[nycphp-talk] sessions and application security
Chris Bielanski
Cbielanski at inta.org
Tue Jan 27 16:04:38 EST 2004
This was actually a unique public key *after* SSL negotiation, so you have
the SSL-secure layer to the browser, then the webapp secures the
"key-tunnel" via PGP, Blowfish, or whatever, and each transaction was
additionally secured via moving-target.
The great advantage? There are no export laws against encryption strength of
financial data. Write once, run everywhere.
~Chris
-----Original Message-----
From: Hans Zaunere [mailto:hans not junk at nyphp.com]
Sent: Tuesday, January 27, 2004 3:56 PM
To: NYPHP Talk
Subject: RE: [nycphp-talk] sessions and application security
> Only solution I've ever seen devised for this is a
> moving-target encryption.
> Public key handshake (within SSL) leads to an ever-changing series of
> private keys devised by your own proprietary method. Every transaction
> (every page) has a new key. The numerical application is left
> as an exercise to the reader. ;)
I had kicked around some sequencing sessions, modeled after TCP's
SYN/ACK sequence numbers - but using the SSL keys... now
that's-a-good-idea. I'm even thinking... depending on your platform,
you could reach down the network stack and just grab the real TCP
SYN/ACK numbers. But probably not doable in pure PHP :)
H
_______________________________________________
talk mailing list
talk at lists.nyphp.org
http://lists.nyphp.org/mailman/listinfo/talk
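The per-page rotating key sketched in this thread ("every transaction has a new key", with sequencing modeled on TCP sequence numbers), as an added example that is not code from the original posts: both ends start from the same secret (a stand-in for whatever the SSL-level handshake produced, constructed here with secrets.token_bytes) and ratchet it forward once per transaction, so every page is authenticated under a fresh key, a replayed page fails the sequence check, and a tampered page fails the MAC. The Client/Server classes, the key labels, and the sample requests are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, seq: int, payload: bytes) -> str:
    """HMAC over the sequence number and payload under this transaction's key."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).hexdigest()


class TransactionKeyChain:
    """Shared-secret ratchet: one key per transaction, advanced in lockstep by both sides."""

    def __init__(self, handshake_secret: bytes) -> None:
        # handshake_secret stands in for whatever the SSL handshake produced (assumption)
        self._chain_key = handshake_secret
        self.seq = 0

    def current_key(self) -> bytes:
        # Key for transaction number self.seq, derived from the chain key, never the chain key itself
        return hmac.new(self._chain_key, b"txn-key", hashlib.sha256).digest()

    def advance(self) -> None:
        # One-way step: learning a later chain key does not reveal earlier transaction keys
        self._chain_key = hmac.new(self._chain_key, b"ratchet", hashlib.sha256).digest()
        self.seq += 1


class Client:
    def __init__(self, handshake_secret: bytes) -> None:
        self.chain = TransactionKeyChain(handshake_secret)

    def make_request(self, payload: bytes) -> dict:
        seq = self.chain.seq
        tag = _mac(self.chain.current_key(), seq, payload)
        self.chain.advance()
        return {"seq": seq, "payload": payload, "tag": tag}


class Server:
    def __init__(self, handshake_secret: bytes) -> None:
        self.chain = TransactionKeyChain(handshake_secret)

    def accept(self, req: dict) -> bool:
        # Sequence mismatch means a replayed or out-of-order page: reject before touching any key
        if req["seq"] != self.chain.seq:
            return False
        expected = _mac(self.chain.current_key(), req["seq"], req["payload"])
        if not hmac.compare_digest(expected, req["tag"]):
            # Bad tag: do NOT advance, otherwise one forged request desynchronises the real client
            return False
        self.chain.advance()
        return True


def run_demo() -> dict:
    """Constructed exchange: three legitimate pages, one replay, one forgery."""
    secret = secrets.token_bytes(32)  # constructed stand-in for the handshake output
    client, server = Client(secret), Server(secret)

    req1 = client.make_request(b"GET /account")
    req2 = client.make_request(b"POST /transfer amount=100")
    req3 = client.make_request(b"POST /transfer amount=900")

    # Tamper with the amount in req3 but keep its tag: the MAC no longer matches
    forged = dict(req3, payload=b"POST /transfer amount=9000")

    # Per-transaction keys really do change from one page to the next
    probe = TransactionKeyChain(secret)
    key0 = probe.current_key()
    probe.advance()

    return {
        "first_accepted": server.accept(req1),
        "replay_rejected": not server.accept(req1),
        "second_accepted": server.accept(req2),
        "forged_rejected": not server.accept(forged),
        "genuine_after_forgery_accepted": server.accept(req3),
        "keys_differ": key0 != probe.current_key(),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The server advances its chain only after a valid tag; if it advanced on the sequence check alone, a single forged request with the right sequence number would push the server one step ahead of the genuine client and every later page would be rejected. The same lockstep requirement is the practical cost of this scheme: a lost or retried request (a double-clicked form, a browser refresh) must be handled as a resynchronisation case, not treated as an attack by default.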