How exposed is a user cookie with 64 bit encryption?

How could a hacker exploit a cookie encrypted with 64 bit encryption?

I suppose the entire cookie is encrypted so a hacker could run that cookie through his decryption program until it starts finding patterns which match the English language. Is this how a hacker would crack it?

Or are there key terms the software would be looking for?

How long could this process take and wouldn't he need a pretty high powered machine for that?

Conversely, what is the highest number of bits as the best practices alternative? And how long would it take that same PC to crack it?

Curious.

Thanks.
newbieweb (Sr. Software Engineer) asked:

Dave Baldwin (Fixer of Problems) commented:
Why are you putting things that need that kind of encryption in a cookie that is being stored in the user's browser where anyone who uses that computer can view it?
Dr. Klahn (Principal Software Engineer) commented:
Dave is correct.  64-bit encryption is well obsolete and can be cracked in reasonable time when modern CPUs and GPUs are thrown at it.  Less than $2000 will buy a very well equipped cracking farm of four multi-core systems with high-capability GPUs.

Example:  My old, tired XP system can crack 1.63 Gkeys/second of RC5-72.  If it was cracking RC5-64 it would probably be at least 8 times faster, or in the range of 2^35 keys per second.  At that rate, working alone, it would crack an RC5-64 key in 200 years, on the average.  That might sound like acceptable security, but that's just one old machine working all by itself.

[Image: RC5-72 key busting]
If an RC5-64 encrypted text was given to a black hat with a network of thousands of subverted computers, the answer would be back in less than a day.

If you are going to store this kind of information in a cookie, give it a very short lifetime of no more than one day.  But it would be far better to store that information back at the server, in a database where nobody but the server can get at it.
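The remedy the answer recommends, keeping the data on the server and giving the browser only a short-lived opaque id, as an added example (not code from the thread). The class name, the one-day TTL and the injectable clock are assumptions made for this illustration:

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 86400  # one-day lifetime, as the answer suggests (assumed value)


class ServerSessionStore:
    """Holds user data server-side; the cookie carries only an unguessable id."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable for testing expiry
        self._sessions = {}          # session id -> (expires_at, data)

    def create(self, data):
        # 32 random bytes = 256 bits: nothing to decrypt, nothing to brute-force
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (self._clock() + self._ttl, dict(data))
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        expires_at, data = entry
        if self._clock() >= expires_at:
            del self._sessions[sid]  # expired: drop it on first touch
            return None
        return data

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid, ttl=SESSION_TTL_SECONDS):
    """Set-Cookie value: short Max-Age, HttpOnly (no script access), Secure (HTTPS only)."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["max-age"] = ttl
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()
```

Whoever reads the cookie learns only a random token that stops working after a day; the preferences or credentials never leave the server.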

dbrunton (Quid, Me Anxius Sum?  Illegitimi non carborundum.) commented:
>>  How could a hacker exploit a cookie encrypted with 64 bit encryption?

Depends on where the encryption is.  Is it done by the browser or by the server?  What encryption scheme is being used?  64 bit doesn't mean anything if it is a weak encryption scheme.  And breaking a good encryption scheme is HARD and not a matter of feeding it into a powerful computer, that isn't going to work.

>>  I suppose the entire cookie is encrypted so a hacker could run that cookie through his decryption program until it starts finding patterns which match the English language.  Is this how a hacker would crack it?

Nope.  Really depends on what the cookie is holding.  If they are non-standard English phrases then the decryption program will find nothing.

>>  Or are there key terms the software would be looking for?

Again.  Depends on what the cookie is holding.  Could be passwords, login names, preferences, anything.  Depends on what the web site wants to save there.

>>  How long could this process take and wouldn't he need a pretty high powered machine for that?

Totally unknown.  He'd have to know the encryption scheme being used for starters ... 64 bit doesn't mean anything.

>>  Conversely, what is the highest number of bits as the best practices alternative?   And how long would it take that same PC to crack it?

How many bits would you like?  256, 512, 1024.  There's no limit.  Again it is not only the bits it is the encryption scheme as well.
newbieweb (Sr. Software Engineer), author, commented:
I like the use of a short lifespan as a temporary fix to this kind of exposure. Thanks.