The *private* key would be kept by you. You do have to "give" them the *public* key in some sense, but it would be embedded within the custom built node executable, probably somewhere within the call chain for require. The encrypted javascript files could be required by this version of node but not by any other, and would be of no use without it. Embedding keys within applications is a common approach and while it is subject to a variety of attacks and the source of many infamous hacks (like DeCSS), a variety of reasonably effective techniques for obfuscating them are available. Obviously any sufficiently dedicated hacker organization could probably still crack your system but for that level of effort they could probably recreate the original software as well. A more obvious concern arises from the fact that node is capable of executing arbitrary code, so for far less effort than recovering your key someone could probably craft a javascript program that extracts the source after it's been decrypted. You'd need to prevent your version of node from running such scripts, perhaps by requiring all input to be encrypted or at least signed. If you make use of third party modules you'd need to provide encrypted versions of them as well, otherwise someone could hijack a trusted module's methods for a similar purpose.
--Ken

On Monday, March 5, 2012 6:45:41 AM UTC-8, Dean Landolt wrote:

> On Mon, Mar 5, 2012 at 12:42 AM, Ken <> wrote:
>
>> I realize this thread has largely devolved into a philosophical discussion about whether one *should* do this, but I think the technical question of how one *could* do this is still a valid one. I've thought about this a while and so far the only practical and secure answer I've come up with is to encrypt the javascript using PGP or a similar scheme. This would require a custom built version of the node executable that is capable of reading the encrypted files because it has the public key baked in. You'd use the private key to encrypt the javascript files that you distribute with your application. Some care would need to be taken to ensure that the executable couldn't be coerced into producing decrypted versions of your files.
>
> Either you're misunderstanding PKI or I'm misunderstanding you. But you do realize that in this scheme you still have to hand your client -- the person you're trying to hide your valuable *secrets* from -- the private key? Sure, you can bury it in layers of obscurity but it's there, and with the right tools will be in plain sight at some point.
