----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files.  Don't make us guess your problem!!!
----------------------------------------------------------------

I wrote:

>> I'm thinking of writing a simple encryption scheme whereby the servlet
>> will make up a key pair on the fly, provide one key in a HIDDEN field
>> in a form, and then a JavaScript script will encrypt the user's input
>> using said key before submitting the form.  Then the servlet will
>> decrypt it using the other key.  It seems like a simple idea but I'm
>> sure it'll be trickier to implement than it sounds.  Has anyone
>> already done this?

Jean-Luc Rochat <[EMAIL PROTECTED]> replied:

> You are just trying to reinvent the wheel, as SSL does it better.
>
> That's not a correct way to deal with authentication, but works for
> browser->server encryption.
> Anyway asymmetric cryptography is not the way to go to encrypt contents,
> as asymmetric is slower compared to symmetric algos.
> Anybody that can see the first exchange and capture the hidden field
> knows the secret, and that's a zero authentication security model :-(

I only want to use this scheme to allow the user to enter his or her
password.  Anyone who can see the hidden field knows the public key,
but this doesn't give them anything at all if they don't know the
user's password, especially since I only intend to use this key pair
once (for the password).  The person who went to all the trouble of
sniffing the connection and grabbing the one-time public key could
save themselves the trouble by connecting to the server themselves and
getting their own public key.

> If you use SSL to encrypt the first exchange, this can work, but:
> - non standard
> - slower vs SSL
> - possible attack if "private" key is not sent over SSL.
> Hope this helps

Thanks, I'll look into using SSL for the entire session.

Solomon
--
 Solomon <|>   [EMAIL PROTECTED]
 Douglas /|\   http://web.mit.edu/srcd/www/


--
--------------------------------------------------------------
Please read the FAQ! <http://java.apache.org/faq/>
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Archives and Other:  <http://java.apache.org/main/mail.html>
Problems?:           [EMAIL PROTECTED]
