Re: Cryptography problem

From: Jim Grimmett (cssjwg_at_bath.ac.uk)
Date: 06/23/04

Next message: Lassi Hippeläinen: "Re: spam list"

Previous message: Lassi Hippeläinen: "Re: Safe Passage SSH VPN for securing wireless connections?"
In reply to: Dean Hallman: "Cryptography problem"
Next in thread: Gerard Bok: "Re: Cryptography problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 23 Jun 2004 09:18:27 GMT

"Dean Hallman" <deanh@sc.rr.com> wrote in message:
>
> Basically, I have a web server that can process search strings, and clients
> that submit search strings.
>
> However, the client software must be *my* software (rich clients). I don't
> want imposters, masquerading as my software and sending search packets the
> server can't distinguish from my own

The biggest problem you have is that your client will be available 'in the
wild'.
If someone _really_ wants to use your search facilities enough they can
reverse engineer the code form the client and nothing you can do about it
can stop it completely.

What you've got to ask yourself is this: How tough do you want to make it
for these crackers to break your software?

Assuming you can come up with a secure way of transferreing the search data
(why not just piggy back the whole thing over https for a start) how are you
going
to stop them from just looking inside your client and finding out how you did
it?

You can obfusticate your code (e.g. encrypt parts of code that are decrypted in
memory), sign it, check signatures before running, etc, etc but all of this can
be circumvented by someone with enough time and patience (e.g. just put NOPs
over the top of the part that checks whether the code is signed correctly).

Just OOI why would someone use your search software over Google ;-P

Cheers, Jim Grimmett.
Systems Manager
University of Bath, Department of Computer Science.
Int: 3084, Ext: 01225 383084, Mob: 07989 595399

Next message: Lassi Hippeläinen: "Re: spam list"

Previous message: Lassi Hippeläinen: "Re: Safe Passage SSH VPN for securing wireless connections?"
In reply to: Dean Hallman: "Cryptography problem"
Next in thread: Gerard Bok: "Re: Cryptography problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: session object II
... web server does not hold a static connection with a client. ... Create a web service on the web server that will accept and return ...
(microsoft.public.dotnet.framework.aspnet)
Re: Quick Start certificate
... Where do I specify what the root path is. ... Then run the client. ... Did you give your web server identity permission to ... It's done through the certificate tool that's installed ...
(microsoft.public.dotnet.framework.webservices.enhancements)
Re: Quick Start certificate
... I have enabled diagnostics on the client and the web service. ... Did you give your web server identity permission to ... read the certificate on the server? ...
(microsoft.public.dotnet.framework.webservices.enhancements)
Re: Snort as IDS
... The snort rules are prone to false alarms. ... you need to configure it specific to each client? ... http_inspect with any profile? ... Yes, if you are monitoring your web server, you should apply those rules. ...
(Focus-IDS)
Re: Proxy Servers/Caching
... If this is a client issue, ... > I have tried about every cache control value on the web server. ... he said the initial request from the player has ... I'd go to IIS admin and the HTTP headers tab. ...
(microsoft.public.windowsmedia)