WebApp Sec mailing list archives

Using SSL private key for cookie's HMAC
From: Simon Zuckerbraun <szucker () sst-pr-1 com>
Date: Thu, 26 Aug 2004 23:42:36 -0500

I'm pondering a design question regarding a web application that is to operate over SSL. We want to include an HMAC in our cookies to prevent tampering. To produce an HMAC, the server must be configured with a private key.

Since the website operates with SSL, the server already *has* a private key available: the private key of its SSL certificate. Is there any harm in using this same private key for producing the HMACs as well?

Thanks,
Simon

