"[T]his is the encryption method that this program will use since it's about to go into production, so please don't suggest alternatives."

With this sort of poor planning (only asking for advice after it's too late to implement any of the suggestions), I don't know what you expect to gain from posting this information here.

You have obviously spent a great deal of time developing this HR system. Indeed, you have also spent much time developing your own protocol and cypher method. This is a shame.

For your future reference, without trying to sound too blunt, I'm going to have to recommend that you stick to what you know, and don't try to reinvent the wheel. There are plenty of well-known, generic protocols--with secure encryption algorithms--that you could have used. They could have done a better job, and would have required ZERO development time on your part. With the variety of APIs and code libraries out there, I suspect in the length of time it took you to submit your original e-mail, you probably could have added a reasonably-secure protocol to your system.

Instead, you are now stuck with an inadequate, home-grown connection method. Oh well. Better luck with "2.0".

Sincerely,
Trevor Hammonds

-----Original Message-----
From: Bryan Ponnwitz [mailto:bponnwitat_private]
Sent: Friday, 6 September 2002 9:47 AM
To: secprogat_private
Subject: Data Encryption

I've designed an HR system for the company that I work for and part of the system is a server application which allows for program updates to be downloaded, messages to be sent to users and provides the ability to kick users. For this, I've developed my own protocol running on port 7282/tcp. Since this server is what I use for authentication, I had to build some encryption into the protocol so that usernames and passwords weren't being transmitted cleartext.

My question is, how safe am I using this encryption? I've heard that homegrown encryption is asking for trouble, but it seems to me that it would be difficult to break it. In any case, this is the encryption method that this program will use since it's about to go into production, so please don't suggest alternatives; I'm only looking to evaluate the method I've developed.

I've outlined my encryption methods below; take a look and let me know how tough you think it would be to crack. Any comments are welcome!

> > > S N I P < < <

Bryan Ponnwitz
Webmaster - Broome-Tioga Boces
bponnwitat_private
(607) 763-3609
This archive was generated by hypermail 2b30 : Sun Sep 08 2002 - 10:48:40 PDT