Application Security

  • Question

  • I have the following problem related with securing an application.

    The app starts and creates an id that uniquely identifies the workstation, then connects to a db and checks, using that id, if the workstation has been authorized to log in. To do this it searches whether a key exists in the db for the given id, decodes that key and sees if it matches the id. If this check does not succeed the app asks the user to provide a valid key, which they can obtain by mailing us the given id.

    Now the problem: I want to generate the key starting from the workstation id at my site, that algorithm must be kept secret, while I'd like that the app at the customer site has a (public) algorithm to decode that key... it is the opposite situation of classical RSA encryption: I want the user to know how to decrypt but not how to encrypt...

    Does anyone know how to do this?

    « www.carlop.com × carlop-dev.blogspot.com »
    Thursday, March 13, 2008 5:33 PM


  • I think the problem you are describing is similar to signing and verifying files (digital signatures). It simply depends on which end of the RSA algorithm you are.


    If I want to send the client a value which they can verify (but cannot reproduce themselves), I can sign (=encrypt) the data using an RSA public and private key pair. The client receives the data together with the RSA public key and performs the verification (=decrypt). They cannot reproduce the encrypted value themselves since they do not have the private key.


    For your situation, the client sends you the workstation ID which you sign (encrypt) using your RSA key pair and send back to them. Your app can have the public key hard-coded into it and can verify (decrypt) the value sent back - it should match the workstation ID.



    Also note that you are in completely the wrong forum for this as this question has nothing to do with the CLR. You should check what the forum is for before posting.

    Friday, March 14, 2008 5:07 PM
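The vendor-signs / app-verifies scheme from the answer above, written out as an added example using Go's standard library (it is not code from the thread or from the original poster; the function names and the workstation ID values are illustrative assumptions):

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Vendor side (kept private): turn a workstation ID into a license key by
// signing its SHA-256 digest with the vendor's RSA private key. The key is
// returned base64-encoded so it can be mailed back to the customer as text.
func issueLicense(priv *rsa.PrivateKey, workstationID string) (string, error) {
	digest := sha256.Sum256([]byte(workstationID))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Client side (shipped in the app): only the public key is embedded, so the
// app can check that a license was issued for this workstation ID but cannot
// mint licenses itself. Any decode or verification failure is a rejection.
func verifyLicense(pub *rsa.PublicKey, workstationID, license string) bool {
	sig, err := base64.StdEncoding.DecodeString(license)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(workstationID))
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// Illustrative key; a real vendor key would be generated once and stored securely.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	lic, _ := issueLicense(priv, "WS-1234") // constructed workstation ID
	fmt.Println(verifyLicense(&priv.PublicKey, "WS-1234", lic)) // true
	fmt.Println(verifyLicense(&priv.PublicKey, "WS-9999", lic)) // false: wrong workstation
}
```

Because only the public key ships with the app, a customer cannot forge keys for other workstations, but the check still runs in client code the customer controls, so this is a licensing deterrent rather than a hard security boundary.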