Comments on: Registration Schemes: Asymmetrical Cryptography

By: Ken

Ken — Thu, 15 May 2008 15:39:22 +0000

Hi Kenneth:
I found this very useful. Thanks for sharing!
Sorry to hear about your computer; hope it’s back soon.
-Ken

By: kenneth

kenneth — Thu, 01 May 2008 12:35:04 +0000

David, this blog is pretty much on pause at the moment, along with everything else I do except support, right now… Main computer blown up by the morons at Eskom, waiting for it to come back for repairs…

By: David M

David M — Thu, 01 May 2008 04:08:34 +0000

You’ve got me hooked. Where’s part three? I’m going to be needing to implement something pretty soon.

Thanks

By: kenneth

kenneth — Sun, 06 Apr 2008 14:04:00 +0000

Devon, thanks, this was indeed a horrible typo… You’re right, it is the public key that should be in the application!

And indeed, checking the framework against a hash is a very good idea, and every AquaticPrime app should do that.

By: Devon

Devon — Sun, 06 Apr 2008 13:36:16 +0000

Just a typo:
“You then verify that the signature is valid using the private key in your app.” Should be public key not private key embedded in your shipping app.

I think you could improve the security of the Aquatic Prime framework by implementing a hash check in your application. Perform a hash of the whole framework with your favourite hash like SHA1 (MD5 is not secure enough). Embed this hash in your application and obfuscate it if you want so patching the binary is harder. When your app launches it checks the hash of the included framework against it’s own hash and would not work if someone tried to replace the framework.

I’m sure people might still find a way around that but it would be harder than just replacing a framework.