Runesabre wrote in his message (sent Thursday, 19 January 2006 01:10):

> I'm not a security expert so I'm learning as I go.
> What I can't really understand is how a client-side
> application can be completely open source and secure
> at the same time without giving away its encryption
> techniques.

The client is Open Source, secure, _and_ it "gives away" the encryption techniques. All encryption algorithms in general use are based on publicly released standards like RSA, DES or AES, so no additional security is gained by trying to keep program function hidden. Since the late 19th century, the security of encryption systems has been evaluated based on Kerckhoffs' law: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. ( http://en.wikipedia.org/wiki/Kerckhoffs%27_law )

> I can't afford for every customer to be
> issued a SecureId fob like I used in the workplace and
> any secret "key" transmitted over the 'net can simply
> be intercepted and used with full knowledge of how the
> key works since access to the source code is
> available. My customers aren't locked to using their
> account from a specific machine.

Google for "secure key exchange". You're not the first with this problem, and tested solutions exist.

> Do open source web servers include the full source to
> their encryption routines? What about SSL? Is the
> source to SSL open to the public?

Yes and yes.

-- 
Markku Kolkka
markku.kolkka@xxxxxx
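Following the pointer to secure key exchange above, here is an added Python example (not from anyone in this thread) of a Diffie-Hellman exchange: the algorithm and every value that crosses the network are public, yet both ends derive the same key. The group parameters P and G are constructed toy values chosen for this illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example only. 2**127 - 1 is
# prime, but real deployments use standardised groups of 2048 bits or more
# (RFC 3526 MODP groups) or an elliptic-curve group.
P = 2**127 - 1
G = 3


def keypair(p=P, g=G):
    """Pick a private exponent; only the public value pow(g, x, p) goes on the wire."""
    private = secrets.randbelow(p - 2) + 1
    public = pow(g, private, p)
    return private, public


def shared_key(peer_public, private, p=P):
    """Both sides compute g**(a*b) mod p and hash it into a 32-byte symmetric key."""
    secret = pow(peer_public, private, p)
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def exchange(p=P, g=G):
    """One exchange; returns (alice_key, bob_key, transcript seen by the network)."""
    a_priv, a_pub = keypair(p, g)
    b_priv, b_pub = keypair(p, g)
    transcript = {"p": p, "g": g, "A": a_pub, "B": b_pub}  # every value is public
    return shared_key(b_pub, a_priv, p), shared_key(a_pub, b_priv, p), transcript


def brute_force_private(public, p, g, limit):
    """Try exponents 1..limit for one that yields `public`, else return None.

    Recovering the private exponent from the public transcript is a discrete
    logarithm problem. It is easy for toy parameters and infeasible at real
    sizes, which is why the parameters and the key, not the code, carry the
    security."""
    for x in range(1, limit + 1):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    k_a, k_b, wire = exchange()
    print("keys match:", k_a == k_b)
    print("toy group p=23, g=5: recovered exponent", brute_force_private(8, 23, 5, 22))
```

An unauthenticated exchange like this only defeats a passive listener; an active attacker can sit in the middle and run two exchanges, which is why SSL/TLS also authenticates the server with a certificate.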