Distributing user-developed Linux software and licensing issues.
Markku Kolkka
markkuk at tuubi.net
Thu Jan 19 07:27:28 UTC 2006
Runesabre wrote in their message (sent Thursday, 19 January 2006 01:10):
> I'm not a security expert so I'm learning as I go.
> What I can't really understand is how a client-side
> application can be completely open source and secure
> at the same time without giving away its encryption
> techniques.
The client is Open Source, secure, _and_ it "gives away" the
encryption techniques. All encryption algorithms in general use
are based on publicly released standards like RSA, DES or AES,
so no additional security is gained by trying to keep program
function hidden. Since the late 19th century, the security of encryption
systems has been evaluated based on Kerckhoffs' law: a cryptosystem
should be secure even if everything about the system, except the
key, is public knowledge.
( http://en.wikipedia.org/wiki/Kerckhoffs%27_law )
> I can't afford for every customer to be
> issued a SecureId fob like I used in the workplace and
> any secret "key" transmitted over the 'net can simply
> be intercepted and used with full knowledge of how the
> key works since access to the source code is
> available. My customers aren't locked to using their
> account from a specific machine.
Google for "secure key exchange". You're not the first with this
problem, and tested solutions exist.
> Do open source web servers include the full source to
> their encryption routines? What about SSL? Is the
> source to SSL open to the public?
Yes and yes.
--
Markku Kolkka
markku.kolkka at iki.fi
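An added example (not part of the thread) that makes Kerckhoffs' point concrete for the original question: a challenge-response login in which the whole protocol and all of the code are public, the shared key never crosses the network, and an observer who records every message still cannot answer a later challenge. The key value, the `Server` class and the helper names are assumptions for the example; how the key is initially agreed (out of band or via a key exchange, as the reply suggests) is not shown.

```python
import hashlib
import hmac
import secrets

# Constructed sample key: the only secret in the whole scheme. Everything
# else below is public knowledge, exactly as Kerckhoffs' law requires.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


class Server:
    """Server side of an HMAC challenge-response login (assumed design)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: set[bytes] = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        # A fresh random nonce per login attempt: this is what goes over the wire.
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Reject unknown or already-used nonces so a captured reply cannot be replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of `key` without ever transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> tuple[bool, bool, bool]:
    """One honest login, a replay of the captured messages, and a wrong-key attempt."""
    server = Server(SHARED_KEY)
    nonce = server.challenge()
    response = client_respond(SHARED_KEY, nonce)   # observable on the network
    honest = server.verify(nonce, response)
    replay = server.verify(nonce, response)        # same captured pair again
    nonce2 = server.challenge()
    wrong_key = server.verify(nonce2, client_respond(b"not the key", nonce2))
    return honest, replay, wrong_key


if __name__ == "__main__":
    print(demo())
```

The observer sees only (nonce, HMAC) pairs; with SHA-256 as the underlying public algorithm, those pairs do not let anyone compute the response to a nonce they have not seen, which is the property the open-source client relies on.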