Security : Computer Security, Homeland Security, other kinds of Security that Al Macintyre has opinions on.
Updated: 11/01/2002; 11:24:57 AM.

 


Tuesday, October 15, 2002

I have worked with various different kinds of computer security over the years, but I am no expert at it.

Al Rule # 1 = You cannot padlock a tent or house of cards.  Security needs to be built into the foundation of the computer system, preferably via a rock solid operating system.

Al Rule # 2 = Computer data can be accessed by a variety of tools: software, hardware, and tapping into the flow of data.  Just because the software you are using cannot see the passwords or decrypt the data flow does not mean that some other person's software cannot do so.

Al Rule # 3 = It is not unusual for purchased computer systems and software to come with back doors left there by developers.  You have to do business with reputable firms that do not condone such behavior.

[BlogFish] found insight in [Jon's Radio]

Use Private Keys, no - Use Public Keys, no - ....

Jon Udell is opening a can of worms, I must not look...

I always knew there were ways to encrypt information and I accepted that. Then I was assigned the task of revamping our software licensing process. This required me to choose an encryption method. Choosing an encryption method required me to justify my selection against its alternatives. Justifying my selection required me to understand both my selection and the alternatives that I did not choose.

So I did some reading, and once I understood the difference between Private Key Encryption and Public Key Encryption, I changed my mind. Public Key Encryption surely seemed like the better choice.

If some rogue ex-employee were to take the private key and issue passwords for a discounted price, we could throw out the old key pair and replace it with two new keys. Because one of the keys of the pair is public, we could simply distribute it along with the encrypted information. No need to hard-code the private key in the software, right? No need to require customers to reinstall existing software, right? No need to maintain legacy password generation programs, right? (Anyone who has done this before, please comment...please throw me a clue...)

Yes, I thought I finally had gotten it. Public Key Encryption provides more convenience, more security, more robustness than Private Key Encryption.

I am trying to resist looking at Jon Udell's post. He is questioning his long-held assumption that Public Keys were the way to go.

Remind me why I need a public key. Dick Hardt, founder and now CTO of ActiveState, was prowling around the digital ID conference asking a deceptively simple question: "Why do I need a key pair?" ...
[Jon's Radio]
[BlogFish]
3:37:48 AM    


© Copyright 2002 Al Macintyre.


