in reply to Security and JavaScript

So, what security failures are you aiming to prevent? If you're only aiming to prevent random guessing machines from getting in, it's not a bad system, provided that the mathematics behind the SHA algorithm aren't too bad. However, it won't offer any protection at all against network sniffing, and if the network does get sniffed between, there's a chance (I think) for the client key to be compromised. It might help if you have a password being asked for regardless of if the hash went ok, so as to make it harder for people to know if they get the hash part right. You might want to complement this with SSL too.

Re: Re: Security and JavaScript
by rlgarris682 (Initiate) on Apr 29, 2003 at 01:27 UTC

    Right, yeah. Actually, the secret code kept in the HTML file is never sent as plain text; only the hash of the randomly generated number and secret code is, so even if a packet sniffer gets hold of the hash it wouldn't do them any good, because that hash is only valid for that session and linked to the client's original IP address. The SHA1 algorithm is a 160-bit one-way encryption and is more secure than MD5.
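
The exchange described in this thread, as an added example that is not part of either post or of the original poster's code: the server issues a random number per session, the client returns only the SHA-1 of that number plus the secret, and the server accepts it once for the same session and IP. All function names, the session ids and the secret value are assumptions made up for illustration, and the single-use and constant-time comparison details are choices of this sketch.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed sample value known to page and server
const pending = new Map();                // sessionId -> { nonce, ip }

// SHA-1 over nonce + secret, as the reply describes; 40 hex chars = 160 bits.
function sha1Hex(nonce, secret) {
  return crypto.createHash('sha1').update(nonce + secret).digest('hex');
}

// Server: issue a fresh random number for this session and remember the requesting IP.
function issueChallenge(sessionId, ip) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(sessionId, { nonce, ip });
  return nonce;
}

// Client: only the hash goes over the wire, never the secret itself.
function clientResponse(nonce, secret) {
  return sha1Hex(nonce, secret);
}

// Server: accept once, and only for the session and IP the challenge was issued to.
function verifyResponse(sessionId, ip, response) {
  const entry = pending.get(sessionId);
  if (!entry) return false;               // unknown session or challenge already used
  pending.delete(sessionId);              // single use: a captured hash cannot be replayed
  if (entry.ip !== ip) return false;      // hash is linked to the original client IP
  const expected = Buffer.from(sha1Hex(entry.nonce, SECRET), 'hex');
  const got = Buffer.from(String(response), 'hex');
  // Length check first: timingSafeEqual throws on buffers of different size.
  return got.length === expected.length && crypto.timingSafeEqual(expected, got);
}
```

A sniffer who records one exchange still holds a matching number and hash pair to test secret guesses against offline, which is the case the first reply's SSL suggestion covers.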