On Tue, Mar 6, 2012 at 4:32 AM, Ken <[email protected]> wrote:

> The *private* key would be kept by you. You do have to "give" them the
> *public* key in some sense, but it would be embedded within the custom
> built node executable, probably somewhere within the call chain for
> require.

The custom built node executable you "give" your client, perchance? QED.

> The encrypted javascript files could be required by this version of node
> but not by any other, and would be of no use without it. Embedding keys
> within applications is a common approach and while it is subject to a
> variety of attacks and the source of many infamous hacks (like DeCSS), a
> variety of reasonably effective techniques for obfuscating them are
> available. Obviously any sufficiently dedicated hacker organization could
> probably still crack your system but for that level of effort they could
> probably recreate the original software as well. A more obvious concern
> arises from the fact that node is capable of executing arbitrary code, so
> for far less effort than recovering your key someone could probably craft a
> javascript program that extracts the source after it's been decrypted.
> You'd need to prevent your version of node from running such scripts,
> perhaps by requiring all input to be encrypted or at least signed. If you
> make use of third party modules you'd need to provide encrypted versions of
> them as well, otherwise someone could hijack a trusted module's methods
> for a similar purpose.
>
> --Ken
>
> On Monday, March 5, 2012 6:45:41 AM UTC-8, Dean Landolt wrote:
>
>> On Mon, Mar 5, 2012 at 12:42 AM, Ken <> wrote:
>>
>>> I realize this thread has largely devolved into a philosophical
>>> discussion about whether one *should* do this, but I think the technical
>>> question of how one *could* do this is still a valid one. I've thought
>>> about this a while and so far the only practical and secure answer I've
>>> come up with is to encrypt the javascript using PGP or a similar scheme.
>>> This would require a custom built version of the node executable that is
>>> capable of reading the encrypted files because it has the public key baked
>>> in. You'd use the private key to encrypt the javascript files that you
>>> distribute with your application. Some care would need to be taken to
>>> ensure that the executable couldn't be coerced into producing decrypted
>>> versions of your files.
>>
>> Either you're misunderstanding PKI or I'm misunderstanding you. But you
>> do realize that in this scheme you still have to hand your client -- the
>> person you're trying to hide your valuable *secrets* from -- the private
>> key? Sure, you can bury it in layers of obscurity but it's there, and with
>> the right tools will be in plain sight at some point.
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to [email protected]
> For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
