On Dec 31, 2004, at 11:05 AM, LMSpam at neuropop dot com wrote:
> My server is an RB app using a ServerSocket as the way in... If I
> recall, ServerSocket can't listen in SSL mode...?
I haven't had the need to use SSLSockets yet, so I don't know. But I
am sure it is possible somehow.
> Never used rotating keys... Would the theory be to use the session ID
> as an encryption key? I'm already compressing the data, so that
> wouldn't be a stretch to add.
Well, what I was thinking was more like a Random Number between 0 and
65535. Then you combine this with a secret phrase such as:
Rndnumber = Rand.InRange(0, 65535)
eKey = Md5(Str(Rndnumber) + "mySecretPhrase")
Then you just include the random number with the encrypted data so that
your server can decrypt it. Of course, this is one of the easiest
encryption schemes to break, but it would be better than no encryption at
all.
You can use the SessionID in the encryption key, but you would have to
make sure that it is sent in plain-text, otherwise the server will not
be able to decrypt the message. You should not use only the SessionID
to encrypt the data since the key would always be the same. Using both a
Random Number and the Session ID would mean that the encryption scheme
would only be good for that session.
There are other tricks that you can do which are more secure, but more
prone to errors...
RotatedNumber = ((RotatedNumber Mod 1257) * 9) + 391
eKey = Md5(Str(RotatedNumber) + "mySecretPhrase")
The rotated number is never sent in the message, so the server needs to
calculate it. But if you ever lose a packet, the server and client
will be out-of-sync so you will need to have the server send the client
a reset command and resend the message.
If you are already compressing the data then it helps since it is
already not in plain text.
There are other tricks besides encryption to make sure your network
messages are not being tampered with. You can include a checksum
(calculated with a secret formula) in the message and make sure it
matches the data before the server processes the message. Here is an
example:
checksum = "<sum>" + Md5(message + "mySecretPhrase") + "</sum>"
message = message + checksum
Search the archives of this list here:
<http://support.realsoftware.com/listarchives/lists.html>
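The "<sum>" tag-and-verify scheme from the last paragraph, written out as an added Python example (not REALbasic and not code from the list): it includes the server-side check the mail leaves implicit, uses a constant-time compare, and adds an HMAC-SHA256 tag function as the hardened alternative to a bare MD5 over message + secret. The secret phrase and the messages are constructed demo values.

```python
import hashlib
import hmac

SECRET = "mySecretPhrase"  # constructed shared secret, as in the mail


def tag_md5(message: str, secret: str) -> str:
    """The mail's checksum: MD5(message + secret), hex encoded."""
    return hashlib.md5((message + secret).encode()).hexdigest()


def tag_hmac(message: str, secret: str) -> str:
    """Hardened form: a proper keyed MAC instead of hash(message + secret)."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def seal(message: str, secret: str = SECRET, tag_fn=tag_md5) -> str:
    """Client side: message + "<sum>" + checksum + "</sum>"."""
    return message + "<sum>" + tag_fn(message, secret) + "</sum>"


def open_message(tagged: str, secret: str = SECRET, tag_fn=tag_md5):
    """Server side: split off the trailing tag, recompute it over the payload,
    and return the payload only if the tag matches; otherwise return None so
    the caller drops the message before processing it."""
    payload, sep, tail = tagged.rpartition("<sum>")
    if not sep or not tail.endswith("</sum>"):
        return None  # malformed or untagged message
    received = tail[: -len("</sum>")]
    # compare_digest rejects different-length tags and does not leak
    # through timing which character mismatched first
    if not hmac.compare_digest(received, tag_fn(payload, secret)):
        return None
    return payload


if __name__ == "__main__":
    wire = seal("MOVE 10 20")            # what the client sends
    print(open_message(wire))            # MOVE 10 20
    print(open_message(wire.replace("10", "99")))  # None: tampered payload
    print(open_message("MOVE 10 20"))    # None: no checksum at all
    wire2 = seal("MOVE 10 20", tag_fn=tag_hmac)
    print(open_message(wire2, tag_fn=tag_hmac))    # MOVE 10 20
```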