John Saylor wrote:
> Hi
>
> I'm passing some data through a web client [applet-like] and am planning
> on using some crypto to help ensure the data's integrity when the applet
> sends it back to me after it has been processed.
>
> The applet has the ability to encode data with several well known
> symmetric ciphers.
>
> The problem I'm having has to do with key management.
>
> Is it better to have the key encoded in the binary, or to pass it a
> plain text key as one of the parameters to the applet?
>
> I know that the way most cryptosystems work is that the security is in
> the key. But having a compiled-in key just seems like a time bomb that's
> going to go off eventually. Is it better to have a variable key passed
> in as data [i.e. not marked as "key"] or to have a static key that sits
> there and waits to be found.
If all you want to ensure is integrity, why are you using symmetric
encryption? Surely a keyed HMAC would make more sense? Not that this
changes your question. However, you haven't specified your threat model,
so I feel unable to answer.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
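Added illustration of the keyed HMAC mentioned in the reply above; it is not code from either poster. It assumes a per-session key derived from a server-only master secret and passed to the client as a parameter, and every name and sample value in it is constructed. The last case shows why the threat model decides the answer: whoever holds the key can tag any data.

```python
import hashlib
import hmac
import secrets

# Assumption: a master secret that never leaves the server.
MASTER_SECRET = secrets.token_bytes(32)


def session_key(session_id: str) -> bytes:
    """Derive a per-session MAC key, so no static key is compiled into the client."""
    label = b"client-mac-key|" + session_id.encode()
    return hmac.new(MASTER_SECRET, label, hashlib.sha256).digest()


def tag(key: bytes, session_id: str, payload: bytes) -> str:
    """HMAC-SHA256 over a length-prefixed session id plus the payload."""
    sid = session_id.encode()
    msg = len(sid).to_bytes(2, "big") + sid + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def server_verify(session_id: str, payload: bytes, received_tag: str) -> bool:
    """Recompute the tag on the server and compare in constant time."""
    expected = tag(session_key(session_id), session_id, payload)
    return hmac.compare_digest(expected, received_tag)


def demo() -> dict:
    sid = "session-0001"                    # constructed sample value
    key = session_key(sid)                  # handed to the client as a parameter
    result = b"amount=100;currency=EUR"     # constructed sample: processed data
    altered = b"amount=900;currency=EUR"    # constructed sample: changed data
    t = tag(key, sid, result)               # computed inside the client

    return {
        "untouched": server_verify(sid, result, t),
        "modified_in_transit": server_verify(sid, altered, t),
        "replayed_to_other_session": server_verify("session-0002", result, t),
        # A key holder (including the client's own user) can tag changed data.
        "changed_by_key_holder": server_verify(sid, altered, tag(key, sid, altered)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} accepted={accepted}")
```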
