Anders, what's wrong with SSL? It uses both the cipher suites you mention (DES is no longer deemed "secure" by the way, 3DES is the way to go, and you can't use DES on its own, since you need to exchange your private keys somehow, hence they must encrypted with a public key). 3DES is faster than RSA.
Authentications supported by SSL: v2 - RSA or X.509 certs v3 - anonymous Diffie-Hellman Encryption supported by SSL: v2 - 40 bit RC2, RC4 v3 - 56 bit DES-CBC, 128 bit RC2, RC4, 3DES CBC 168-bit MAC supported by SSL v2 - MD5 v3 - SHA If you insist on doing it yourself, then Public Key cryptography is a good method for a one time only (ie send the password once and your done). If however you will be repeatedly sending encrypted data then you may find that a combination of public key and private key may be a better bet. All public key encryption is computationally intensive, with a combination, you can take the SSH approach and use public key to negotiate a private key between client & server and use this for the remainder of the session. However SSL does all this for you. I'd therefore suggest SSL. Both methods allow you to not worry about the fact that it is calculated client-side, since a good crypto suite should not be compromised simply by having the algorithm available. In fact, for a secure connection, at least some of the work must be done at the client end. Hope that helps! :) Cheers Ross > -----Original Message----- > From: Svensson, B.A.T. (HKG) [mailto:[EMAIL PROTECTED]] > Sent: 10 June 2002 14:49 > To: Php Win32 list > Subject: [PHP-WIN] How to pass passwd Server <-> Client in a "secure" > way > > > Dear Mr/Miss/Mrs/Madam/Sir All, > > I am currently thinking of how to transport the passwd between > the database and the client. One suggestion would be to use a > one pad chipper, but this is pointless if I want to update > the passwd: the key has to be distributed. So I was thinking > of using a public key system , for example RSA (would DES take > to long time?). > > But before I start all this implementation, I wonder what other > kinds of solution other might have been using - I would prefer > not to have scripts running on the client side, but a public > key system force me to do this. (And I can use php, so it > pointless to refer to any php specific methods.) > > //Anders > > -- > PHP Windows Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
