"McMeikan, Andrew" wrote: > Question. Is it possible to have code that contains a private encryption > key safely? Every way I look at it the answer seems no, yet some degree of > safety might be possible by splitting an encrypting routine across several > nodes. Can someone give me a pointer to any work in this area?
I've reverse engineered passwords out of several apps. Often the PWs were visible as plain text when the app was examined with a hex editor. Once I had to "execute" the app on paper to find where the password was fetched from, no decent debugger being available. (And what a time-consuming pain that was, but necessary to recover client data.)

I can't think of any secure way to do what you want, "secure" being defined as "as secure as not doing that", unless you have secure hardware the way MPAA, RIAA, and Sen Hollings (D-Disney) want.

By spreading the key among modules you could probably raise the reverse-engineering cost, in effort and time, to the point where no one would bother to do it. Just don't trust any really important data to that.

-- 
Steve Furlong    Computer Condottiere    Have GNU, Will Travel

The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw

---------------------------------------------------------------------
The Cryptography Mailing List
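
An added illustration of the two points in the reply above (not code from the original post): a key stored verbatim shows up in a printable-string scan of the program image, while a key split into two XOR shares does not, yet the shares rejoin in one step. The key, the filler bytes and all function names are constructed for this example, and XOR sharing is an assumed stand-in for "spreading the key among modules".

```python
import re
import secrets

# Constructed sample: a made-up key and non-printable filler standing in for
# machine code. Nothing here comes from a real application.
KEY = b"CONSTRUCTED-KEY-0123456789"
FILLER = bytes(range(0x80, 0xA0))


def printable_runs(blob: bytes, min_len: int = 6) -> list[bytes]:
    """Runs of printable ASCII, i.e. what a hex editor or `strings` shows."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def key_visible(blob: bytes) -> bool:
    """True if the key appears verbatim in the printable text of the image."""
    return any(KEY in run for run in printable_runs(blob))


def xor_split(secret: bytes) -> tuple[bytes, bytes]:
    """Two shares; each alone looks random, XORed together they give the key."""
    pad = secrets.token_bytes(len(secret))
    return pad, bytes(s ^ p for s, p in zip(secret, pad))


def xor_join(a: bytes, b: bytes) -> bytes:
    """Recombine two shares into the original secret."""
    return bytes(x ^ y for x, y in zip(a, b))


def image_with_plain_key() -> bytes:
    """Constructed image with the key embedded as a plain C-style string."""
    return FILLER + KEY + b"\x00" + FILLER


def image_with_split_key() -> tuple[bytes, bytes, bytes]:
    """Constructed image with the two shares stored in separate places."""
    a, b = xor_split(KEY)
    return FILLER + a + FILLER + b + FILLER, a, b


if __name__ == "__main__":
    print("plain key visible:", key_visible(image_with_plain_key()))
    image, a, b = image_with_split_key()
    print("split key visible:", key_visible(image))
    # The program itself must do this join before it can use the key, so the
    # key still exists in the running code; splitting only adds work.
    print("rejoined equals key:", xor_join(a, b) == KEY)
```

Running the same scan over your own release artifacts is a cheap check that no secret ships as a literal string; passing it says nothing about whether the key can be recovered by other means.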