At 2:52 PM -0700 7/27/07, John A DAVIS wrote:
Very good! Very good! Thank you. Lots of stuff to mull over.
John A. Davis
Programmer
State of Oregon DHS OIS
CNE, MCSE
"Don't think of the problem, think of the solution"
"Satyam" <Satyam@xxxxxxxxxxxxx> 7/27/2007 2:19 PM >>>
There are two different things you might want, ensure that the data
is not seen by eavesdroppers while in transit or ascertain that the
data comes from who says it is.
The first, you manage with SSL as with any other secure transaction,
as already suggested.
For the second is what you might want to use a digital signature,
that's why someone might have suggested it to you.
As a sample of how this would work you read the file into memory,
add a long string, the signature, that is never transmitted but
that both ends know, and pass it all through an algorithm like MD5
or such. At the receiving end, you get the data and the MD5 but,
as I said, the signature is never transmitted, but you know it as
well. You do the same process as in the sending end and you should
reach the same MD5. Since MD5 is not reversible, knowing the MD5 of
this long string, the data plus the signature, cannot reveal the
signature even if the data is transmitted in clear text, but no
other except someone who has the signature can produce the right
MD5. Notice that the data itself is transmitted in clear text, the
goal is to ensure that who sends it is who is meant. A similar
process has been in use in the banking industry for wire transfers
when they were really sent via telex.
As mentioned PGP is a far better solution since it covers both
requirements and it uses two keys, one for encoding and one for
decoding so that each end knows just half of the information and
won't require you to use SSL, the problem is that you have to do
some processing at the client side and JavaScript alone won't allow
you to access the file system. You would have to deploy ActiveX
controls or Konfabulator widgets (plus the widget runtime). On the
other hand, many eMail clients can send PGP protected messages.
Finally, you could get your users to ZIP the files with a password
before sending them, which is not so secure but is good enough for
many uses. It all depends on what you want.
Satyam
You can also send pieces and parts at different times to be assembled
afterwards and, if needed, each to have their own protection scheme.
Or you could burn a CD and send it through the mail, publish keys in
the newspaper under personal ads, flash Morse code on clouds, or try
smoke signals -- all work in one fashion or another to transmit data.
I think that about covers it. :-)
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
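The shared-secret check described in the thread, as an added example that is not part of the original messages: it shows the hash-of-data-plus-secret scheme as described, next to the standard keyed-hash form of the same idea (HMAC-SHA256 with a constant-time comparison), which is what a current PHP receiver would normally use. The function names, the secret and the sample data are constructed for illustration.

```php
<?php
// Added example: shared-secret integrity check on transmitted file data.
// tagSimple(), tagHmac(), verify() and all values below are hypothetical.

// Constructed sample values. The secret is agreed out of band and is
// never sent along with the data.
$sharedSecret = 'constructed-demo-secret-known-to-both-ends';
$fileData     = "account=12345;amount=100.00\n";

// The scheme as described in the thread: hash the data followed by the secret.
function tagSimple(string $data, string $secret): string
{
    return md5($data . $secret);
}

// The same idea using the standard keyed-hash construction (HMAC-SHA256).
function tagHmac(string $data, string $secret): string
{
    return hash_hmac('sha256', $data, $secret);
}

// Receiver: recompute the tag from the received data and the local copy of
// the secret, then compare in constant time so the comparison itself does
// not leak how many leading characters of a guessed tag were right.
function verify(string $data, string $receivedTag, string $secret, callable $tagFn): bool
{
    return hash_equals($tagFn($data, $secret), $receivedTag);
}

// Sender transmits $fileData plus a tag; the secret stays local.
$simpleTag = tagSimple($fileData, $sharedSecret);
$hmacTag   = tagHmac($fileData, $sharedSecret);

// Receiver, data unmodified: both checks succeed.
var_dump(verify($fileData, $simpleTag, $sharedSecret, 'tagSimple'));
var_dump(verify($fileData, $hmacTag, $sharedSecret, 'tagHmac'));

// Data altered in transit while the original tag is kept: check fails.
$tampered = str_replace('100.00', '900.00', $fileData);
var_dump(verify($tampered, $hmacTag, $sharedSecret, 'tagHmac'));

// Tag produced by someone who does not hold the secret: check fails.
$forgedTag = tagHmac($fileData, 'not-the-shared-secret');
var_dump(verify($fileData, $forgedTag, $sharedSecret, 'tagHmac'));
```

As in the thread's description, the data itself still travels in clear text; the tag only shows that it came from a holder of the secret and was not changed on the way.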