crypto question

Steve Furlong sfurlong at acmenet.net
Wed Mar 20 22:35:54 EST 2002


"McMeikan, Andrew" wrote:

> Question.  Is it possible to have code that contains a private encryption
> key safely?  Every way I look at it the answer seems no, yet some degree of
> safety might be possible by splitting an encrypting routine across several
> nodes.  Can someone give me a pointer to any work in this area?

I've reverse engineered passwords out of several apps. Often the PWs
were visible as plain text when the app was examined with a hex editor.
Once I had to "execute" the app on paper to find where the password was
fetched from, no decent debugger being available. (And what a
time-consuming pain that was, but necessary to recover client data.)

I can't think of any secure way to do what you want, "secure" being
defined as "as secure as not doing that", unless you have secure
hardware the way MPAA, RIAA, and Sen Hollings (D-Disney) want. By
spreading the key among modules you could probably raise the
reverse-engineering cost, in effort and time, to the point where no one
would bother to do it. Just don't trust any really important data to
that.



-- 
Steve Furlong    Computer Condottiere   Have GNU, Will Travel

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.  -- George Bernard Shaw

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
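
An added example, not part of the original post or the list archive: a pre-release audit that checks whether a key the developer already knows is present in a build artifact, either verbatim, hex- or base64-encoded, or split across two places in the way the post describes. The XOR sharing scheme, the artifact bytes, the key and all function names are assumptions constructed for illustration.

```python
from __future__ import annotations
import base64
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def find_embedded_key(artifact: bytes, key: bytes) -> list[tuple[str, int]]:
    """(encoding, offset) for each verbatim or trivially encoded copy of key."""
    needles = {"raw": key, "hex": key.hex().encode(),
               "base64": base64.b64encode(key)}
    hits = []
    for name, needle in needles.items():
        pos = artifact.find(needle)
        while pos != -1:
            hits.append((name, pos))
            pos = artifact.find(needle, pos + 1)
    return hits

def find_xor_split(artifact: bytes, key: bytes) -> list[tuple[int, int]]:
    """(offset_a, offset_b) for window pairs that XOR back to key."""
    n = len(key)
    # Index every n-byte window once so each lookup below is a dict hit.
    windows: dict[bytes, list[int]] = {}
    for i in range(len(artifact) - n + 1):
        windows.setdefault(artifact[i:i + n], []).append(i)
    pairs = []
    for i in range(len(artifact) - n + 1):
        partner = xor(artifact[i:i + n], key)  # share that would complete window i
        pairs += [(i, j) for j in windows.get(partner, []) if i < j]
    return pairs

# Constructed sample data: a demo key and two fake build artifacts.
KEY = hashlib.sha256(b"constructed demo key").digest()
SHARE_A = hashlib.sha256(b"constructed share").digest()
SHARE_B = xor(KEY, SHARE_A)
PLAIN_BUILD = b"\x7fELF" + b"\x00" * 12 + b"init\x00" + KEY + b"\x00" * 8
SPLIT_BUILD = (b"\x7fELF" + b"\x00" * 12 + SHARE_A + b"module-two\x00"
               + SHARE_B + b"\x00" * 8)

if __name__ == "__main__":
    print("plain build:", find_embedded_key(PLAIN_BUILD, KEY))
    print("split build, verbatim:", find_embedded_key(SPLIT_BUILD, KEY))
    print("split build, XOR pairs:", find_xor_split(SPLIT_BUILD, KEY))
```

The split build passes the verbatim check, but the second pass still pairs the two shares, because both have to ship inside the artifact.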


