----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files. Don't make us guess your problem!!!
----------------------------------------------------------------
"Thomas M. Sasala" <[EMAIL PROTECTED]> wrote:
> What key do you plan on adding to a hidden field? The
> encryption key or the public key of a public/private pair? You
> know viewing the source will display any hidden fields.
It's the public key... I don't have to put it in a hidden field, I
could just store it directly in the javascript source. The point is
that I want the script to have access to the public key, and I want it
to be transparent to the user. If the user chooses to view source
then they can see it, but to the naive user I want it to be completely
transparent.
> Not many people use asymmetric algorithms for encryption.
> Use Diffie/Hellman for exponential key generation then a symmetric
> alg for the confidentiality. The size of your primes and/or
> exponent determine the level of security you have for the traffic
> encryption key. Obviously a 20-bit prime is relatively useless,
> whereas a 1024 bit prime is complete overkill. You
> need to ask yourself how important is the data *and* how long
> is the data valid? The lifetime of the data directly determines
> how 'good' the algorithm needs to be.
Well, the lifetime of the data is very long here, actually - it
will be an undergraduate student's UNIX password, and the undergrads
don't know how to change their passwords (they don't get a shell
account), so the data lasts on the order of a year.
The rest of the JServ session does not need to be confidential - it's
only the username and password exchange that matters.
> Have you considered the Java Crypto API?
I haven't looked into this yet. I'm trying to avoid client-side java,
that's why I'm hoping to implement the client side in javascript.
Solomon
P.S. don't be fooled by my e-mail address - MIT undergrads *do* know
how to change their passwords, but this system is not for MIT.
--
Solomon <|> [EMAIL PROTECTED]
Douglas /|\ http://web.mit.edu/srcd/www/
--
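
The approach suggested in the quoted advice above (Diffie-Hellman to agree on a key, then a symmetric algorithm for the password), as an added example that is not part of the original message. It runs both sides in one Node.js process; the modp14 group, HKDF, AES-256-GCM, the `login-v1` label and all function names are assumptions of this example.

```javascript
const nodeCrypto = require('crypto');

// Derive a 256-bit AES key from the raw DH shared secret (HKDF-SHA256).
function deriveKey(sharedSecret, salt) {
  return Buffer.from(
    nodeCrypto.hkdfSync('sha256', sharedSecret, salt, 'login-v1', 32));
}

// Client side: encrypt the password under the agreed key (AES-256-GCM).
function sealPassword(key, username, password) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(username, 'utf8')); // bind ciphertext to the username
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Server side: decrypt; throws if ciphertext, tag or username was altered.
function openPassword(key, username, msg) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAAD(Buffer.from(username, 'utf8'));
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ct), decipher.final()])
    .toString('utf8');
}

// One login exchange, both sides in one process (constructed sample data).
function demoExchange(username, password) {
  const server = nodeCrypto.getDiffieHellman('modp14'); // RFC 3526, 2048-bit
  const client = nodeCrypto.getDiffieHellman('modp14');
  const serverPub = server.generateKeys(); // sent to the browser with the page
  const clientPub = client.generateKeys(); // sent back with the login form
  const salt = nodeCrypto.randomBytes(16); // sent in the clear with the page
  // Each side combines its own private value with the other's public value.
  const clientKey = deriveKey(client.computeSecret(serverPub), salt);
  const serverKey = deriveKey(server.computeSecret(clientPub), salt);
  const msg = sealPassword(clientKey, username, password);
  return {
    keysMatch: clientKey.equals(serverKey),
    recovered: openPassword(serverKey, username, msg),
    msg,
    serverKey,
  };
}
```

A plain exchange like this only resists passive eavesdropping: the server's DH value has to be authenticated, because anyone able to alter the page in transit can substitute their own.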