Re: encryption question
- From: yannis <none@xxxxxxxxxx>
- Date: Tue, 29 Jan 2008 17:55:54 +0200
Rael wrote:
Hi,
I would like to use an encryption method where no record of the secret key is kept. (If the correct key is supplied the data will be unencrypted correctly otherwise a meaningless stream will be returned.)
But how to know if the user has entered the correct password?
If I keep a "test" string stored somewhere, where I know what this string value should be when unencrypted, will this compromise security? IOW, if a hacker has access to an encrypted string and knows what the unencrypted value of this string is, can he work out the secret key?
I would like to know if the answer to this question depends on algorithm used (i.e. public/private key pair or straightforward encryption (blowfish?)). I will probably be using an encryption method from freeware components streamsec or DCPCrypt.
Thanks a lot for any advice,
Rael
A public/private key is secure as long as the private key is not shared with anyone, e.g. you share the public, which is used to encrypt the information, but this encrypted information can only be decrypted by a private key known only to you. In any other case a simple key-based encryption would do just the same.
To answer your question, I have invested some thought in this and I have come to the conclusion that you need two pairs of private/public keys:
1) is the public key that will be shared with your application and the private that is known only to you
2) a new pair created on the user's computer, which will be created at installation and for which you will create a pair from data unique to this computer. This data might be a hash or digest of e.g. the Windows CD key, MAC address(es), as private key, and the public will be created on this.
You will use the public key shared with your application to encrypt any data that are sent back to your site/home etc., and in this data you will include the public key you have created during installation for this machine. Now, to send back data to your application you will use the public key sent to you by the registration process for the specified client, and every time the client receives data it will recreate the private key as needed to decrypt and use them.
This has a number of shortcomings. For example, if the user changes the net card the calculated private key will be invalid and will not decrypt correctly, requiring the user to re-register your application.
Regards
Yannis.
--
You talk a great deal about building a better world for your children, but when you are young you can no more envision a world inherited by your children than you can conceive of dying. The society you mold, you mold for yourself.
----Russell Baker-------