On 31/07/06, Jon Anderson <jon@xxxxxxxxxxxxxxxxxx> wrote:
Jay Blanchard wrote:
> Yes, but that shouldn't matter. The algorithms for RSA, AES, etc, etc
> are all publicly available, why bother hiding their JavaScript
> implementations? Only the data would be encrypted.
> [/snip]
>
> So, you're suggesting that you can use Ajax or some other mechanism to
> hide the key on the server?

There's no "hiding". You could use a secure key exchange mechanism, such as Diffie-Hellman. Diffie-Hellman is used to generate a shared key between two hosts (say "A" and "B") such that each host knows the key, but any third party listening in on the information is unable to trivially reconstruct the key.

See: http://en.wikipedia.org/wiki/Diffie-Hellman
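The exchange Jon describes, as an added example that is not part of the original thread: a minimal Diffie-Hellman run in JavaScript using BigInt, returning what a passive listener sees on the wire (p, g, A, B) separately from the secret each side derives. The group parameters are toy values constructed for readability; a real deployment would substitute a standardised multi-thousand-bit group, and the `bruteForceDiscreteLog` helper is included only to show why the toy size is recoverable and a real one is not "trivially" so.

```javascript
// Added example, not code from the mailing-list thread.
// Toy Diffie-Hellman over a small prime group using BigInt.

// Square-and-multiply modular exponentiation on BigInt values.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    exp >>= 1n;
    base = (base * base) % mod;
  }
  return result;
}

// Run one exchange between hosts A and B with private exponents a and b.
// onTheWire holds exactly the values a third party listening in can see;
// secretA and secretB are derived independently by each host and must match.
function diffieHellman(p, g, a, b) {
  const A = modPow(g, a, p);        // A -> B: A's public value
  const B = modPow(g, b, p);        // B -> A: B's public value
  const secretA = modPow(B, a, p);  // computed by A from B's public value
  const secretB = modPow(A, b, p);  // computed by B from A's public value
  return { onTheWire: { p, g, A, B }, secretA, secretB };
}

// Recover the private exponent from a public value by exhaustive search.
// Feasible only for toy groups like the one below; with a standard-size
// prime this loop would never finish, which is the whole point of the scheme.
function bruteForceDiscreteLog(g, publicValue, p) {
  for (let x = 0n; x < p; x++) {
    if (modPow(g, x, p) === publicValue) return x;
  }
  return null;
}

// Toy parameters (constructed for this example): p = 23, g = 5,
// A's private exponent 6, B's private exponent 15.
const run = diffieHellman(23n, 5n, 6n, 15n);
console.log("seen by eavesdropper:", run.onTheWire);       // A = 8n, B = 19n
console.log("shared secrets:", run.secretA, run.secretB); // 2n 2n
console.log("toy group broken:", bruteForceDiscreteLog(5n, run.onTheWire.A, 23n)); // 6n
```

Note that the exchange only protects against a listener; it does not authenticate either party or the code that runs it, which is the gap Robin raises in the reply below.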
How about if the third party can control one side of the transaction by altering the JavaScript that implements it while in transit - for instance by adding a couple of lines that transmit the key to the third party after the key exchange?

-robin

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php