WebApp Sec: Re: Question on input validation

[Alex Russell <alex () netWindows org>]

On Wednesday 24 September 2003 08:48, Scovetta, Michael V wrote:
> You can certainly and and receive a salted hash of the expected (static)
> data, but for user-defined input, you can't hash on the client side (the
> strength of the hash is the secret salt).
Just to disambiguate, I think there are 2 questions here:

1.) I want to avoid the expense of input validation for values I already know. 
Can I use a hash/MAC to do this?
2.) I want to present a token to a user which grants him/her access to a 
resource without having to specify/verify a path to the resource or 
recalculate access perms for each view of the resource.

The answer to (1) is "yes", and there's no need to ever send the hash to the 
client or require the client to re-calculate said hash (implying a secret 
sharing scheme...ick). The reasons and advantages to this are easy to work 
out.

As for (2), I think what Noah is looking for is a system known as 
"capabilities". Capabilities provide both authorization and namespace lookup 
based on a one-time authorization computation. Subsequent request for a 
resource just present the capability for the resource and if the capability 
is still valid (the resource's "name" hasn't changed), then other auth steps 
are skipped. Capabilities can take up very little space and are quite quick 
to compute. I'm not an expert on them, but there is some literature that 
helps explain them. The classic among these seems to be "The Confused 
Deputy":

http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html

You could try CiteSeer for more.

Regards.

-- 
Alex Russell
alex () burstlib net    BD10 7AFC 87F6 63F9 1691 83FA 9884 3A15 AFC9 61B7
alex () netWindows org  F687 1964 1EF6 453E 9BD0 5148 A15D 1D43 AB92 9A46