> -----Original Message-----
> From: Jay Blanchard [mailto:jblanchard@xxxxxxxxxx]
> Sent: Monday, July 31, 2006 10:38 AM
> To: Jon Anderson; [php] PHP General List
> Subject: RE: AES client side
>
> [snip]
> Why *must* you use SSL? Again, devil's advocate here (SSL is
> probably much better) but that doesn't mean that you can't
> use some crazy JS and PHP to implement some alternative
> encryption technique. (Say a symmetric algorithm that isn't
> implemented in any standard SSL implementations, or a proof
> of concept etc.)
>
> For example:
> - Client (javascript) and Server (PHP script) decide on some
>   key via secure key negotiation.
> - One end encrypts message using key and wacky encryption
>   algorithm, other end decrypts it. Same thing again,
>   client/server reversed.
> [/snip]
>
> This still leaves any Javascript exposed, doesn't it?

The algorithm may be exposed but the internal data may not be. If the JavaScript, through AJAX or some other method, holds a 'private key' internally, you might be able to duplicate the public/private key methodology of most encryption systems. This, though, essentially duplicates the SSL layer, but does allow you to use other algorithms which are similar but which may have different traits that you want to work with, such as not requiring SSL, or being transparently encrypted to the user. I wouldn't suggest it but it is POSSIBLE from a proof of concept viewpoint and could, theoretically, have some usefulness.

> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
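
Added example, not part of the original thread or any poster's code: the key negotiation and two-way symmetric encryption described in the quoted message, with both ends simulated in one Node.js process instead of browser JavaScript and a PHP script. The choice of ECDH on P-256, HKDF-SHA256 and AES-256-GCM and all function names are assumptions made for illustration.

```javascript
// Added example: client and server ends are simulated locally (assumption).
const crypto = require('node:crypto');

// Each end generates an ephemeral P-256 key pair; only the public key is sent.
function newEndpoint() {
  const ecdh = crypto.createECDH('prime256v1');
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Derive a 256-bit AES key from the ECDH shared secret with HKDF-SHA256.
function deriveKey(endpoint, peerPublicKey) {
  const secret = endpoint.ecdh.computeSecret(peerPublicKey);
  const okm = crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo aes-256-gcm key', 32);
  return Buffer.from(okm);
}

// AES-256-GCM with a fresh random 96-bit nonce for every message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the ciphertext or the authentication tag was modified in transit.
function unseal(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function demo() {
  const client = newEndpoint();
  const server = newEndpoint();
  const clientKey = deriveKey(client, server.publicKey);
  const serverKey = deriveKey(server, client.publicKey);
  // Constructed sample messages, one in each direction.
  const toServer = unseal(serverKey, seal(clientKey, 'constructed client message'));
  const toClient = unseal(clientKey, seal(serverKey, 'constructed server reply'));
  // Flip one ciphertext bit to show that GCM rejects modified data.
  const tampered = seal(clientKey, 'constructed client message');
  tampered.ct[0] ^= 0x01;
  let tamperDetected = false;
  try { unseal(serverKey, tampered); } catch (e) { tamperDetected = true; }
  return { keysMatch: clientKey.equals(serverKey), toServer, toClient, tamperDetected };
}
```

Nothing in this exchange authenticates the public keys or the script that performs it, so it gives confidentiality only if the page and its JavaScript reach the browser unmodified, which is the property SSL's certificate check supplies.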