Robb Shecter wrote:
> "Preston L. Bannister" wrote:
>
> > I dislike the idea so much that I don't use basic authentication.
> > Instead I send a small applet that encrypts the username/password before
> > sending it back to the server.
> >
>
> I assume that you either encrypt using a public key protocol, with the
> server's public key, or possibly use a (DL?) key exchange protocol to come up
> with a symmetric session password?
>
> I've been planning to do this, but so far haven't found any small applet-size
> crypto libraries.
>
> - Robb
>
I recall that there has been lots of discussion about this sort of thing in
the archives and I think one of the salient points was that there is no point
simply encrypting network traffic of the username/password as a spy could simply
catch the whole encrypted password and use it to log in. The encryption would
have to be unique every time and this at some stage requires a key exchange
either every time or initially as a seed value as in secure shell login.
Either way, why not have the forced login redirect/forward to a secure login
page (HTTPS) as this technology already exists and is known to work well. It
is really easy to mess up encryption.
Karl
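Karl's replay point can be shown concretely. The block below is an added example, not code from anyone in this thread: it models the applet design he warns about (the client always sends the same protected form of the credential, so a recorded login is accepted again) next to a challenge-response login where the server issues a random single-use nonce and checks HMAC(key, nonce). The username, password, salt and the `StaticTokenServer`/`ChallengeResponseServer` classes are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential and salt for the demo; a real server would use a
# random per-user salt and would never keep the plaintext password.
USERNAME = "alice"
PASSWORD = b"correct horse battery"
SALT = b"demo-salt-constructed"


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Password-derived key shared by client and server (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


class StaticTokenServer:
    """The design Karl warns about: the applet always transmits the same
    protected form of the credential, so the server cannot tell a live client
    from a recording of an earlier login."""

    def __init__(self):
        self.verifiers = {USERNAME: derive_key(PASSWORD, SALT)}

    def login(self, user: str, token: bytes) -> bool:
        expected = self.verifiers.get(user, b"")
        return hmac.compare_digest(expected, token)


def static_client_token(password: bytes) -> bytes:
    """What the static applet would send: identical bytes on every login."""
    return derive_key(password, SALT)


class ChallengeResponseServer:
    """Per-login freshness: the server hands out a random, single-use nonce and
    expects HMAC(key, nonce) back. A captured response is useless because its
    nonce is consumed on first use and the next login gets a different nonce."""

    def __init__(self):
        self.verifiers = {USERNAME: derive_key(PASSWORD, SALT)}
        self.pending = {}  # user -> set of outstanding nonces

    def issue_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.setdefault(user, set()).add(nonce)
        return nonce

    def login(self, user: str, nonce: bytes, response: bytes) -> bool:
        outstanding = self.pending.get(user, set())
        if nonce not in outstanding:
            return False            # unknown or already-used nonce: replay stops here
        outstanding.discard(nonce)  # single use, consumed even if the response is wrong
        key = self.verifiers.get(user)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: bytes, nonce: bytes) -> bytes:
    """Applet side: prove knowledge of the password without sending it."""
    key = derive_key(password, SALT)
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run both designs against a recorded login and report what each accepts."""
    static = StaticTokenServer()
    recorded = static_client_token(PASSWORD)          # what an eavesdropper would see
    static_first = static.login(USERNAME, recorded)
    static_replay = static.login(USERNAME, recorded)  # same bytes, accepted again

    cr = ChallengeResponseServer()
    nonce = cr.issue_challenge(USERNAME)
    resp = client_response(PASSWORD, nonce)
    cr_first = cr.login(USERNAME, nonce, resp)
    cr_replay = cr.login(USERNAME, nonce, resp)       # nonce consumed: rejected
    next_nonce = cr.issue_challenge(USERNAME)
    cr_wrong_pw = cr.login(USERNAME, next_nonce, client_response(b"guess", next_nonce))

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "cr_first": cr_first,
        "cr_replay": cr_replay,
        "cr_wrong_password": cr_wrong_pw,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two caveats worth keeping in mind when reading the output: the challenge-response variant only protects the credential exchange, and the server still holds a password-equivalent verifier (the derived key) that must be guarded as carefully as a password hash. Everything after login still travels in the clear unless the connection itself is protected, which is exactly why Karl's suggestion of redirecting to an HTTPS login page is the simpler and safer choice.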
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html