On Sat, 2005-10-08 at 14:09 -0700, Paul Rubin wrote:
> rbt <[EMAIL PROTECTED]> writes:
> > Off-topic here, but you've caused me to have a thought... Can hmac be
> > used on untrusted clients? Clients that may fall into the wrong hands?
> > How would one handle message verification when one cannot trust the
> > client? What is there besides hmac? Thanks, rbt
>
> I don't understand the question. HMAC requires that both ends share a
> secret key; does that help?

That's what I don't get. If both sides have the key... how can it be 'secret'? All one would have to do is look at the code on any of the clients and they'd then know everything, right?

> What do you mean by verification?

I'm trying to keep script kiddies from tampering with a socket server. I want the server to only load a valid or verified string into its log database and to discard everything else. Strings could come to the socket server from anywhere on the Net from any machine. This is outside my control. What is there to prevent a knowledgeable person from finding the py code on a client computer, understanding it and then being able to forge a string that the server will accept? Does that make sense?

--
http://mail.python.org/mailman/listinfo/python-list
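
The shared-key property discussed in this message, as an added example that is not part of the original thread: the server's HMAC check proves possession of a key, so a key read out of a client's code produces tags the server accepts. The per-client keys, the revocation set, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample keys (assumption): one per client, known to the server
# and embedded in that client's code.
CLIENT_KEYS = {"client-a": b"constructed-key-a", "client-b": b"constructed-key-b"}

def sign(client_id, key, message):
    """Client side: HMAC-SHA256 over the client id and the log string."""
    data = client_id.encode() + b"\x00" + message
    return hmac.new(key, data, hashlib.sha256).digest()

def server_accepts(client_id, message, tag, revoked=frozenset()):
    """Server side: accept only if the tag matches this client's key."""
    key = CLIENT_KEYS.get(client_id)
    if key is None or client_id in revoked:
        return False
    expected = sign(client_id, key, message)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, tag)

def demo():
    msg = b"disk usage 81%"
    tag = sign("client-a", CLIENT_KEYS["client-a"], msg)
    copied = b"constructed-key-a"  # the key as read from client-a's code
    fake = b"made-up entry"
    return {
        # Honest client: accepted.
        "genuine": server_accepts("client-a", msg, tag),
        # Message altered in transit without the key: rejected.
        "tampered": server_accepts("client-a", b"disk usage 10%", tag),
        # Whoever holds client-a's key can sign anything as client-a.
        "copied_key": server_accepts(
            "client-a", fake, sign("client-a", copied, fake)),
        # Per-client keys limit the damage: the copied key fails as client-b.
        "copied_key_as_b": server_accepts(
            "client-b", fake, sign("client-b", copied, fake)),
        # The server can stop trusting one exposed key without rekeying all.
        "after_revocation": server_accepts(
            "client-a", msg, tag, revoked={"client-a"}),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} accepted={accepted}")
```
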