Quote:
Originally Posted by
jim mcnamara
Regarding keys -- When not in use (ie standing somewhere) the half-keys should be encrypted - both on the user side and the system side. Otherwise they are sitting ducks.
How does one avoid the rube goldberg problem, though? That being, extra encryption/decryption steps where the server knows its own key gains nothing but extra heat and wasted time.
Quote:
Whenever someone cracks your code for the key encryption algorithm, then they win. Period.
How so? Knowing the algorithm won't get them the keys.
Quote:
Unless forward perfect secrecy is mandated take a value-based approach.
I'm not storing financial information, it's more of an admin tool.
Quote:
If somebody can reverse engineer code, or get your source easily, then most things you can do are pointless.
Again, how? Knowing the algorithm does not hand them the keys -- it tells them what they need to steal, but does not give them access.