're
  • 1:03 - 1:05
    going to move secret out of the way. We are going
  • 1:05 - 1:09
    to pretend it is actually in another module that you
  • 1:09 - 1:14
    don't publish or share. And now our functions should be
  • 1:14 - 1:17
    as good as new. Let's try this, let's try this
  • 1:17 - 1:18
    out in our browser. So here we are in our
  • 1:18 - 1:22
    browser, we have dropped in a new hashing function so
  • 1:22 - 1:24
    our old cookies are going to become invalid and when we
  • 1:24 - 1:27
    reload the page you can see we've been here one time.
  • 1:28 - 1:32
    If we were to inspect the cookie, document.cookie, we see that
  • 1:32 - 1:35
    we have this cookie. Now, it's got the same format as
  • 1:35 - 1:37
    the previous cookie, except this one is very hard to forge.
  • 1:37 - 1:40
    Without knowing that secret, all we can do is guess
  • 1:40 - 1:44
    at the hash. And that's, you know, the property of the
  • 1:44 - 1:47
    hashing algorithms is that that is basically impossible to get correct.
  • 1:47 - 1:51
    So if I were to modify this cookie, document.cookie
  • 1:51 - 1:56
    equals visits equals 10001, I mean, what value do we
  • 1:56 - 1:58
    even put in here. I mean we can iterate over,
  • 1:58 - 2:01
    you know, every possible hash and just kind of guess at
  • 2:01 - 2:03
    it and maybe get lucky. But we'd have to get
  • 2:03 - 2:06
    extraordinarily lucky. You see, I reloaded the page and it reset down
  • 2:06 - 2:09
    to one. When I say extraordinarily lucky, I mean we'd have
  • 2:09 - 2:12
    to, you know, take more time than there are, you know,
  • 2:12 - 2:15
    atoms in the universe to figure it out. So, that's
  • 2:15 - 2:17
    not going to work in our favor. Okay, so that's pretty
  • 2:17 - 2:19
    cool. I just want to summarize that algorithm so it's
  • 2:19 - 2:22
    clear what we did. Instead of setting the cookie visits
  • 2:22 - 2:26
    equals 1, which can be easily forged, and instead of setting the cookie visits
  • 2:26 - 2:32
    equals 1 and then the md5 of 1, which can also be
  • 2:32 - 2:37
    easily forged if you know that we're using md5, we instead set
  • 2:37 - 2:42
    it to visits equals 1 pipe HMAC(secret, 1). And
  • 2:42 - 2:45
    as long as we keep this secret secret, they can know our
  • 2:45 - 2:47
    algorithm, they can know what we're doing, they can even see
  • 2:47 - 2:51
    our code and they won't be able to forge invalid cookies, which
  • 2:51 - 2:54
    is a pretty neat property. We use this all the time
  • 2:54 - 2:55
    because imagine if we're not counting visits,
  • 2:55 - 2:57
    but are instead counting
  • 2:57 - 3:00
    user IDs. It would be a real big problem, you know?
  • 3:00 - 3:03
    If I'm logged into, you know, my mail, my Gmail, and
  • 3:03 - 3:06
    I've got a cookie that identifies, you know, who I am, if somebody
  • 3:06 - 3:11
    could just say, well, you know, my user ID is Steve's user ID,
  • 3:11 - 3:13
    and then, if he logged into my email, that would be a very
  • 3:13 - 3:17
    big problem. So, that's why you do things like this. This prevents people from
  • 3:17 - 3:20
    forging your cookie. And also, it saves you some effort validating on the
  • 3:20 - 3:23
    server side, because if this doesn't validate, you don't have to check to
  • 3:23 - 3:26
    see if the string is all digits and that sort of stuff because
  • 3:26 - 3:28
    you know, it came from you, you know what you set it to, and
  • 3:28 - 3:31
    that makes your life a little simpler. So this is a really
  • 3:31 - 3:35
    popular strategy we're going to use for all sorts of things in this class.
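The scheme the lecture walks through, written out as an added example (this is not the course's own code): the forgeable value|md5(value) cookie, the forgery the lecture performs in the browser console, and the value|HMAC(secret, value) replacement with a server-side check that resets the counter when the cookie fails to validate. The secret is a constructed placeholder, SHA-256 is this example's choice of underlying hash (the lecture's hash_str uses hashlib's default), and hmac.compare_digest is used for the comparison so the check does not leak how much of a guessed digest matched.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple

# Constructed for this example. In a real app the secret lives in a module or
# config file you never publish; rotating it invalidates every old cookie.
SECRET = b"replace-me-with-a-long-random-secret"


# --- The "old code": value|md5(value). Anyone who knows md5 is in use can forge it.

def make_md5_cookie(visits: int) -> str:
    digest = hashlib.md5(str(visits).encode()).hexdigest()
    return f"{visits}|{digest}"


def check_md5_cookie(cookie: str) -> Optional[str]:
    value, _, digest = cookie.partition("|")
    return value if hashlib.md5(value.encode()).hexdigest() == digest else None


def forge_md5_cookie(visits: int) -> str:
    # Attacker side, no secret needed: what the lecture does by computing
    # hashlib.md5("10001").hexdigest() in Python and pasting it into document.cookie.
    return f"{visits}|{hashlib.md5(str(visits).encode()).hexdigest()}"


# --- The fix: value|HMAC(secret, value). Knowing the algorithm is not enough.

def hash_str(s: str, secret: bytes = SECRET) -> str:
    # SHA-256 is this example's choice; the security comes from the keyed MAC.
    return hmac.new(secret, s.encode(), hashlib.sha256).hexdigest()


def make_secure_val(value: str) -> str:
    return f"{value}|{hash_str(value)}"


def check_secure_val(secure_val: str) -> Optional[str]:
    value, sep, digest = secure_val.partition("|")
    if not sep:
        return None
    # Constant-time comparison over bytes: the digest half is attacker-controlled.
    expected = hash_str(value).encode()
    return value if hmac.compare_digest(expected, digest.encode()) else None


def forge_secure_val(visits: int, guessed_secret: bytes) -> str:
    # Attacker side: same algorithm, same code, but they must guess the key.
    return f"{visits}|{hash_str(str(visits), guessed_secret)}"


# --- Server side: turn whatever the browser sent into a trusted visit count.

def visits_from_cookie(cookie: Optional[str],
                       checker: Callable[[str], Optional[str]]) -> int:
    """Return the validated visit count, or 0 when the cookie is missing,
    malformed, or fails its integrity check (so the page "resets down to one"
    on the next increment)."""
    if not cookie:
        return 0
    value = checker(cookie)
    if value is None or not value.isdecimal():
        return 0
    return int(value)


def handle_request(cookie: Optional[str]) -> Tuple[int, str]:
    """One page load: increment the validated count and return
    (visits, new value to set in the visits cookie)."""
    visits = visits_from_cookie(cookie, check_secure_val) + 1
    return visits, make_secure_val(str(visits))
```

Pass the raw value of the visits cookie to handle_request and set the returned string back as the cookie; a cookie carrying an md5 digest, a digest computed under a guessed secret, or a value swapped under a valid digest all come back as a count of 0 and are re-issued as visits=1.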
Title:
Incorporating HMAC - Web Development
Description:

Video Language:
English
Team:
Udacity
Project:
CS253 - Web Development
Duration:
03:36

English subtitles
