Apache-SecSess
uid => string: user ID
timestamp => integer: time stamp from time(),
qop => integer: session quality of protection,
authqop => integer: user authentication quality of protection
}
See the source code of Wrapper.pm for details of how the hash is converted
into a string.
The encryption function E_k is currently not very configurable. It is
Rijndael (AES) in CBC mode with IV=0. It is well known that CBC mode on its
own provides no integrity protection and is vulnerable to forgeries, so a
cryptographic checksum is prepended to the plaintext, as indicated.
The secret key k must be shared by all hosts or web servers that use the same
realm. Without the secret key, it should be cryptographically infeasible to
produce credentials in which the hash and checksum match. It should
therefore be cryptographically infeasible for anyone to forge credentials or
alter them in any way.
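The construction described above, as an added example (not Apache-SecSess's own code): it reuses the key crunching from Wrapper.pm's new() and shows altered or wrong-key credentials being rejected. The MD5 checksum, the padding, the credential string and the passphrases are assumptions made for this sketch; Wrapper.pm's actual format may differ.

```perl
use strict;
use warnings;
use Crypt::Rijndael;
use Digest::MD5 qw(md5);

# Key crunching as in Wrapper.pm's new(): two MD5 digests form a 32-byte key.
sub make_cipher {
    my ($passphrase) = @_;
    return Crypt::Rijndael->new(
        pack('a16 a16', md5('1' . $passphrase), md5('2' . $passphrase)),
        Crypt::Rijndael::MODE_CBC()
    );
}

# Assumed layout (not taken from Wrapper.pm): MD5(plaintext) . plaintext,
# padded to a 16-byte multiple, then CBC-encrypted with an all-zero IV.
sub wrap {
    my ($cipher, $plaintext) = @_;
    my $body = md5($plaintext) . $plaintext;
    my $pad  = 16 - length($body) % 16;
    $cipher->set_iv("\0" x 16);
    return $cipher->encrypt($body . chr($pad) x $pad);
}

# Returns the plaintext, or undef when length, padding or checksum is wrong.
sub unwrap {
    my ($cipher, $token) = @_;
    return undef if length($token) < 32 || length($token) % 16;
    $cipher->set_iv("\0" x 16);
    my $body = $cipher->decrypt($token);
    my $pad  = ord(substr($body, -1));
    return undef if $pad < 1 || $pad > 16;
    my ($sum, $plaintext) = unpack('a16 a*', substr($body, 0, -$pad));
    return $sum eq md5($plaintext) ? $plaintext : undef;
}

my $cipher = make_cipher('constructed passphrase');
my $cred   = 'uid=alice;timestamp=1700000000;qop=128;authqop=128';    # constructed
my $token  = wrap($cipher, $cred);

# One flipped bit in the last ciphertext block, as in a corrupted or altered cookie.
my $altered = $token;
substr($altered, -1, 1, substr($altered, -1) ^ "\x01");
my %cases = (intact => [$cipher, $token], altered => [$cipher, $altered],
             'other key' => [make_cipher('a different realm key'), $token]);
for my $name (sort keys %cases) {
    my $ok = defined unwrap(@{ $cases{$name} });
    printf "%-9s %s\n", $name, $ok ? 'accepted' : 'rejected';
}
```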
SecSess/Wrapper.pm
    sub new {
        my($class, $method, $keyarg) = @_;

        # derive key from argument
        my $key = $class->_initkey($method, $keyarg);

        # crunch key and instantiate cipher object
        my $cipher = Crypt::Rijndael->new(
            pack('a16 a16', md5('1'.$key), md5('2'.$key)),
            Crypt::Rijndael::MODE_CBC
        );

        return bless({cipher => $cipher}, $class);
    }

    #
    # How to make the key from a key argument.  Two methods defined:
    #   1. $class->new(key => 'passphrase') passes key directly
    #   2. $class->new(file => 'filename') takes first line as key
    #
    sub _initkey {