|
Security Basics
mailing list archives
RE: Encryption Key Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 4 Mar 2005 10:00:04 -0800
-----Original Message-----
From: David Heise [mailto:dheise () gmail com]
Essentially its not about the user, its about the software. I want to
ensure that only my software can talk to my webservice and vice versa.
I don't care about the user, or who is using it, but the application.
So, the thought is to have a unique method of sending and recieving
data...namely encryption. The user will supply credentials and
authenticate on top of this extra layer.
That's a seriously intractable problem. You can establish,
cryptographically, whether the client process knows your key or not,
but that's not sufficient to establish whether the client process
is, in fact, running an unmodified image of your software. The
usual ways to check for image modification, such as hashes, require
access to the image itself to verify -- and there's no assurance that
the image a process offers for verification is actually the image that
is running.
Smart cards and tokens address a similar problem. But an important
element of those solutions is that they're sealed in a pretty much
tamper-proof piece of hardware -- and your application isn't.
Counterfeiting a smart card or token is hard; imitating or cloning
the part of your software that verifies its legitimacy will be
considerably easier. MAYBE you can make it more effort than the
information you want to safeguard is worth, but that's a big IF.
David Gillett
 By Date 
By Thread
Current thread:
- RE: Encryption Key Question, (continued)
Re: Encryption Key Question Zaven (Mar 03)
RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
Re: Encryption Key Question Dr. S. A. Vetha Manickam (Mar 04)
|
Intro
