Nic Ferrier wrote,
> The key never travels across the wire.
>
> The way I use it is by having a unique username-key
> relationship that is understood on the server.
>
> The user enters their username and their key and their
> password.
>
> The key encrypts the password, the username and
> password are transferred to server, the servlet can
> then guarantee that the user is who they say they are
> (because the deciphered password should match what
> I've got in the password database for that user). I
> can decipher the password because I have a one to one
> match keys to usernames.
>
> Break that.

OK, this sounds a little better (but not much). But
you neglected to mention that the client and the server
have to have a shared secret (the key). Maintaining
this sort of infrastructure is significantly more effort
than putting together a servlet+applet+javascript
concoction. For instance, how to you handle the initial
key exchange? Plenty of ways to be sure, but mostly a
great deal more long winded than using https (eg. "To
register with this site you must first install PGP" ;-)

Even so, this scheme is depressingly easy to crack as
you acknowledge,

> There is a way actually, an intervening device could
> alter the applet as it heads towards the user. This
> would be very hard though and could probably be
> stopped by some simple Java Security checks.

If an eavesdropper had access to a malicious or
compromised intermediary proxy then it'd actually be
extremely easy for them to catch applets and tweak them
on the fly, and there are no Java security checks which
would save you. There are also plenty of opportunities for
spoofing.

> Enlightened?

Yes, but probably not in the way you intended ;-)

Cheers,


Miles

--
Miles Sabin                          Cromwell Media
Internet Systems Architect           5/6 Glenthorne Mews
+44 (0)181 410 2230                  London, W6 0LJ
[EMAIL PROTECTED]           England

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html