From: Gabriel Lawrence (gabe_at_butterflysecurity.com)
Date: Thu Jul 11 2002 - 18:01:59 CDT
On Thu, 2002-07-11 at 10:42, Kalyan Varma wrote:
> 1. Encryption : We could always use encryption. Encrypt on one end and
> decrypt on the other end. But too many issues with that, and it could have performance
> issues
>
> 2. Hashing : Here's how you can use the good old md5 for the job.
>
> Let's say you are sending key1=value1&key2=value2
> Now just sign this using md5 (it's MD5(DATA+SECRET)). So basically do
> something like this sk=md5(value1+value2+secret)
>
> now send sk along with rest of the data ->
> key1=value1&key2=value2&sk=blah
>
> On the other end, take the values, add the secret, md5 it and then
> compare. That way no one can tamper with the parameters.
>
I think we've someone covered this one already... but the problem is if
you are using browsers you will have to do this in some fashion that is
under the control of the client... If you can't totally trust the
client, then you can't really trust that the client itself didn't do
something crazy with the data it's sending. Also, there is the problem
with distributing the secret that needs to be dealt with...
The big problem here is that you really just end up inventing some SSL
replacement that does the same thing as SSL and lose the capabilities
of using ssl acceleration, ssl terminators and such...
-gabe
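
An added example, not code from either post: a server-side Python sketch of the quoted sk=md5(value1+value2+secret) idea beside an HMAC-SHA256 variant that length-prefixes every field, showing why the unseparated concatenation cannot tell where one value ends and the next begins. The secret value and all function names are assumptions made for the illustration, and the secret stays on the server, so this only fits the case where the server issues the parameters and checks them when they come back.

```python
import hashlib
import hmac
from urllib.parse import urlencode, parse_qsl

SECRET = b"constructed-demo-secret"  # placeholder value; held server-side only


def md5_sk(values, secret=SECRET):
    """The scheme as quoted: sk = md5(value1 + value2 + secret)."""
    return hashlib.md5("".join(values).encode() + secret).hexdigest()


def _canonical(params):
    # Length-prefix every key and value so field boundaries are part of the MAC input.
    out = bytearray()
    for key, value in sorted(params.items()):
        for part in (key, value):
            raw = part.encode()
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def sign_query(params, secret=SECRET):
    """Server side: return a query string carrying an HMAC-SHA256 tag in sk."""
    tag = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    return urlencode({**params, "sk": tag})


def verify_query(query, secret=SECRET):
    """Server side: return the parameters if the tag matches, else None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):  # a repeated key is ambiguous: reject it
        return None
    tag = params.pop("sk", None)
    if tag is None:
        return None
    expected = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; a non-ASCII tag simply fails to match.
    return params if hmac.compare_digest(tag.encode(), expected.encode()) else None
```

With the quoted concatenation, the value pairs ("ab", "c") and ("a", "bc") produce the same sk; the length-prefixed HMAC gives them different tags.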