On 29/08/13 at 03:09pm, Nikos Fotiou wrote:
> A suspicious user may wonder, how can he be sure that the service
> indeed uses the provided source code. IMHO, end-to-end security can be
> really verifiable--from the user perspective--if it can be attested by
> examining only the source code of the applications running on the user
> side.

I agree with you and I propose a simple protocol which follows your statement:

- encrypt your data with a symmetric cipher and a private and robust key
- make a hash of the encrypted data and store it securely (no loss possible) offline
- upload the encrypted data over some service.
- download the encrypted data when you need it, check the hash and decrypt with the key used in the first pass.

In this (simple) case, what is run server side does not nullify security properties (confidentiality and integrity in this example), provided that what is run user-side is "ok".

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
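
The four steps in the reply above, as an added example that is not part of the original post. AES-256-CTR and SHA-256 are assumptions, since the post names no algorithms; the hash covers the IV together with the ciphertext, and the function names Seal and Open are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Seal encrypts with AES-256-CTR and returns the blob to upload (IV || ciphertext)
// plus its SHA-256 digest, which the user keeps offline.
func Seal(key, plaintext []byte) ([]byte, [32]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, [32]byte{}, err
	}
	blob := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(blob[:aes.BlockSize]); err != nil { // fresh random IV
		return nil, [32]byte{}, err
	}
	cipher.NewCTR(block, blob[:aes.BlockSize]).XORKeyStream(blob[aes.BlockSize:], plaintext)
	return blob, sha256.Sum256(blob), nil
}

// Open refuses to decrypt unless the downloaded blob matches the offline digest.
func Open(key, blob []byte, digest [32]byte) ([]byte, error) {
	if sha256.Sum256(blob) != digest || len(blob) < aes.BlockSize {
		return nil, errors.New("blob does not match the offline hash")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCTR(block, blob[:aes.BlockSize]).XORKeyStream(out, blob[aes.BlockSize:])
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key is random and private
	rand.Read(key)
	blob, digest, _ := Seal(key, []byte("constructed sample data"))
	blob[len(blob)-1] ^= 1 // a server-side bit flip in the stored CTR ciphertext
	_, err := Open(key, blob, digest)
	fmt.Println("tampered download rejected:", err != nil)
}
```

CTR mode by itself gives no integrity, so the offline digest is the only thing here that detects a modified download; if the digest is lost, the blob can still be decrypted but no longer checked.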