> SSL/TLS is mandate. Along with that I need to client-side password encryption > also.
I encourage you to reconsider. I realize that may be difficult if the requirements are dictated by a third party, but it's worth repeating that this is most likely a bad idea. In particular the key management issue is much harder than the cryptographic algorithm implementation: Successful key management is critical to the security of a cryptosystem. In practice it is arguably the most difficult aspect of cryptography because it involves system policy, user training, organizational and departmental interactions, and coordination between all of these elements. [1] If you can solve that problem in your encryption scheme, the code changes in CAS will be trivial by comparison and something you ought to be able to handle on your own. M [1] http://en.wikipedia.org/wiki/Key_management -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
