Can this be somewhat solved with a handshake? You get the request at the server, respond with data that needs a particularly nasty piece of manipulation, and then you compare the response with your computed response for a match? You're not storing anything on the client side except code. It's still "security by obscurity", but Mr Frouma would have to steal your algorithm from your client and put it in his app, perhaps harder than stealing a blob of data. There are probably enhancements you could make if you can verify the client, such as pushing out a new algorithm.
Phil Wilson

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Per Bolmstedt
Sent: Friday, March 28, 2008 11:11 AM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Storing shared secrets

On Fri, 28 Mar 2008 19:09:52 +0100, Frans Bouma <[EMAIL PROTECTED]> wrote:

>> What you don't want: the key used for signing is available to anyone who
>> installs your client, so Bans Frouma can get at it and use it in his Pi
>> Komputing Klient.
>
> So that's a typical client-side certificate SSL connection. The TS
> should read into that how that's done with public/private keypairs.

Even so, the private key used to decrypt messages from the Pi Computing Service (and sign messages to it) has to be accessible to the client, right?

===================================
This list is hosted by DevelopMentor(r) http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
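The handshake suggested in the reply above, as an added example that is not part of the original thread or any participant's code. It assumes the "nasty piece of manipulation" is HMAC-SHA256 keyed with a value shipped in the client; all names and the secret are constructed for illustration. It shows what the handshake does stop (replay) and what it does not (a program carrying the same transform).

```python
import hashlib
import hmac
import secrets

# Assumption: the client-side "manipulation" is modelled as HMAC-SHA256 under
# a value embedded in the client binary. Constructed demo value, not a real key.
EMBEDDED_CLIENT_SECRET = b"constructed-demo-secret"


def client_transform(challenge: bytes) -> bytes:
    """Genuine client: manipulate the server's challenge with shipped code."""
    return hmac.new(EMBEDDED_CLIENT_SECRET, challenge, hashlib.sha256).digest()


class HandshakeServer:
    """Issues single-use random challenges and checks the client's answer."""

    def __init__(self, secret: bytes = EMBEDDED_CLIENT_SECRET):
        self._secret = secret
        self._pending = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already used: a replayed pair is refused
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    server = HandshakeServer()
    c1 = server.issue_challenge()
    r1 = client_transform(c1)
    results = {"genuine": server.verify(c1, r1)}
    results["replay_same_challenge"] = server.verify(c1, r1)
    results["old_response_new_challenge"] = server.verify(server.issue_challenge(), r1)
    # A separate program that carries the same transform and embedded value
    # passes the check too: the server cannot tell it from the genuine client.
    c3 = server.issue_challenge()
    other = hmac.new(EMBEDDED_CLIENT_SECRET, c3, hashlib.sha256).digest()
    results["same_transform_elsewhere"] = server.verify(c3, other)
    return results


if __name__ == "__main__":
    print(run_demo())
```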