max psykx wrote:
> 2008/11/28 Andy Gale <[EMAIL PROTECTED]>:
>
>> On Fri, Nov 28, 2008 at 12:30 AM, Lyle <[EMAIL PROTECTED]> wrote:
>>
>>> I'm wondering if MD5 is the best way to go? I know max was talking about
>>> encryption at the last meet...
>>>
> I'm still only messing with RSA so... How secure does your application
> need to be? Can you set up secure keys on both machines? I'll guess
> not as you need it to work with JavaScript (unless JScript is
> different).
>

When making old ASP pages, you can choose between VBScript and JScript. JScript is JavaScript, but it's server side, not the browser-based stuff most of us are used to.

>> Now that MD5 is considered partially insecure[1], I'd recommend using
>> SHA1. Also, I'd suggest you use a salt [2] in the key you are trying
>> to generate. The salt being basically a random string.
>>
> SHA1 also has mathematical weaknesses, although MD5 is weaker; the use
> of a salt, as described below, removes the possibility of a brute
> force attack (theoretically)
>
>> md5(id . password) is relatively easy to break with bruteforce (by
>> just trying all numbers and words, etc) while sha1(id . random_string
>> . password) is an order of magnitude more secure.
>>
>> Cheers
>>
> So basically it's a balance between being supported (I don't know
> about anything Windows atm) and being secure (using RSA keys to
> encrypt using another symmetric algorithm because RSA is about 1000
> times slower than a symmetric algo.)
>

It needs to be pretty quick... and there needs to be a pure Perl option for the crappy shared hosting people. Maybe I should offer MD5, SHA1, BlowFish, etc., and let the user decide which to use. That way they can use the best method that their language supports.

Lyle
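
An added example, not code from the thread: a Python sketch of the salted sha1(id . random_string . password) construction quoted above, with the digest selectable per token as Lyle proposes. The function names, the `alg$salt$digest` token layout and the length-prefixing of fields are assumptions of this example, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Digests named in the thread (MD5, SHA1); the caller picks one per token.
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def _digest(alg, user_id, salt, password):
    # Length-prefix each field: plain concatenation is ambiguous, since
    # id "12" + password "3abc" and id "123" + password "abc" give the same bytes.
    h = ALGORITHMS[alg]()
    for field in (user_id, salt, password):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def make_token(user_id, password, alg="sha1"):
    """Return 'alg$salt$digest' so the verifier knows which digest was used."""
    if alg not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + alg)
    salt = secrets.token_hex(16)  # the "random_string" of the thread, fresh per token
    return "$".join((alg, salt, _digest(alg, user_id, salt, password)))


def verify_token(token, user_id, password):
    """Recompute the digest from the stored alg and salt; compare in constant time."""
    parts = token.split("$")
    if len(parts) != 3 or parts[0] not in ALGORITHMS:
        return False
    alg, salt, expected = parts
    actual = _digest(alg, user_id, salt, password)
    return hmac.compare_digest(actual.encode("utf-8"), expected.encode("utf-8"))


def naive(user_id, password):
    """The unsalted md5(id . password) form from the thread, for comparison."""
    return hashlib.md5((user_id + password).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print("naive collision:", naive("12", "3abc") == naive("123", "abc"))
    t1, t2 = make_token("42", "hunter2"), make_token("42", "hunter2")
    print("salted tokens differ:", t1 != t2)
    print("verify:", verify_token(t1, "42", "hunter2"), verify_token(t1, "42", "wrong"))
```

Because the salt is random per token, two tokens for the same id and password differ, so a table of precomputed digests cannot be reused across tokens.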
