[11042] in cryptography@c2.net mail archive
Re: crypto/web implementation tradeoffs
daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Jul 4 12:24:09 2002
Date: Thu, 04 Jul 2002 16:57:07 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: John Saylor <johns@worldwinner.com>
Cc: cryptography@wasabisystems.com

John Saylor wrote:
> Hi
>
> I'm passing some data through a web client [applet-like] and am planning
> on using some crypto to help ensure the data's integrity when the applet
> sends it back to me after it has been processed.
>
> The applet has the ability to encode data with several well known
> symmetric ciphers.
>
> The problem I'm having has to do with key management.
>
> Is it better to have the key encoded in the binary, or to pass it a
> plain text key as one of the parameters to the applet?
>
> I know that the way most cryptosystems work is that the security is in
> the key. But having a compiled-in key just seems like a time bomb that's
> going to go off eventually. Is it better to have a variable key passed
> in as data [i.e. not marked as "key"] or to have a static key that sits
> there and waits to be found.

If all you want to ensure is integrity, why are you using symmetric
encryption? Surely a keyed HMAC would make more sense?

Not that this changes your question. However, you haven't specified your
threat model, so I feel unable to answer.

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
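
Added example, not part of the original message or written by either poster: it illustrates the reply's point that encryption alone does not give integrity, while a keyed HMAC does. The key, the message and the toy XOR stream cipher are constructed for illustration, and where the key is stored (the original question) is left open, as in the thread.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"            # constructed sample key
MSG = b"score=0100;user=alice"           # constructed sample message

def keystream(key: bytes, n: int) -> bytes:
    # Toy keystream: SHA-256 over key || counter (illustration only).
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return out[:n]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def hmac_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def hmac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(hmac_tag(key, data), tag)

def flip(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # In-transit modification made without the key: XOR (old ^ new) into blob.
    delta = bytes(a ^ b for a, b in zip(old, new))
    patched = bytes(b ^ d for b, d in zip(blob[offset:offset + len(delta)], delta))
    return blob[:offset] + patched + blob[offset + len(delta):]

def demo():
    # Case 1: encryption only. The altered ciphertext decrypts without error.
    ct = flip(xor_crypt(KEY, MSG), 6, b"0100", b"9100")
    decrypted = xor_crypt(KEY, ct)
    # Case 2: cleartext plus HMAC tag. The same alteration fails verification.
    tag = hmac_tag(KEY, MSG)
    altered = flip(MSG, 6, b"0100", b"9100")
    return decrypted, hmac_ok(KEY, MSG, tag), hmac_ok(KEY, altered, tag)

if __name__ == "__main__":
    print(demo())
```

The receiver in case 1 has no signal that the data changed; in case 2 the tag check is that signal, but only as long as the party altering the data does not hold the key.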