----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files. Don't make us guess your problem!!!
----------------------------------------------------------------
Solomon Douglas wrote:
>
> I'm thinking of writing a simple encryption scheme whereby the servlet
> will make up a key pair on the fly, provide one key in a HIDDEN field
> in a form, and then a JavaScript script will encrypt the user's input
> using said key before submitting the form. Then the servlet will
> decrypt it using the other key. It seems like a simple idea but I'm
> sure it'll be trickier to implement than it sounds. Has anyone
> already done this?
>
> Solomon

Hello Solomon,

You are just trying to reinvent the wheel, as SSL does it better.
That's not a correct way to deal with authentication, but works for
browser->server encryption.

Anyway asymmetric cryptography is not the way to go to encrypt contents,
as asymmetric is slower compared to symmetric algos.

Anybody that can see the first exchange and capture the hidden field
knows the secret, and that's a zero authentication security model :-(

If you use SSL to encrypt the first exchange, this can work, but:
- non-standard
- slower vs SSL
- possible attack if "private" key is not sent over SSL.

Hope this helps

Jean-Luc
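
The "possible attack" noted in the reply, when the key in the HIDDEN field does not travel over SSL, shown as an added example (not code from either poster): an in-process simulation of the proposed scheme in which the form is altered in transit, so the browser encrypts to a key the servlet never issued. It assumes RSA-OAEP through Node's built-in crypto module; the function names, the form object and the sample input are constructed for the illustration.

```javascript
const crypto = require('crypto');

const newKeyPair = () => crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// Servlet side: fresh key pair per form, one key placed in a HIDDEN field.
function serveForm() {
  const { publicKey, privateKey } = newKeyPair();
  return { form: { hiddenKey: publicKey }, privateKey };
}

// Browser side: the script encrypts with whatever key the form carries.
// Nothing in the scheme tells it which party generated that key.
function browserSubmit(form, input) {
  return crypto.publicEncrypt(form.hiddenKey, Buffer.from(input, 'utf8'));
}

// Returns the plaintext, or null when the ciphertext was not made for this key.
function tryDecrypt(privateKey, ciphertext) {
  try {
    return crypto.privateDecrypt(privateKey, ciphertext).toString('utf8');
  } catch (err) {
    return null;
  }
}

function simulate(input) {
  const server = serveForm();

  // Case 1: the form arrives unmodified, the servlet recovers the input.
  const honest = tryDecrypt(server.privateKey, browserSubmit(server.form, input));

  // Case 2: the form is rewritten in transit and the hidden key is replaced
  // with the public half of a key pair the servlet never generated.
  const other = newKeyPair();
  const altered = { hiddenKey: other.publicKey };
  const ciphertext = browserSubmit(altered, input);

  return {
    honest,
    readableByKeySwapper: tryDecrypt(other.privateKey, ciphertext),
    readableByServer: tryDecrypt(server.privateKey, ciphertext),
  };
}
```

In the second case the browser behaves exactly as in the first, which is why the key has to reach it over an authenticated channel such as SSL, where the server's certificate ties the key to the site.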