Re: Data Encryption

From: lists@notatla.demon.co.uk
Date: 09/07/02


To: secprog@securityfocus.COM
Date: Fri,  6 Sep 2002 23:14:56 +0100 (BST)
From: lists@notatla.demon.co.uk


Bryan Ponnwitz wrote:

> I'm only looking to evaluate the method I've developed.

There have been other replies I need not duplicate.

> The protocol is set up so that the first four bytes of any transfer are
> signaling data. Packets can be more than 4 bytes depending on what is
> in the signaling data, but 4 bytes is the minimum; for instance:
> EC 03 00 00 is the data you would send to the server to login. After

There's a reason why lots of common protocols use text strings such
as USER and PASS - they are easy to remember and test with readily-
available tools. Simplicity and testability are good. It's also
common for servers to respond with numbers prefixing their text responses:
2xx for success, and so on. See RFC 977 or several others.

If you're passing strings around with lengths then there's a format
documented by Bernstein you might consider.
    http://cr.yp.to/proto/netstrings.txt

I don't know what the VB string handling functions are but something
similar to C's fgets() is what I would want. There should be no chance
to write outside the memory reserved for data even if the size data
supplied is misleading, negative or in any way strange.
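
An added example, not part of the original post: a bounded parser for one netstring ("<len>:<payload>,") that refuses a length that is negative, oversized, or larger than the data actually received before it copies anything. The function name, result codes and buffer sizes are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Result codes; the names are this example's own. */
enum { NS_OK = 0, NS_BAD_LENGTH = -1, NS_TOO_LONG = -2,
       NS_TRUNCATED = -3, NS_BAD_FORMAT = -4 };

/*
 * Parse one netstring "<len>:<payload>," from in[0..in_len) and copy the
 * payload into out[0..out_cap). Nothing is written to out unless the
 * whole frame has been validated against both buffer sizes.
 */
int ns_parse(const unsigned char *in, size_t in_len,
             unsigned char *out, size_t out_cap,
             size_t *payload_len, size_t *consumed)
{
    size_t i = 0, len = 0;

    if (in_len == 0)
        return NS_TRUNCATED;
    /* Only ASCII digits may start the length: rejects "-5:", "+5:", " 5:". */
    if (in[0] < '0' || in[0] > '9')
        return NS_BAD_LENGTH;
    /* Leading zeros are not allowed, so "05:" is refused; "0:," is valid. */
    if (in[0] == '0' && in_len > 1 && in[1] >= '0' && in[1] <= '9')
        return NS_BAD_LENGTH;

    for (; i < in_len && in[i] >= '0' && in[i] <= '9'; i++) {
        size_t d = (size_t)(in[i] - '0');
        /* Refuse as soon as len*10+d would exceed out_cap; no overflow. */
        if (d > out_cap || len > (out_cap - d) / 10)
            return NS_TOO_LONG;
        len = len * 10 + d;
    }
    if (i == in_len)
        return NS_TRUNCATED;
    if (in[i++] != ':')
        return NS_BAD_FORMAT;
    /* The declared length plus the ',' must already be in the input. */
    if (in_len - i <= len)
        return NS_TRUNCATED;
    if (in[i + len] != ',')
        return NS_BAD_FORMAT;

    memcpy(out, in + i, len);
    *payload_len = len;
    *consumed = i + len + 1;
    return NS_OK;
}
```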