Security

For questions and postings not covered by the other forums
ConvertFromOldNGs
Posts: 5321
Joined: Wed Aug 05, 2009 5:19 pm

Security

Postby ConvertFromOldNGs » Fri Aug 07, 2009 11:48 am

by Iain S. Kerr >> Wed, 26 Jan 2000 23:27:10 GMT

Has anyone any experience setting up RSA based security systems with Jade? I wish to use very high level encryption to ensure my site is secure.

iain.kerr@ibconsultants.com.au


Re: Security

Postby ConvertFromOldNGs » Fri Aug 07, 2009 11:48 am

by Robert Barr >> Fri, 28 Jan 2000 0:17:51 GMT

Iain,

you are limited to a 40 bit key if you want to use browser-supported SSL to manage your key exchange and data encryption. This is considered to be good enough for most commercial applications, though each case must be considered in terms of the risk involved. SSL 128 bit certs are only available to financial institutions outside the US - a.k.a. military-grade encryption, 128 bit is often considered necessary to protect financial information (though why internet traffic is so much more at risk than digital phone or radio is debatable).

Alternatively, there are many other encryption products on the market with differing encryption strengths, and for differing levels of investment. Try a web search for PGP-based products (pretty good privacy). However they are not supported by browsers, so involve download and configuration of a client-side binary by the user - usually a plug-in of some sort. They sometimes have problems behind company firewalls, and certain ISP setups, or can upset other communications configurations on the client.

Hope this helps.

Rob


Re: Security

Postby ConvertFromOldNGs » Fri Aug 07, 2009 11:48 am

by Wilfred Verkley >> Thu, 10 Feb 2000 22:59:04 GMT

40-bit is not good enough for any sort of commercially sensitive information, most security experts (which I'm not) will tell you. It may make your site slightly more secure against casual eavesdropping, but not against a determined attacker.

US Encryption Export laws are changing however, so it is likely 128-bit encryption will be more easily available outside America (in the next W2K?), which is good enough for any commercial application.

There are browsers (e.g. Opera, Mozilla) and web servers (e.g. Apache) available outside America that will support 128-bit SSL, but you won't be able to host Jade applications on them. There are workarounds in IIS too, but the practicality (and legality) of these are questionable.


Re: Security

Postby ConvertFromOldNGs » Fri Aug 07, 2009 11:48 am

by John Campbell >> Tue, 29 Feb 2000 3:55:47 GMT

The US have in fact relaxed the encryption rules such that 128 bit and greater are now exportable (except to a few countries). However as both IE and Netscape International versions will not support standard 128-bit you are still limited to SGC (Server Gated Cryptography) in reality until such time that the majority of people wishing to access your site have a true 128-bit capable browser. Given that the rules for 128-bit are relaxed then I imagine SGC 128-bit should be more freely available shortly (it is currently limited to 'electronic commerce providers' whatever that means). Suggest you visit www.verisign.com where they normally have a good explanation of all this stuff, otherwise Microsoft have some stuff.

