[Project_owners] Protecting a Shared Secret

Eric H. Jung grimholtz at yahoo.com
Thu May 25 08:03:43 EDT 2006


Brian,

You should look into Diffie-Hellman Key Exchange.

From http://en.wikipedia.org/wiki/Diffie-Hellman:

"Diffie-Hellman (D-H) key exchange is a cryptographic protocol which
allows two parties that have no prior knowledge of each other to
jointly establish a shared secret key over an insecure communications
channel. This key can then be used to encrypt subsequent communications
using a symmetric key cipher."

The salted hash idea isn't a good one IMHO because all an attacker
needs is the salted hash to impersonate you. That can be retrieved
and/or calculated from the source in the same way a hard-coded secret
key can.

-Eric


--- Michael Johnston <special.michael at gmail.com> wrote:

> does licensing require that you make efforts not to leave the key
> readable?
> if not it's not your problem, it's the person who designed such a
> flawed API access restriction
> 
> On 5/25/06, Brian King <brian at mozdev.org> wrote:
> > Jippen wrote:
> > > Why not use a one-way hash of the secret? Say, md5 and salt the thing,
> > > then compare it with a hash stored on the machine. If it is good, send
> > > out the hash to the server, who does the same thing.
> >
> > Well, for one thing, the API is 3rd party so we have no control of the
> > server code.
> >
> > --
> > Brian King
> > www.mozdev.org - free project hosting for the Mozilla community
> > _______________________________________________
> > Project_owners mailing list
> > Project_owners at mozdev.org
> > http://mozdev.org/mailman/listinfo/project_owners
> >
> 
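
Added example, not part of the original thread and not code from any poster: a minimal model of the salted-hash proposal showing why the hash itself becomes the credential, as the reply above argues. The `Server` class, the function names, and the salt and secret values are all constructed for illustration, and SHA-256 stands in for md5 (the choice of hash does not change the result).

```python
import hashlib
import hmac

# Constructed sample values; none of these come from the thread.
SALT = b"constructed-salt"          # would ship in the client source
SECRET = b"constructed-api-secret"  # the value the scheme tries to hide


def salted_hash(secret: bytes, salt: bytes = SALT) -> str:
    """Salted one-way hash of the secret (SHA-256 stands in for md5)."""
    return hashlib.sha256(salt + secret).hexdigest()


# What the proposal would embed in the client instead of the raw secret.
STORED_HASH = salted_hash(SECRET)


class Server:
    """Hypothetical server that 'does the same thing': compares hashes."""

    def __init__(self, expected_hash: str):
        self._expected = expected_hash

    def authenticate(self, presented_hash: str) -> bool:
        return hmac.compare_digest(presented_hash, self._expected)


def legitimate_client(secret: bytes, server: Server) -> bool:
    """Client flow from the proposal: local check, then send the hash."""
    digest = salted_hash(secret)
    if not hmac.compare_digest(digest, STORED_HASH):
        return False
    return server.authenticate(digest)


def client_without_secret(known_hash: str, server: Server) -> bool:
    """A party holding only the hash (read from the source or the wire)."""
    return server.authenticate(known_hash)


if __name__ == "__main__":
    server = Server(STORED_HASH)
    print("knows secret:       ", legitimate_client(SECRET, server))
    print("wrong secret:       ", legitimate_client(b"guess", server))
    print("holds only the hash:", client_without_secret(STORED_HASH, server))
```

The server's decision depends only on the presented hash, so anyone who can read the stored hash from the shipped client is accepted exactly as the legitimate client is; hashing moved the secret without protecting it.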


