SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 

perl-Session-Storage-Secure rpm build for : openSUSE Tumbleweed. For other distributions click perl-Session-Storage-Secure.

Name : perl-Session-Storage-Secure
Version : 1.0.0 Vendor : obs://build_opensuse_org/devel:languages:perl
Release : 1.1 Date : 2021-03-24 04:11:30
Group : Unspecified Source RPM : perl-Session-Storage-Secure-1.0.0-1.1.src.rpm
Size : 0.06 MB
Packager : (none)
Summary : Encrypted, expiring, compressed, serialized session data with integrity
Description :
This module implements a secure way to encode session data. It is primarily
intended for storing session data in browser cookies, but could be used
with other backend storage where security of stored session data is
important.

Features include:

* Data serialization and compression using Sereal

* Data encryption using AES with a unique derived key per encoded session

* Enforced expiration timestamp (optional)

* Integrity protected with a message authentication code (MAC)

The storage protocol used in this module is based heavily on at
http://www.cse.msu.edu/~alexliu/publications/Cookie/Cookie_COMNET.pdf by
Alex Liu and others. Liu proposes a session cookie value as follows:

user|expiration|E(data,k)|HMAC(user|expiration|data|ssl-key,k)

where

| denotes concatenation with a separator character
E(p,q) is a symmetric encryption of p with key q
HMAC(p,q) is a keyed message hash of p with key q
k is HMAC(user|expiration, sk)
sk is a secret key shared by all servers
ssl-key is an SSL session key

Because SSL session keys are not readily available (and SSL termination may
happen prior to the application server), we omit \'ssl-key\'. This weakens
protection against replay attacks if an attacker can break the SSL session
key and intercept messages.

Using \'user\' and \'expiration\' to generate the encryption and MAC keys was a
method proposed to ensure unique keys to defeat volume attacks against the
secret key. Rather than rely on those for uniqueness (with the unfortunate
side effect of revealing user names and prohibiting anonymous sessions), we
replace \'user\' with a cryptographically-strong random salt value.

The original proposal also calculates a MAC based on unencrypted data. We
instead calculate the MAC based on the encrypted data. This avoids an extra
step decrypting invalid messages. Because the salt is already encoded into
the key, we omit it from the MAC input.

Therefore, the session storage protocol used by this module is as follows:

salt|expiration|E(data,k)|HMAC(expiration|E(data,k),k)

where

| denotes concatenation with a separator character
E(p,q) is a symmetric encryption of p with key q
HMAC(p,q) is a keyed message hash of p with key q
k is HMAC(salt, sk)
sk is a secret key shared by all servers

The salt value is generated using Math::Random::ISAAC::XS, seeded from
Crypt::URandom.

The HMAC algorithm is \'hmac_sha256\' from Digest::SHA. Encryption is done by
Crypt::CBC using Crypt::Rijndael (AES). The ciphertext and MAC\'s in the
cookie are Base64 encoded by MIME::Base64 by default.

During session retrieval, if the MAC does not authenticate or if the
expiration is set and in the past, the session will be discarded.

RPM found in directory: /packages/linux-pbone/ftp5.gwdg.de/pub/opensuse/repositories/devel:/languages:/perl/openSUSE_Tumbleweed/noarch

Content of RPM  Changelog  Provides Requires

Download
ftp.icm.edu.pl  perl-Session-Storage-Secure-1.0.0-1.1.noarch.rpm
     

Provides :
perl(Session::Storage::Secure)
perl-Session-Storage-Secure

Requires :
perl(:MODULE_COMPAT_5.40.0)
perl(Crypt::CBC) >= 3.01
perl(Crypt::Rijndael)
perl(Crypt::URandom)
perl(Digest::SHA)
perl(MIME::Base64) >= 3.12
perl(Math::Random::ISAAC::XS)
perl(Moo)
perl(MooX::Types::MooseLike::Base) >= 0.16
perl(Sereal::Decoder) >= 4.005
perl(Sereal::Encoder) >= 4.005
perl(String::Compare::ConstantTime)
perl(namespace::clean)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1


Content of RPM :
/usr/lib/perl5/vendor_perl/5.40.0/Session
/usr/lib/perl5/vendor_perl/5.40.0/Session/Storage
/usr/lib/perl5/vendor_perl/5.40.0/Session/Storage/Secure.pm
/usr/share/doc/packages/perl-Session-Storage-Secure
/usr/share/doc/packages/perl-Session-Storage-Secure/CONTRIBUTING.mkdn
/usr/share/doc/packages/perl-Session-Storage-Secure/Changes
/usr/share/doc/packages/perl-Session-Storage-Secure/README
/usr/share/licenses/perl-Session-Storage-Secure
/usr/share/licenses/perl-Session-Storage-Secure/LICENSE
/usr/share/man/man3/Session::Storage::Secure.3pm.gz

 
ICM