Re: NSConnection timeouts
- Subject: Re: NSConnection timeouts
- From: Andrew Farmer <email@hidden>
- Date: Thu, 16 Aug 2007 13:49:36 -0700
On 16 Aug 07, at 04:53, Andrew James wrote:
> On 16/08/2007, at 6:41 AM, Andrew Farmer wrote:
>> If you're after encrypting network traffic, I recommend OpenSSL.
>> While TEA is a reasonable encryption algorithm (provided that
>> you're aware of the cryptanalytic attacks against it), it makes no
>> provision for key exchange or authentication - all things you'd
>> want to do for "network encryption". Even if you're just
>> interested in encrypting local data, OpenSSL has a large library
>> of cryptographic primitives.
>
> The problem with OpenSSL is that my application's server and client
> are available for everyone, so the data would be unsecure as
> everyone would have the private keys.

Security by obscurity is a terrible way to approach things - if all
it takes is one person reverse-engineering your program to make it
insecure, your program was never secure to start with. Worse yet, the
architecture you're describing would mean that, once someone managed
to extract the encryption key from your program, they would be able
to read all data encrypted by that program, forever. This is Bad.

True security does not depend on secrets. And in this case, there's
an appropriate solution available as well: on the first launch, have
the server generate a self-signed SSL certificate. Then use OpenSSL
to negotiate encryption between the client and the server. As part of
this negotiation, it'll generate a unique session key to encrypt that
session. Note that at no point does this system depend on anything
that's constant between every instance of the application! The only
nontransient secret is the server private key, and you could even
regenerate that at startup if you wanted to.

If all this sounds complicated -- well, it is. But most of the heavy
lifting is done for you by the OpenSSL library, and there's a lot of
open-source applications that use it which you can use as examples.

I'll close with a quote here: "Cryptography is not magic pixie dust
that you can sprinkle on a problem and make it secure." (Jon Callas)

Hopefully all this is a help to someone. :)
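
The first-launch step described in the message above, sketched with the `openssl` command-line tool as an added example (not code from the original post or from any poster): each install creates its own key pair and self-signed certificate, so two copies of the same program share no secret. The file names, the `example-server` CN and the client-side trust-on-first-use pin file are assumptions made for illustration; the TLS negotiation itself is left to the OpenSSL library, as the message says.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). File names, the CN and the
# pin-file format are assumptions made for illustration.
set -eu

# First launch: create a key pair and self-signed certificate unique to this
# install. Later launches reuse them, so nothing secret ships in the binary.
ensure_server_cert() {
    local dir=$1
    if [ ! -s "$dir/server.key" ] || [ ! -s "$dir/server.crt" ]; then
        mkdir -p "$dir"
        ( umask 077   # private key readable by the server's user only
          openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
              -subj "/CN=example-server" \
              -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
    fi
}

# SHA-256 fingerprint of a PEM certificate (public data, safe to display).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Client side, trust on first use: remember the first fingerprint seen and
# return non-zero if a later connection presents a different certificate.
check_pin() {
    local pin_file=$1 presented
    presented=$(cert_fingerprint "$2")
    if [ ! -s "$pin_file" ]; then
        printf '%s\n' "$presented" > "$pin_file"
        return 0
    fi
    [ "$(cat "$pin_file")" = "$presented" ]
}

# Demo in a scratch directory: two installs, one client pin.
demo() {
    local tmp; tmp=$(mktemp -d)
    ensure_server_cert "$tmp/install_a"
    ensure_server_cert "$tmp/install_b"
    check_pin "$tmp/pin" "$tmp/install_a/server.crt" && echo "pinned install_a"
    check_pin "$tmp/pin" "$tmp/install_b/server.crt" || echo "install_b rejected: fingerprint mismatch"
    rm -rf "$tmp"
}
demo
```

The fingerprint is what a user would compare out of band on first connection; the private key never leaves the server's directory.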