
WebApp Sec mailing list archives

Using SSL private key for cookie's HMAC
From: Simon Zuckerbraun <szucker () sst-pr-1 com>
Date: Thu, 26 Aug 2004 23:42:36 -0500

I'm pondering a design question regarding a web application that is to operate over SSL. We want to include an HMAC in our cookies to prevent tampering. To produce an HMAC, the server must be configured with a private key.

Since the website operates with SSL, the server already *has* a private key available: the private key of its SSL certificate. Is there any harm in using this same private key for producing the HMACs as well?
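
The cookie HMAC described in this post, as an added example that is not part of the original message. It assumes a dedicated random MAC key generated for this purpose only (HMAC takes a symmetric secret, not an asymmetric key pair); `COOKIE_MAC_KEY`, `sign_cookie` and `verify_cookie` are hypothetical names.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a 256-bit secret created only for cookie MACs and kept server-side.
COOKIE_MAC_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(name: str, payload: bytes, key: bytes) -> bytes:
    # Length-prefix the cookie name so a tag issued for one cookie cannot be
    # replayed under another name or re-split into a different (name, value).
    name_b = name.encode("utf-8")
    msg = len(name_b).to_bytes(2, "big") + name_b + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_cookie(name: str, value: str, key: bytes = COOKIE_MAC_KEY) -> str:
    """Return 'value_b64.tag_b64' where the tag covers the name and the value."""
    payload = value.encode("utf-8")
    return f"{_b64(payload)}.{_b64(_mac(name, payload, key))}"


def verify_cookie(name: str, cookie: str, key: bytes = COOKIE_MAC_KEY):
    """Return the original value, or None if the cookie is malformed or altered."""
    try:
        value_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(value_b64), _unb64(tag_b64)
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, _mac(name, payload, key)):
            return None
        return payload.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
```

The MAC only detects tampering: the value is still readable by the client, and a captured cookie stays valid until the application expires it or the key is rotated.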

