Ian Clysdale (iancly@entrust.com)
Wed, 17 Jun 1998 12:18:43 -0400
Use a passphrase that the applet prompts for as a key? As a general rule,
hardcoded keys are a "BAD IDEA" (tm).
ian
> ----------
> From: Victor Emanuel Luz[SMTP:victorluz@inetd.pt]
> Sent: Wednesday, June 17, 1998 8:01 AM
> To: CodherPlunks@toad.com
> Subject: Java key hiding stealth method.
>
> Hi.
>
> I've been trying to use a Blowfish Java implementation by Markus Hahn
> ( http://www-hze.rz.fht-esslingen.de/~tis5maha/software.html ) to
> encrypt a small amount of data (less than 256 bytes) with an 80-bit
> secret key.
> The communication is made from an Applet to a Servlet using symmetric
> encryption.
> The info that I am trying to encrypt has a valid time of about two
> months and it is _not_ too sensitive.
>
> Problem:
>
> Even with devious stealth methods it is quite simple to declassify the
> applet and gain access to the secret key or the function that generates
> the key; see http://www.awesome.com/declass.html (it's free!) for details.
>
> Does anyone have some clue on how to defeat this?
>
> Thanks,
> Victor.
>
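The passphrase suggestion in the reply above, as an added example (not code from this thread or from Markus Hahn's library): the key is derived from a prompted passphrase, so nothing secret sits in the class file for a decompiler to recover. The PBKDF2 step, iteration count, 128-bit key size, CBC mode, the JDK's built-in Blowfish cipher and all class and method names are assumptions of this example, as is a servlet that already knows the same passphrase.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class PassphraseKeyDemo {
    static final int ITERATIONS = 200_000; // assumed work factor, tune per client
    static final int KEY_BITS = 128;       // assumed; Blowfish accepts 32..448 bits

    // Derive the Blowfish key from the passphrase and a public, random salt.
    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, KEY_BITS);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                         .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "Blowfish");
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy
        }
    }

    static byte[] crypt(int mode, SecretKeySpec key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; a real client reads this from a password prompt.
        char[] passphrase = "correct horse battery staple".toCharArray();
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16];
        byte[] iv = new byte[8]; // Blowfish block size is 8 bytes
        rng.nextBytes(salt);
        rng.nextBytes(iv);

        // Client side: salt and IV travel in the clear next to the ciphertext.
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), iv,
                          "short record".getBytes(StandardCharsets.UTF_8));
        // Server side: same passphrase plus the received salt yields the same key.
        byte[] pt = crypt(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), iv, ct);
        System.out.println(new String(pt, StandardCharsets.UTF_8));
        Arrays.fill(passphrase, '\0'); // do not leave the passphrase in memory
    }
}
```

CBC alone gives confidentiality but no integrity, so a deployment would add a MAC over salt, IV and ciphertext.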
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:18:36 ADT