
[nycphp-talk] sessions and application security

Chris Bielanski Cbielanski at inta.org
Tue Jan 27 16:04:38 EST 2004


This was actually a unique public key *after* SSL negotiation, so you have
the SSL-secure layer to the browser, then the webapp secures the
"key-tunnel" via PGP, Blowfish, or whatever, and each transaction was
additionally secured via moving-target.

The great advantage? There are no export laws against encryption strength of
financial data. Write once, run everywhere.

~Chris

-----Original Message-----
From: Hans Zaunere [mailto:hans not junk at nyphp.com]
Sent: Tuesday, January 27, 2004 3:56 PM
To: NYPHP Talk
Subject: RE: [nycphp-talk] sessions and application security



> Only solution I've ever seen devised for this is a 
> moving-target encryption.
> Public key handshake (within SSL) leads to an ever-changing series of
> private keys devised by your own proprietary method. Every transaction
> (every page) has a new key. The numerical application is left 
> as an exercise to the reader. ;)

I had kicked around some sequencing sessions, modeled after TCP's
SYN/ACK sequence numbers - but using the SSL keys... now
that's-a-good-idea.  I'm even thinking...  depending on your platform,
you could reach down the network stack and just grab the real TCP
SYN/ACK numbers.  But probably not doable in pure PHP :)

H

_______________________________________________
talk mailing list
talk at lists.nyphp.org
http://lists.nyphp.org/mailman/listinfo/talk
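The per-transaction keying sketched in this exchange, written out as an added example (it is not code from the thread or from NYPHP, and it is in Python rather than PHP so the pieces run stand-alone). Assumed: a 32-byte session secret handed to the client over TLS at login, an HMAC-SHA256 ratchet standing in for the "proprietary method", and a strictly increasing per-session counter playing the role of the TCP sequence number. The request payloads are constructed sample data.

```python
"""Per-request key ratchet for a web session, in the spirit of the
'moving-target' scheme discussed in the thread.  Added example, not code
from the thread.  Assumes the session secret has already been delivered
to the client over TLS; everything below runs offline with constructed
data."""
import hashlib
import hmac
import secrets


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so 'a'||'bc' != 'ab'||'c'."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class Ratchet:
    """State held by one side of the session (assumed design).

    state_i is never sent.  Request i uses k_i = PRF(state_i, "mac"), then
    both sides move to state_{i+1} = PRF(state_i, "next").  Once the old
    state is gone, a later compromise cannot recover earlier request keys.
    """

    def __init__(self, secret: bytes):
        self.state = secret
        self.seq = 0  # next sequence number to issue/expect, TCP-style

    def key(self) -> bytes:
        return _prf(self.state, b"mac")

    def advance(self) -> None:
        self.state = _prf(self.state, b"next")
        self.seq += 1


def client_sign(r: Ratchet, payload: bytes) -> dict:
    """Build one request (seq, payload, tag) and advance the client ratchet."""
    seq = r.seq
    tag = _prf(r.key(), seq.to_bytes(8, "big"), payload)
    r.advance()
    return {"seq": seq, "payload": payload, "tag": tag}


def server_verify(r: Ratchet, req: dict) -> bool:
    """Accept only the next expected seq carrying a valid tag, then advance.

    A replayed or out-of-order request fails the seq check before any MAC
    work is done, and a bad tag leaves the server state untouched, so a
    forged request cannot desynchronise the two sides."""
    if req["seq"] != r.seq:
        return False
    expected = _prf(r.key(), req["seq"].to_bytes(8, "big"), req["payload"])
    if not hmac.compare_digest(expected, req["tag"]):
        return False
    r.advance()
    return True


def new_session() -> tuple:
    """Both sides start from one secret, assumed sent to the client under TLS."""
    secret = secrets.token_bytes(32)
    return Ratchet(secret), Ratchet(secret)


def demo() -> dict:
    """Run a constructed exchange and report what the server accepted."""
    client, server = new_session()
    r1 = client_sign(client, b"GET /account")
    r2 = client_sign(client, b"POST /transfer amount=10")
    results = {
        "first": server_verify(server, r1),
        "second": server_verify(server, r2),
        "replay": server_verify(server, r2),  # seq 1 already consumed
    }
    r3 = client_sign(client, b"POST /transfer amount=10")
    forged = dict(r3, payload=b"POST /transfer amount=9999")  # tampered in transit
    results["tampered"] = server_verify(server, forged)
    results["third"] = server_verify(server, r3)  # the genuine copy still works
    return results


if __name__ == "__main__":
    print(demo())
```

The counter check is what makes the scheme a moving target: a captured request cannot be replayed because its number is already spent, and the tag binds the payload to that number under a key that exists for one request only. Two caveats a deployment would need: the scheme rides on top of TLS rather than replacing it (the secret still has to reach the client confidentially and the server still has to be authenticated), and a strictly sequential counter breaks as soon as a browser issues requests concurrently, which would call for a sliding acceptance window instead of exact-match ordering.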
