On Wed, 2006-01-18 at 15:10 -0800, Runesabre wrote:

> I'm not a security expert so I'm learning as I go.
> What I can't really understand is how a client-side
> application can be completely open source and secure
> at the same time without giving away its encryption
> techniques.

Look into PGP, for starters; it explains how the system works. The math that makes almost uncrackable encryption is no secret, and it's the math, not the coding, that does the real trick. In a *nutshell*, you've got an expression which can't be solved by looking at two of the three components (cracking), but all three together confirm the code is correct (verification). No one party has all three codes (public key, private key, and password).

In this case being open-source is more secure, because people can check that the encryption software only works to the right rules, has no errors or exploits, etc.

> I can't afford for every customer to be
> issued a SecureId fob like I used in the workplace and
> any secret "key" transmitted over the 'net can simply
> be intercepted and used with full knowledge of how the
> key works since access to the source code is
> available.

*How* it works isn't important to keep secret; only the information that's passed back and forth needs to be kept secret. Look at internet banking: the bank has a certificate to prove who they are, you have an account set up by them, and you use the secret information they set up for you. That can be automated to generate the client's secret information, and that information can be passed to them over a secure connection without being compromised.

> My customers aren't locked to using their
> account from a specific machine.

This *can* be a problem with the way some people use certificates with clients. My phone company did that: I had to download and install a certificate, and only got to do it once. Tough luck if I had to change PCs.

> Do open source web servers include the full source to
> their encryption routines? What about SSL? Is the
> source to SSL open to the public?

Yes. Start looking at the Apache website documentation, and move on from there. Also look at some open-source web browsers, and see how they've done the client side of secure connections. That might give you an understanding of the concepts, and possibly even code libraries that you can use for your own purposes.

-- 
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
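As an added illustration of the point made in the reply above (this is example code, not code from the thread or its participants): a challenge-response login in which the entire algorithm is public and only the per-account secret, handed to the client once inside an already-protected connection, has to stay private. The account names, the 32-byte secret, the 16-byte challenge and the choice of HMAC-SHA256 are assumptions for the example; an eavesdropper with the full source and a recorded exchange still cannot answer a fresh challenge.

```python
"""Public algorithm, private key: only the shared secret needs protecting.
Added example; all sizes, names and the HMAC-SHA256 choice are assumptions."""
import hashlib
import hmac
import secrets


def enroll_client(account_id: str, secret_bytes: int = 32) -> dict:
    """Account set-up on the server: generate the client's secret once and hand
    it over inside an already-protected channel (e.g. TLS). The same record is
    kept by the server and given to the client."""
    return {"account": account_id, "secret": secrets.token_bytes(secret_bytes)}


def make_challenge() -> bytes:
    """Fresh random nonce per login, so a recorded response is useless later."""
    return secrets.token_bytes(16)


def respond(secret: bytes, challenge: bytes, account_id: str) -> bytes:
    """Client proves it holds the secret without ever transmitting it."""
    return hmac.new(secret, account_id.encode() + challenge, hashlib.sha256).digest()


def verify(record: dict, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected MAC and compares in constant time."""
    expected = respond(record["secret"], challenge, record["account"])
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """One honest login, then two things an eavesdropper with the source code
    and the captured traffic might try: replaying the old response against a
    new challenge, and reusing it under another account name."""
    rec = enroll_client("alice")                    # constructed sample account
    c1 = make_challenge()
    r1 = respond(rec["secret"], c1, rec["account"])  # what crosses the wire
    c2 = make_challenge()                            # next login's challenge
    other = {"account": "bob", "secret": rec["secret"]}
    return {
        "legit": verify(rec, c1, r1),
        "replay": verify(rec, c2, r1),
        "wrong_account": verify(other, c1, r1),
    }


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'replay': False, 'wrong_account': False}
```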