in reply to Perl & Java -- Can they keep a secret?

<gripe>

"There's a right way to do it, but it's too much work, so please provide me with an adequate excuse to do it the wrong way."

</gripe>

Any time you blast a login/password into the clear, you run the risk of it being captured by someone sitting in a server room, or just sitting in another cube with a sniffer, or a freeware program that turns a PC into a sniffer (it uses a feature on most network interface cards called 'promiscuous mode').

I believe, and anyone who knows differently please correct me if I'm wrong, that one of the features of SSL is that it uses a Secure Key Exchange algorithm. This is a mathematical 'trick' whereby both you and your 'peer' generate two large random numbers, each transmits one of these numbers to the other, and derives a third number that's the same on both ends, but was never transmitted in the clear. This number becomes the basis for your cipher keys that you then use for the rest of your session.

Update: Reference to a text that includes Secure Key Exchanges

Applied Cryptography
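The key-exchange 'trick' described above is Diffie-Hellman. The following is an added illustration, not code from the poster or the thread: each side keeps a private random exponent, sends only g^priv mod p across the wire, and both arrive at the same shared value, which is then hashed into a session key. The parameters p=23, g=5 are the constructed textbook toy pair; a real deployment uses a standardized group of 2048 bits or more (or an elliptic curve), and authenticates the exchange so that an active attacker in the middle cannot substitute their own public values, which is the part SSL/TLS certificates provide.

```python
import hashlib
import secrets

# Constructed toy group parameters (textbook example, NOT for real use).
P = 23  # prime modulus
G = 5   # generator


def generate_keypair(p=P, g=G):
    """Pick a private exponent and compute the public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1   # 1 <= priv <= p-2
    pub = pow(g, priv, p)
    return priv, pub


def public_value(priv, p=P, g=G):
    """Public value for a given private exponent (used when priv is fixed)."""
    return pow(g, priv, p)


def shared_secret(my_priv, their_pub, p=P):
    """Raise the peer's public value to my private exponent."""
    return pow(their_pub, my_priv, p)


def derive_key(secret):
    """Hash the raw shared value into a fixed-length session key."""
    return hashlib.sha256(str(secret).encode("ascii")).digest()


def simulate_exchange(p=P, g=G):
    """Run one exchange; return (key_a, key_b, values an eavesdropper sees)."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    # Only a_pub and b_pub cross the network; a_priv and b_priv never do.
    on_the_wire = (p, g, a_pub, b_pub)
    key_a = derive_key(shared_secret(a_priv, b_pub, p))
    key_b = derive_key(shared_secret(b_priv, a_pub, p))
    return key_a, key_b, on_the_wire


if __name__ == "__main__":
    ka, kb, seen = simulate_exchange()
    print("eavesdropper sees:", seen)
    print("keys match:", ka == kb)
```

An observer who records everything in `on_the_wire` still has to solve a discrete logarithm to recover either private exponent; with a 23-element group that is a trivial brute force, which is exactly why the parameter size matters.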


Re: Re: Perl & Java -- Can they keep a secret?
by Flame (Deacon) on Nov 17, 2003 at 22:08 UTC

    I'm not entirely sure how to take that top part. If you were attempting to describe me... I think I'm insulted, otherwise just confused. As to your concern about broadcasting passwords in the clear... well that's what I'm attempting to avoid. Yes the server and the user both have an unencrypted form, but I don't believe it would be so simple to break into the database and steal it.

    So, overall I'm not entirely sure what your point was, so I guess I'll just file it under an endorsement of SSL.

    My code doesn't have bugs, it just develops random features.

    Flame