Internal security of Rev?

John Tregea john at debraneys.com
Wed Jul 12 01:34:27 EDT 2006


Hi Brian,

I read about MD5 but thought it was a way of generating a hash string 
and using that string to check if the originating string had changed. Do 
you mean I could "un" MD5 a string like base64Decode?

I follow you though and have now planned to store the really sensitive 
keys and names of encryption methods in the database.

I do need to store one user name and password in the front end though to 
enable Rev to connect to PostgreSQL and validate the user's right to log 
in to get the rest of their accreditation and permissions.

Cheers

JT

Brian Yennie wrote:
> John,
>
> Although probably at least non-trivial, Chipp is probably on to 
> something here. I don't think Rev script encryption is intended for 
> the highest possible security. More like enough to keep out anyone who 
> is *not* an expert.
>
> Is it really critical for your application to store the login 
> information, including password, on the client machine? That seems 
> like a weak point of the security regardless of what tool you use. 
> Even compiled C-code can be hacked, but it's much harder to do if the 
> login information is stored remotely.
>
> If you must store the password locally, you might look into the merits 
> of a simple MD5-based solution. That is, compute a hash of the 
> password and store that.
>
> Finally, you might consider what the other weak points are. For 
> example, unbreakable encryption will only do you so much good if you 
> then send the password over an insecure network connection. If someone 
> can just record and play back your communications, they don't have to 
> know what's actually in it to break in.
>
> As with all anti-hack measures, it will basically boil down to what is 
> enough of a deterrent that it's not worth the effort to crack. There 
> are virtually no unbreakable schemes; it's more a matter of setting 
> the bar higher than the particular would-be intruder can reach.
>
> HTH
>
>> John,
>>
>> I'm no cryptographer, but I would guess cracking Rev's password
>> protected code wouldn't be too awfully hard. Mainly this is because
>> you can expect to find multiple occurrences of strings like "on
>> mouseUp". I'm not suggesting any novice could crack it, but I imagine
>> someone with some decent tools and a bit of time could get in.
>>
>> You could probably get a more learned opinion from Dar Scott or
>> someone with more cryptography chops than I have.
>>
>> Just my opinion,
>> Chipp
>> _______________________________________________
>> use-revolution mailing list
>> use-revolution at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your 
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-revolution
>>
>>
>

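Brian's suggestion above is to compute a hash of the password and store that, and John asks whether a hash can be "un-done" like base64. The following is an added example (not code from this thread or from Rev) showing why it cannot: the stored value is verified by re-hashing the candidate password, never by decoding. It swaps the MD5 Brian mentions for salted PBKDF2-HMAC-SHA256, an assumption of this example, since an unsalted fast hash of a short password gives little protection if the stored record is copied from the client machine.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; a constructed value, tune it for your own hardware.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build what gets stored on the client: a random salt, the iteration
    count and the derived key. The password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": key.hex()}


def verify(password: str, record: dict) -> bool:
    """Check a candidate password against a stored record.

    The stored hash is one-way, so there is no decode step: we re-derive the
    key from the candidate with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    key = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(key, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: the record below is what would sit in the front end.
    stored = make_record("correct horse battery")
    print(stored)
    print("right password:", verify("correct horse battery", stored))
    print("wrong password:", verify("Correct horse battery", stored))
```

Note that this protects only the password at rest; as Brian points out, whatever is sent over the wire to PostgreSQL still has to be protected separately.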

