RE: Data Encryption

From: Trevor G. Hammonds (trevorat_private)
Date: Fri Sep 06 2002 - 16:49:56 PDT


    "[T]his is the encryption method that this program will use since it's
    about to go into production, so please don't suggest alternatives."
    
    With this sort of poor planning (only asking for advice after it's too
    late to implement any of the suggestions), I don't know what you expect
    to gain from posting this information here.
    
    You have obviously spent a great deal of time developing this HR system.
    Indeed, you have also spent much time developing your own protocol and
    cypher method.  This is a shame.  For your future reference, without
    trying to sound too blunt, I'm going to have to recommend that you stick
    to what you know, and don't try to reinvent the wheel.  There are plenty
    of well-known, generic protocols--with secure encryption
    algorithms--that you could have used.  They could have done a better
    job, and would have required ZERO development time on your part.  With
    the variety of APIs and code libraries out there, I suspect in the
    length of time it took you to submit your original e-mail, you probably
    could have added a reasonably-secure protocol to your system.
    Instead, you are now stuck with an inadequate, home-grown connection
    method.
    
    Oh well.  Better luck with "2.0".  
    
    
    		Sincerely,
    		Trevor Hammonds
    
    
    -----Original Message-----
    From: Bryan Ponnwitz [mailto:bponnwitat_private] 
    Sent: Friday, 6 September 2002 9:47 AM
    To: secprogat_private
    Subject: Data Encryption
    
    
    I've designed an HR system for the company that I work for and part of
    the system is a server application which allows for program updates to
    be downloaded, messages to be sent to users and provides the ability to
    kick users.  For this, I've developed my own protocol running on port
    7282/tcp.  Since this server is what I use for authentication, I had to
    build some encryption into the protocol so that usernames and passwords
    weren't being transmitted cleartext.  My question is, how safe am I
    using this encryption?  I've heard that homegrown encryption is asking
    for trouble, but it seems to me that it would be difficult to break it. 
    In any case, this is the encryption method that this program will use
    since it's about to go into production, so please don't suggest
    alternatives; I'm only looking to evaluate the method I've developed. 
    I've outlined my encryption methods below; take a look and let me know
    how tough you think it would be to crack.  Any comments are welcome!
    
    > > >   S N I P   < < <
    
    Bryan Ponnwitz
    Webmaster - Broome-Tioga Boces
    bponnwitat_private
    (607) 763-3609
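As an added illustration of the reply's point (this is example code written for this archive page, not code from either poster or from the HR system under discussion), the following Go program wraps a trivial line-based login exchange in TLS using only the standard library. The "LOGIN user password" line is a constructed stand-in for the snipped home-grown scheme, the certificate is a throwaway self-signed one generated at run time so the program runs offline, and the listener uses an ephemeral loopback port rather than the post's 7282/tcp. Everything the application still has to write is the few lines of application protocol; confidentiality, integrity and server authentication come from the library.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway certificate for 127.0.0.1 (constructed for
// this example). A real deployment would use a certificate issued by the
// organisation's CA and distribute that CA to clients instead.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "hr-update-server (example)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(certPEM)
	return cert, pool, nil
}

// LoginOverTLS runs a one-shot server and client on loopback. The client sends
// a constructed "LOGIN user password" line inside the TLS session; the server
// answers "OK user". It returns the line the server saw and the client's reply.
func LoginOverTLS(user, pass string) (received, reply string, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", "", err
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", "", err
	}
	defer ln.Close()

	got := make(chan string, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			got <- ""
			return
		}
		defer conn.Close()
		line, _ := bufio.NewReader(conn).ReadString('\n') // handshake completes here
		got <- strings.TrimSpace(line)
		fields := strings.Fields(line)
		if len(fields) == 3 && fields[0] == "LOGIN" {
			fmt.Fprintf(conn, "OK %s\n", fields[1])
		} else {
			fmt.Fprintln(conn, "ERR")
		}
	}()

	// The client trusts only the example CA and verifies the server's identity;
	// tls.Dial fails before any application data is sent if that check fails.
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "LOGIN %s %s\n", user, pass)
	resp, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", "", err
	}
	return <-got, strings.TrimSpace(resp), nil
}

func main() {
	received, reply, err := LoginOverTLS("alice", "s3cret")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("server received: %q\nclient got back: %q\n", received, reply)
}
```

The only application-specific code is the two `Fprintf` lines and the `Fields` check; the transport is entirely the standard library's TLS, which is the "zero development time" the reply refers to. Note that TLS protects the credentials in transit only; the server still has to verify the password against a stored hash rather than a plaintext copy.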
    



    This archive was generated by hypermail 2b30 : Sun Sep 08 2002 - 10:48:40 PDT