Yes, but it has its many flaws. If one of the many certificate authorities is compromised (and it has happened before), all hell can break loose. Plus there's a lot of evidence that the certificate authorities are working with government agencies to decrypt user connections. The model I suggest is much more decentralized and gives the power back to the user in the same way that the model you described does.
User/server encryption is my plan. User to user would be peer to peer, and my suggestion has nothing to do with that. I plan to use public key cryptography to establish a secure line of transmission between the server and browser. Most of the page can be sent unencrypted, but the sensitive stuff can be encrypted. One of the main problems with the https protocol is the amount of overhead wasted by encrypting everything when only certain things, such as password transmissions, need to be encrypted.
edit on 24/2/2013 by ChaoticOrder because: (no reason given)
User/server encryption is my plan. User to user would be peer to peer and my suggestion has nothing to do with that. I plan to use public key cryptography to establish a secure line of transmission between the server and browser
another interesting idea is the public/private key combination becomes the public key for a second public/private key pair,
another interesting idea is the public/private key combination becomes the public key for a second public/private key pair,
I do have some concerns about this one. Public/private keys work because the private key remains private. If this private key is going to be made public, even briefly, the whole encryption process is exposed. There is a lot of complex math going on, and it does come down to the implementation, as our words and understanding can have limitations in describing the actual specifics.
As for how public / private key combinations are derived, if it is easy to define the private key from this secondary key pair, then it is also easy to hack and break. It is very easy to end up with a convoluted mess as it is very difficult to balance security with usability. Personally I would only use the tools as they are designed and avoid this reuse. I am not sure on the recursive capabilities of public/private keys and would want it thoroughly investigated before putting any weight on it. Maybe it is possible with a few tweaks, maybe it is not.
I am not sure on the recursive capabilities of public/private keys and would want it thoroughly investigated before putting any weight on it. Maybe it is possible with a few tweaks, maybe it is not.
where large complex equations would create too much overhead "locally" but the second round of encryption (on the server) can handle much larger operations.
Originally posted by XPLodER
the fact that this technology doesn't require a "local install" of software also means that you are not required to know "how" complex encryption works, and also means that you don't need to know "how" to set it up to be secure.
so how does it work,...snip
Originally posted by HattoriHanzou
reply to post by XPLodER
Buzzword bingo detected. The principle sounds just like warmed over public key crypto, and it will never see widespread adoption because companies want easy access to their users' data. This is, after all, how they make money.
Originally posted by HattoriHanzou
reply to post by XPLodER
Buzzword bingo detected. The principle sounds just like warmed over public key crypto, and it will never see widespread adoption because companies want easy access to their users' data. This is, after all, how they make money.
Although Twitter is looking for an engineer to implement two-factor authentication for its users, it still won't prevent a repeat of the recent attack that saw 250,000 users exposed, according to OneID founder Steve Kirsch.
Two-factor authentication provides an additional effective step to thwart would-be attackers from taking over users' accounts, but it is currently not an option for Twitter users. On the back of recent attacks on the site, many have been calling for Twitter to implement it, but, according to Kirsch, even if Twitter does roll out the security measure, it won't prevent the attack from occurring.
While not dismissing two-factor authentication systems' effectiveness at preventing existing phishing attacks from being successful, Kirsch said that the number of people signing up for it in existing services is abysmal, and doesn't do much for improving overall security.
www.zdnet.com...
The lesson is: if it is too hard to use, nobody will use it.
You sound more concerned with advertising revenue than with keeping personal identifying information secure.
While I understand a web site's need to make money, that should not be at the cost of personal privacy.
You don't seem to understand how UCE works and yet claim bingo.
Well, if you can tell the difference in security terms between centrally managed passwords and user controlled passwords, and why the model is vastly different, then I'm sure explaining it to you would be as useful as playing a game of bingo with a chicken.
Feel sorry for advertisers and not users; I think you have your priorities in the wrong place.
xploder
where large complex equations would create too much overhead "locally" but the second round of encryption (on the server) can handle much larger operations.
To really beef up security, instead of moving towards more complex algorithms, move towards longer keys. The one time pad is the most secure encryption available as the key is as long as the message. Even with a fast and simple XOR encryption it is impossible to crack as long as a truly random source is used. It does add more overhead to memory, but not processing. This is why I expect there have been national security limits on the key lengths used with encryption.
While such a technique does have its place in some situations, it also has some problems in maintaining and protecting the keys as they can become quite large if a lot of data is encrypted. It is not the kind of thing your average computer user wants to contend with as any mistakes can suddenly make the whole lot unreadable.
One future concern I do have for processor intensive encryptions like Blowfish and others is with how Rainbow tables are becoming a growing business for quickly defeating hashes. MD5 is now rendered obsolete for any security functions due to this, but still works ok for file verifications. With enough computing resources it will become feasible, maybe even profitable for similar tables to help beat other commonly used encryption methods as well. Just keep a heads up with any methods employed as it is a dynamic environment.
One thing I have found with programming: the clearer you can define what you want, the better your chance of getting it.
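The one-time pad described in the post above, as an added example that is not part of the original thread: XOR with an os.urandom key as long as the message, why any same-length plaintext is equally consistent with a given ciphertext, and what a reused key leaks. The two messages are constructed for the demonstration.

```python
"""One-time pad (OTP): XOR with a random key at least as long as the message.
Added example; the sample messages below are constructed."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_key(length: int) -> bytes:
    """Fresh key from the OS CSPRNG. An OTP key is used once, then destroyed."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt with a one-time pad. A key shorter than the message is rejected:
    repeating or stretching a short key makes this a stream cipher with none
    of the OTP's guarantees."""
    if len(key) < len(plaintext):
        raise ValueError("OTP key must be at least as long as the message")
    return xor_bytes(plaintext, key[:len(plaintext)])


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def key_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the key under which `candidate` encrypts to `ciphertext`.
    One exists for every same-length candidate, so the ciphertext alone does
    not favour any plaintext: that is the 'impossible to crack' property."""
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two messages under one key: c1 XOR c2 cancels the key and leaves
    m1 XOR m2. Zero bytes mark every position where the plaintexts agree."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m1 = b"transfer 100 to alice"   # constructed sample
    m2 = b"transfer 900 to bobby"   # constructed sample, same length
    k = otp_key(len(m1))
    c1 = otp_encrypt(m1, k)
    print(otp_decrypt(c1, k) == m1)                             # True
    print(otp_decrypt(c1, key_consistent_with(c1, m2)) == m2)   # True
    print(two_time_pad_leak(c1, otp_encrypt(m2, k)).count(0))   # 15
```

The zero count shows the practical cost of key reuse: 15 of 21 byte positions are revealed as identical across the two messages without knowing the key.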
Originally posted by HattoriHanzou
reply to post by XPLodER
The problem is that the private data - user / pass pair - is part of the total data package that is desired by the people operating these free services.
We already have one-way hashing as a way to protect passwords, and SSL / HTTPS is still good enough for protecting data in transit.
Frankly this sounds like a new buzzword which is being promoted. Also, no mention of the algorithm? No analysis by cryptographers? Without those things this is a non-announcement.
Heh, you don't understand how these big web sites think. Their users are their PRODUCT. For this magical UCE technology to be put in place, you have to show a benefit for the site owners AND the users. If there is anything that impacts Twitter's or Facebook's chances of seeing the user's private data, they will not implement it.
I don't feel sorry for the users of most web sites. They are usually oblivious and oblivious people do not deserve pity. And the site owners? I have been in a war with them for a decade, blocking their ads and cross site tracking schemes that they all seem to favor.
Originally posted by th3dudeabides
reply to post by XPLodER
I really appreciate your posting this topic. I think that this tech would frustrate TIFA efforts internally and could also be abused to allow terrorists to communicate overseas without the hassle of having to use code words. As far as identity theft goes, though, it appears to be a fix-all.