Security Basics mailing list archives
RE: Encryption Key Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 4 Mar 2005 10:00:04 -0800
-----Original Message-----
From: David Heise [mailto:dheise () gmail com]

Essentially it's not about the user, it's about the software. I want to ensure that only my software can talk to my webservice and vice versa. I don't care about the user, or who is using it, but the application. So, the thought is to have a unique method of sending and receiving data...namely encryption. The user will supply credentials and authenticate on top of this extra layer.
That's a seriously intractable problem. You can establish, cryptographically, whether the client process knows your key or not, but that's not sufficient to establish whether the client process is, in fact, running an unmodified image of your software. The usual ways to check for image modification, such as hashes, require access to the image itself to verify -- and there's no assurance that the image a process offers for verification is actually the image that is running.

Smart cards and tokens address a similar problem. But an important element of those solutions is that they're sealed in a pretty much tamper-proof piece of hardware -- and your application isn't. Counterfeiting a smart card or token is hard; imitating or cloning the part of your software that verifies its legitimacy will be considerably easier.

MAYBE you can make it more effort than the information you want to safeguard is worth, but that's a big IF.

David Gillett
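The limit Gillett describes, as an added illustration that is not part of the thread: a keyed challenge/response tells the server only that the peer holds the key, and a self-reported image hash tells it only what the peer chose to hash. The key, the "image" byte strings and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demonstration; neither is a real key nor a real binary.
SHARED_KEY = b"constructed-demo-key-0123456789abcdef"
GENUINE_IMAGE = b"def handle(req): return real_logic(req)"
MODIFIED_IMAGE = b"def handle(req): return altered_logic(req)"
GENUINE_HASH = hashlib.sha256(GENUINE_IMAGE).hexdigest()


def issue_challenge() -> bytes:
    """Server: fresh random nonce per session, so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def client_respond(key: bytes, nonce: bytes, running_image: bytes, reported_image: bytes) -> dict:
    """Client: prove knowledge of the key over the nonce and self-report an image hash.
    running_image is what the process actually executes; the protocol never touches it.
    Only reported_image (whatever bytes the process chooses) reaches the server."""
    tag = hmac.new(key, nonce, hashlib.sha256).hexdigest()
    return {"tag": tag, "image_hash": hashlib.sha256(reported_image).hexdigest()}


def server_verify(key: bytes, nonce: bytes, response: dict) -> dict:
    """Server: everything it can conclude from the response, and nothing more."""
    expected = hmac.new(key, nonce, hashlib.sha256).hexdigest()
    return {
        "knows_key": hmac.compare_digest(expected, response["tag"]),
        "reports_genuine_hash": hmac.compare_digest(response["image_hash"], GENUINE_HASH),
    }


def run_exchange(client_key: bytes, running_image: bytes, reported_image: bytes) -> dict:
    """One complete challenge/response between the server and one client."""
    nonce = issue_challenge()
    response = client_respond(client_key, nonce, running_image, reported_image)
    return server_verify(SHARED_KEY, nonce, response)


def demo() -> dict:
    """Three clients: the genuine build, a modified build that still carries the embedded
    key and the original image bytes, and a client that does not have the key."""
    return {
        "genuine": run_exchange(SHARED_KEY, GENUINE_IMAGE, GENUINE_IMAGE),
        "modified": run_exchange(SHARED_KEY, MODIFIED_IMAGE, GENUINE_IMAGE),
        "no_key": run_exchange(b"some-other-key", GENUINE_IMAGE, GENUINE_IMAGE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The genuine and modified builds produce identical verdicts, which is the server's whole view; only the client without the key is distinguishable.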
Current thread:
- Encryption Key Question David Heise (Feb 28)
- RE: Encryption Key Question David Gillett (Feb 28)
- Re: Encryption Key Question David Heise (Feb 28)
- RE: Encryption Key Question blind_chipmunk (Mar 01)
- RE: Encryption Key Question Alexander Klimov (Mar 02)
- Re: Encryption Key Question David Heise (Feb 28)
- RE: Encryption Key Question David Gillett (Feb 28)
- Re: Encryption Key Question Zaven (Mar 03)
- <Possible follow-ups>
- RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
- Re: Encryption Key Question David Heise (Mar 04)
- RE: Encryption Key Question David Gillett (Mar 04)
- Re: Encryption Key Question David Heise (Mar 04)
- RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
- RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
- Re: Encryption Key Question Dr. S. A. Vetha Manickam (Mar 04)