Distributing user-developed Linux software and licensing issues.

Mikkel L. Ellertson mikkel at infinity-ltd.com
Thu Jan 19 00:15:47 UTC 2006


Runesabre wrote:
> 
> 
> I appreciate the replies from everyone.  You have all
> been very helpful! (/wave Markku and Tim)
> 
> I'm not a security expert so I'm learning as I go. 
> What I can't really understand is how a client-side
> application can be completely open source and secure
> at the same time without giving away its encryption
> techniques.  I can't afford for every customer to be
> issued a SecureId fob like I used in the workplace and
> any secret "key" transmitted over the 'net can simply
> be intercepted and used with full knowledge of how the
> key works since access to the source code is
> available.  My customers aren't locked to using their
> account from a specific machine.
> 
> Do open source web servers include the full source to
> their encryption routines?  What about SSL?  Is the
> source to SSL open to the public?  
> 
> Thanks again for the responses.
> 
> Kirk Black
> 
A key pair is used. One key encrypts the message, and a second key
decrypts the message. The thing is, the key that encrypts the
message can not be used to decrypt it. Even with the encryption
source code, and one key, it is not practical to decrypt the
message. (It can be done with enough CPU time, but it is not
practical.)

You may want to read up on openSSL or GnuPG - you can get the full
source code for them. You can use openSSL to set up a secure
connection for sending things like usernames and passwords. Just
capturing the communications does not help, because the encrypted
stream is different every time.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
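The key-pair idea Mikkel describes, as an added illustration that is not part of the original mailing-list thread: the whole algorithm and the encrypting (public) key are known to everyone, yet only the holder of the second (private) key can decrypt, and random padding makes the same message encrypt to a different ciphertext every time. This is textbook RSA with deliberately tiny constructed keys so it runs in a second with nothing but the Python standard library (Python 3.8+ for the modular inverse); real deployments use OpenSSL or GnuPG with 2048-bit or larger keys and standardized padding, which this toy does not implement.

```python
"""Textbook RSA key pair demonstration (constructed example, stdlib only)."""
import random
from math import gcd


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test; adequate for a demonstration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one is probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=256, seed=None):
    """Return ((n, e), (n, d)): the public key and the private key.

    Anyone may hold (n, e) and the source of this file; without d they
    would have to factor n, which is the 'not practical' part of the post.
    256 bits is a toy size chosen so the example is fast; it is NOT secure.
    """
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def key_bytes(n):
    return (n.bit_length() + 7) // 8


def encrypt(message, public_key, rng=random):
    """Encrypt bytes with the public key; random padding varies the output."""
    n, e = public_key
    k = key_bytes(n)
    if len(message) > k - 11:
        raise ValueError("message too long for this key size")
    pad_len = k - 3 - len(message)  # at least 8 random non-zero bytes
    pad = bytes(rng.randrange(1, 256) for _ in range(pad_len))
    block = b"\x00\x02" + pad + b"\x00" + message
    m = int.from_bytes(block, "big")  # leading 0x00 guarantees m < n
    return pow(m, e, n)


def decrypt(ciphertext, key):
    """Decrypt with (n, exponent); returns None if the padding is not intact.

    Passing the public key here shows that the encrypting key does not
    decrypt: the result is garbage that fails the padding check.
    """
    n, exp = key
    k = key_bytes(n)
    m = pow(ciphertext, exp, n)
    block = m.to_bytes(k, "big")
    if block[:2] != b"\x00\x02":
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:
        return None
    return block[sep + 1:]


if __name__ == "__main__":
    pub, priv = generate_keypair(256, seed=1)
    msg = b"alice:hunter2"  # constructed sample login, not real credentials
    c1, c2 = encrypt(msg, pub), encrypt(msg, pub)
    print("same message, different ciphertexts:", c1 != c2)
    print("private key recovers:", decrypt(c1, priv))
    print("public key recovers:", decrypt(c1, pub))
```

Run it as a script to see the three properties printed; `generate_keypair` is seeded only so repeated runs produce the same toy key, and `encrypt` draws its padding from the unseeded module generator so two encryptions of the same message differ, which is the "different every time" behaviour the reply mentions.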
