standalone has plainly readable transcript

revolution at knowledgeworks.plus.com
Fri Jun 13 19:35:01 EDT 2003


Hi Mark,

Just like I am no Transcript expert, I'm no cryptographer either :-)

The data I wanted to protect is not 'top secret', so I didn't need 'industrial grade' encryption.  I wanted to prevent someone easily siphoning off the data in my application and producing their own version. The data could just as easily have been stored in files (in fact, is ultimately required as files), but that would have left it open to easy siphoning. 

Following the suggestions in a thread on this list called "poor man's encrypted data", I just loaded the files into custom properties of a stack, and then password-protected the stack.  The stack reverses this process and turns the resulting data back into files to be served to the browser.  Without knowing more about the encryption provided by password-protecting a stack with a password, there is no guarantee of the likely difficulty for someone who was determined to get this data out of the stack.  

I do not have to over-worry about protecting this data, as in the final analysis anyone who was determined to save each and every one of my data files locally could do so on a file by file basis. I just didn't want to make this easy for them.  (If I wanted to make it more difficult for them to extract and re-use my data I could use a Rev plug-in to display the data from the serving stack - that way they would have to hack the encryption or listen on the wire to get the data).

SSL is a planned enhancement to the Rev engine (see http://www.metacard.com/pi5.html).  That will assist in securing data in transit, but it's not clear that it would enhance the encryption of data in stacks.  I am sure that the Rev team have seen the concerns about encryption in this list and I'm hopeful that a release in the not too distant future will address this.  Something as important as encryption should not be left to users to implement for themselves (especially not in a product like Rev that aims to facilitate development at the highest level possible).

Some other cross-platform tools such as Rebol have various different encryption mechanisms built in, and I think that this should be seen as a priority for Rev too.  (I know this is the 'use-revolution' list, but it does no harm for us all to be aware of the feature-set, costs and difficulties of alternative tools, and it does Runrev no harm to be reminded of the feature-set that the competition are offering.)  Other tools like iShell and Realbasic do not appear to have any encryption facilities (I could be wrong on this - I haven't seen anything to suggest that these are built-in like with Rebol).

If you are in the process of implementing AES encryption in Rev, why don't you contact them off-list to see what the official plans are for stronger encryption?  If they are not going to be implementing stronger encryption in the near future, they may be interested in working with you to incorporate your plans into Rev.

Regards,
Bernard

>>
I was wondering if you could share the solution you used to add 
encryption to your RunRev server app? I'm bringing the Blowfish 
encryption algorithm over from Lingo (Director). I was hoping to find a 
128 bit AES standard way of encrypting files. My search of the docs 
has produced nothing on this. Did you use Blowfish or some Database's 
internal encryption system to accomplish your task?
<<  



