crypto/web implementation tradeoffs
Ben Laurie
ben at algroup.co.uk
Thu Jul 4 11:57:07 EDT 2002

John Saylor wrote:
> Hi
>
> I'm passing some data through a web client [applet-like] and am planning
> on using some crypto to help ensure the data's integrity when the applet
> sends it back to me after it has been processed.
>
> The applet has the ability to encode data with several well known
> symmetric ciphers.
>
> The problem I'm having has to do with key management.
>
> Is it better to have the key encoded in the binary, or to pass it a
> plain text key as one of the parameters to the applet?
>
> I know that the way most cryptosystems work is that the security is in
> the key. But having a compiled-in key just seems like a time bomb that's
> going to go off eventually. Is it better to have a variable key passed
> in as data [i.e. not marked as "key"] or to have a static key that sits
> there and waits to be found.

If all you want to ensure is integrity, why are you using symmetric
encryption? Surely a keyed HMAC would make more sense?

Not that this changes your question. However, you haven't specified your
threat model, so I feel unable to answer.

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
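
Added example, not part of the original message: a Python sketch of the point raised in the reply, that encryption by itself does not detect modification while a keyed HMAC does. The toy keystream cipher is a constructed stand-in for any unauthenticated stream or CTR-mode cipher, the sample record and all function names are hypothetical, and it assumes the HMAC key stays with the party that both creates and verifies the tag.

```python
import hashlib
import hmac
import secrets


def toy_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (illustration only, not for deployment)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def make_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(key, data), tag)


def alter_in_transit(data: bytes, index: int, old: bytes, new: bytes) -> bytes:
    """Change bytes without knowing any key by XORing in (old ^ new) at index."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    patched = bytes(c ^ d for c, d in zip(data[index:], delta))
    return data[:index] + patched + data[index + len(delta):]


def demo() -> dict:
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    record = b"score=0100;user=42"  # constructed sample data
    # Encryption only: a modified ciphertext still decrypts without any error.
    ct = toy_stream_xor(key, nonce, record)
    tampered_ct = alter_in_transit(ct, 6, b"0100", b"9100")
    decrypted = toy_stream_xor(key, nonce, tampered_ct)
    # Keyed HMAC: the same change to the data makes verification fail.
    tag = make_tag(key, record)
    return {
        "decrypted": decrypted,
        "hmac_ok_original": verify_tag(key, record, tag),
        "hmac_ok_modified": verify_tag(key, b"score=9100;user=42", tag),
    }


if __name__ == "__main__":
    print(demo())
```

Where the key has to live, the question asked in the quoted message, is unchanged by this choice and still depends on the threat model.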