On 31/07/06, Jon Anderson <[EMAIL PROTECTED]> wrote:
Jay Blanchard wrote:
> Yes, but that shouldn't matter. The algorithms for RSA, AES, etc, etc
> are all publicly available, why bother hiding their JavaScript
> implementations? Only the data would be encrypted.
> [/snip]
>
> So, you're suggesting that you can use Ajax or some other mechanism to
> hide the key on the server?
>
There's no "hiding". You could use a secure key exchange mechanism, such
as Diffie-Hellman.

Diffie-Hellman is used to generate a shared key between two hosts (say
"A" and "B") such that each host knows the key, but any third party
listening in on the information is unable to trivially reconstruct the key.

See: http://en.wikipedia.org/wiki/Diffie-Hellman

How about if the third party can control one side of the transaction
by altering the JavaScript that implements it while in transit - for
instance by adding a couple of lines that transmit the key to the
third party after the key exchange?

-robin

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
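
The exchange Jon Anderson describes, together with the in-transit alteration robin asks about, as an added example that is not part of the thread. The toy-sized prime, the fixed private exponents and the names `makeHost` and `exchange` are assumptions made for illustration; real use needs a 2048-bit or larger group and random exponents.

```javascript
// Added example, not code from the thread. Parameters are constructed for the demo.
const P = 2n ** 127n - 1n; // a Mersenne prime; far too small for real use
const G = 3n;

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// A host keeps `secret` to itself and sends only `pub` over the wire.
function makeHost(secret) {
  return {
    pub: modPow(G, secret, P),
    agree: (peerPub) => modPow(peerPub, secret, P),
  };
}

// One exchange between hosts A and B. `network` models the path between
// them: the default delivers each public value unchanged.
function exchange(secretA, secretB, network = (value) => value) {
  const a = makeHost(secretA);
  const b = makeHost(secretB);
  const wire = { p: P, g: G, A: a.pub, B: b.pub }; // all a listener sees
  const keyA = a.agree(network(wire.B));
  const keyB = b.agree(network(wire.A));
  return { wire, keyA, keyB };
}

// Fixed exponents so the run is reproducible (constructed values).
const SECRET_A = 2n ** 61n - 1n;
const SECRET_B = 2n ** 89n - 1n;

// Passive listener: both hosts derive the same key, and only p, g, A, B
// ever crossed the wire.
const honest = exchange(SECRET_A, SECRET_B);

// Content changed in transit: A completes the exchange without any error,
// but the key it holds is shared with whoever supplied the value it
// received. The exchange authenticates nothing by itself.
const other = makeHost(SECRET_B + 1n);
const altered = exchange(SECRET_A, SECRET_B, () => other.pub);
```

The second run is why the exchange, and the script that performs it, have to arrive over a channel that is already authenticated, such as HTTPS.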
