Thanks for your feedback Scott!

> You should also keep in mind that it's exceedingly dangerous
> to "re-invent the wheel" when it comes to cryptography. Heavily
> peer-reviewed algorithms (which are not always the most secure)
> are always your best bet.
I don't intend to do that: I just want to improve the rubber of the wheel. ;)

> Even though SSL isn't the best overall option for 100%
> total security, if you go about putting another home-brewed
> layer over SSL, you'll only marginally increase your security,
> while increasing your workload by quite a lot (and give yourself
> a false sense of security)

Point taken. But SSL is a false sense of security anyway - that's why I want to improve it.

> Another option nobody has mentioned:
> Perhaps install PGP/GPG on the server and email out encrypted
> passwords... this way, speed won't be such an issue, and you
> can use 3072-bit keys, which are quite secure. Of course, this
> would mean the client MUST have PGP/GPG installed on his
> computer.... :-)

I've already started to implement RSA cryptography within the database. And then you can try to break my potential 50.000-bit keys if you feel like it. =) I don't think even the NSA will be able to crack such a key, unless they have found a fast factorization algorithm. ;)

This is not going to be a high-load thing - this is for the security of the database maintenance tool. Since the operator will have quite a lot of power to create and change user accounts etc., it is important to protect this communication - but this won't be used very often, and it will be short interactive queries only with the database - and the database server has quite good crunching capacity too, so I don't worry too much about it. For example, a Mandelbrot function I wrote in SQL at my former job took about 20 minutes to crunch on our SQL server; this server does the same job in 15 seconds. I got enough power! ;)

--
Anders Svensson
Member of International Association of Idiot Developer
The Dutch Government

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php