[erlang-questions] crypto in erlang and javascript

John Kemp <>
Fri Sep 30 18:10:18 CEST 2011


Joe,

On Sep 30, 2011, at 11:57 AM, ext Joe Armstrong wrote:

>> 
>> How will you deliver the secret key to the browser such that the JS can encrypt securely for some period of time?
> 
> I won't - The following seems ok
> 
> 1) the browser gets the RSA public key of the server. This is hard wired
> or "well known"
> 
> 2) the browser generates a random session key and encrypts it with
> the server's public key.
> 
> 3) the encrypted session key is sent to the server
> 
> 4) Only the server can decrypt this key
> 
> 5) both sides use the session key
> 
>> If you trust the server to deliver crypto code + key, why not trust the server to do
>> SSL/TLS which will require less new code?
> 
> Because I haven't implemented SSL myself :-)

Well, that is what you're doing, based on the steps you write above, but presumably with just the key parts, and no CAs or certs involved ;)

> - it's an opportunity to
> learn a bit more
> about number theory.

As long as you _want_ to re-implement SSL/TLS, then… enjoy!

Cheers,

- John

> 
> /Joe
> 
> 
> 
>> 
>> - John
>> 
>>> 
>>> Any ideas?
>>> 
>>> I want both side to be reasonably efficient with non-restrictive
>>> licenses.
>>> 
>>> /Joe
>>> _______________________________________________
>>> erlang-questions mailing list
>>> 
>>> http://erlang.org/mailman/listinfo/erlang-questions
>> 
>> 




More information about the erlang-questions mailing list