Free the mouse Replay HttpEncryptedQuery
Starting with GaeaSoftware version 4.3, the common HTTP argument parser supports encrypted query strings. Whether or not a query was encrypted is exposed to the handler; whether it matters is up to the handler. The HTTPFS handler requires encrypted query strings for activities on some exports; it's not yet known whether any of the other handlers require it (or forbid it). It's unlikely any forbid it, though, so it should be acceptable to simply always encrypt query strings in requests to a 4.3 system.

The encryption includes a timestamp, which is checked -- it needs to be within 40 seconds of the Replay's idea of the current time.

To create an encrypted query string, take the normal query string (the part of the URL after the '?'), encrypt it with ReplayEncryption with checksum #1, encode it as ASCII hex (i.e., printf("%02x", c[i]) for each byte), and pass that as the value of an __Q_ query variable.

That is, a full URL with an encrypted argument might look like:

http://192.168.117.3/httpfs-ls?__Q_=c6eaa023807b3220abee6df7ef743566bed09805d8b3cc745830ad1e771a2aac140ebf329790

The Replay query encrypter actually adds an extra mlg argument, prior to encrypting, with a value that's a random number (5-30) of random material; this is probably to confuse plaintext-only attacks on the encryption. Nothing seems to check for the existence of this argument.

The parameter parser's support for the __Q_ option is rather limited; it must be the only variable. If it's not the first argument, it won't be recognized. If there are any other arguments, they're taken as part of the ciphertext, which of course is then no longer valid. This is probably simply sloppy, but it makes it more complicated to write tools to support both 4.1 and 4.3 ReplayTVs.

-- ToddLarason - 10 Jun 2002
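
The hex encoding and the parser limits described above, as an added example that is not part of the original page or of any ReplayTV tool. The names build_q, parse_q and ts_fresh are hypothetical, the ReplayEncryption step is not implemented (the ciphertext is treated as opaque bytes), and rejecting on bad hex is an assumed model of how trailing arguments make the ciphertext invalid.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hex-encode already-encrypted bytes into "__Q_=<hex>". The ReplayEncryption
   step is not shown on this page, so the ciphertext is an opaque input here.
   Returns the string length, or -1 if out is too small. */
int build_q(const unsigned char *c, size_t n, char *out, size_t outsz) {
    if (outsz < 5 + 2 * n + 1) return -1;
    int off = sprintf(out, "__Q_=");
    for (size_t i = 0; i < n; i++)
        off += sprintf(out + off, "%02x", c[i]);
    return off;
}

/* Model of the parser limits described above (assumed behaviour, not device
   code): __Q_ is only recognized as the first variable, and everything after
   "__Q_=" is taken as ciphertext hex. Returns the decoded byte count,
   0 if the query is not recognized as encrypted, -1 if the hex is invalid. */
int parse_q(const char *query, unsigned char *out, size_t outsz) {
    if (strncmp(query, "__Q_=", 5) != 0) return 0;
    const char *h = query + 5;
    size_t len = strlen(h);
    if (len == 0 || len % 2 != 0 || len / 2 > outsz) return -1;
    for (size_t i = 0; i < len; i += 2) {
        unsigned v;
        if (!isxdigit((unsigned char)h[i]) || !isxdigit((unsigned char)h[i + 1]))
            return -1;              /* e.g. '&' from a trailing argument */
        sscanf(h + i, "%2x", &v);
        out[i / 2] = (unsigned char)v;
    }
    return (int)(len / 2);
}

/* 40-second window check; treating exactly 40 as acceptable is an assumption. */
int ts_fresh(long ts, long now) {
    long d = now > ts ? now - ts : ts - now;
    return d <= 40;
}

int main(void) {
    const unsigned char ct[] = {0xc6, 0xea, 0x00, 0x0f};  /* constructed sample */
    unsigned char back[16];
    char q[64];
    build_q(ct, sizeof ct, q, sizeof q);
    printf("%s -> %d bytes\n", q, parse_q(q, back, sizeof back));
    printf("%s&a=1 -> %d\n", q, parse_q("__Q_=c6ea000f&a=1", back, sizeof back));
    printf("a=1&%s -> %d\n", q, parse_q("a=1&__Q_=c6ea000f", back, sizeof back));
    return 0;
}
```

A tool that has to talk to both 4.1 and 4.3 units can use the same rule in reverse: send either plain arguments or a lone __Q_, never a mix.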



Attachment: diff.txt | Size: 5837 | Date: 19 Jun 2002 - 07:44 | Who: ToddLarason | Comment: SwapDV 0.7 patch (ugly code, but works)

Revision r1.4 - 01 Apr 2003 - 04:30 GMT - TWikiGuest
Copyright © 2001 by the contributing authors. All material on this collaboration tool is the property of the contributing authors.