Internal security of Rev?
Brian Yennie
briany at qldlearning.com
Tue Jul 11 23:55:04 EDT 2006
John,

Although probably at least non-trivial, Chipp is probably on to
something here. I don't think Rev script encryption is intended for the
highest possible security. More like enough to keep out anyone who is
*not* an expert.

Is it really critical for your application to store the login
information, including password, on the client machine? That seems like
a weak point of the security regardless of what tool you use. Even
compiled C-code can be hacked, but it's much harder to do if the login
information is stored remotely.

If you must store the password locally, you might look into the merits
of a simple MD5-based solution. That is, compute a hash of the password
and store that.

Finally, you might consider what the other weak points are. For
example, unbreakable encryption will only do you so much good if you
then send the password over an insecure network connection. If someone
can just record and play back your communications, they don't have to
know what's actually in them to break in.

As with all anti-hack measures, it will basically boil down to what is
enough of a deterrent that it's not worth the effort to crack. There
are virtually no unbreakable schemes; it's more a matter of setting the
bar higher than the particular would-be intruder can reach.

HTH

> John,
>
> I'm no cryptographer, but I would guess cracking Rev's password
> protected code wouldn't be too awfully hard. Mainly this is because
> you can expect to find multiple occurrences of strings like "on
> mouseUp". I'm not suggesting any novice could crack it, but I imagine
> someone with some decent tools and a bit of time could get in.
>
> You could probably get a more learned opinion from Dar Scott or
> someone with more cryptography chops than I have.
>
> Just my opinion,
> Chipp
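
The two suggestions in the reply above (store a hash instead of the password, and guard against a recorded login being played back), sketched as an added example that is not part of the original thread. It uses salted PBKDF2-HMAC-SHA256 in place of the plain MD5 mentioned, and `Server`, `make_record`, `check_password` and `respond` are hypothetical names; the password in any usage is a constructed sample.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password (stands in for the post's MD5 idea)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What gets stored instead of the password itself."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "key": derive(password, salt)}


def check_password(record: dict, attempt: str) -> bool:
    """Local check: re-derive from the attempt, compare in constant time."""
    return hmac.compare_digest(derive(attempt, record["salt"]), record["key"])


class Server:
    """Hypothetical login endpoint that issues single-use challenges."""

    def __init__(self, record: dict):
        # The derived key is password-equivalent for this exchange,
        # so the record needs the same protection as any other secret.
        self.record = record
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already-used nonce: a replay ends here
        self.pending.discard(nonce)
        expected = hmac.new(self.record["key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: answer the challenge without sending password or hash."""
    return hmac.new(derive(password, salt), nonce, hashlib.sha256).digest()
```

Because each response is bound to a nonce the server accepts only once, a captured login exchange is useless when played back, which a bare hash sent over the wire would not achieve.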