PM protection

Started by rmb, April 14, 2005, 01:32:34 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

rmb

April 14, 2005, 01:32:34 AM
I'm sorry, my english is reather poor. I hope that you'll understand me.

I belive that text in PM's in database must be encrypted. I do not heave enough knowledge or skills to make such mode, so I hope that somebody will read this message and will make such mod.

Thantos

#1
April 14, 2005, 01:47:21 AM
Would it be too much irony if I wrote this mod?

Now the questions that come to mind: 
What type of encryption scheme?
Where would the key be stored?
What would the key be based off of?
What laws would impede or limit it (and yes there are laws both US and international)?
What is the average airspeed velocity of an unladen swallow?
What copyrights or patents would interfer?

Villesa

#2
April 14, 2005, 02:26:55 AM
Why would they need to be encrypted? Only site owner is able (or anyone with sql access) to read them. Are you reading your members mail? I don't know any admins who would even think of reading those. Any admin with even a little sense of honor wouldn't do it.
You'll get the idea

I'm all ok.

rmb

#3
April 14, 2005, 04:16:32 AM Last Edit: April 14, 2005, 04:23:57 AM by rmb
Quote from: MikeMill on April 14, 2005, 01:47:21 AM
Would it be too much irony if I wrote this mod?

Mike, I don't think that it would be ironic if you wrote this mode..  I belive that this will be great and also very important mode.

I'm not programer, I do not heave enough knowledge and skills, so do not ask me to answer on your questions...  ;D I belive that such option was integrated in IBF (I used before SMF)


QuoteAre you reading your members mail? I don't know any admins who would even think of reading those. Any admin with even a little sense of honor wouldn't do it.

I do not read members mail... My point is: if there is any chance that somebody use their privileges, close that chance! I belive that my suggestion will made SMF better, more secure and also more popular... Privacy is for me, I belive also for you all, very important value.

Thantos

#4
April 14, 2005, 09:08:12 AM
Well unfortuantly I'm not a cryptologist so I would not even attempt to write a new algorithm.
There are a bunch of problems the biggest (IMO) is the key.  For those who aren't fimilar with the term, the key is what "locks" and "unlocks" the encrypted message.  While an algoirthm can be open for the world to see, the key needs to be guarded.
So considering we want the messages guarded so that the admin can't read them it can't be stored on the server.
That means it'd have to be stored client side.  So how will the receiver known what the key?  What if they change computers?
Well you could use a public key/ private key type of deal.  But what about people who don't have thier keys?  How would the user be able to tell the server their private key without compromising it?

IMO there are too many "what if"s and relies heavily on intelligent users.  Also there are quite a few legal ramifications to consider when dealing with encryption.
But if anyone else wants a go be my guest...

Midgard

#5
April 14, 2005, 09:09:55 AM
maybe, md5 >:(

oh no, impossible...

[Unknown]

#6
April 14, 2005, 09:17:37 AM
Ah, I remember cyphers.  I use to study them when I was in elementary school.  The longer, the better.  You just roll up one letter by the number of another... e.g. "ABC" in the code "ABC" would be "ACE".

One idea would be to ask them for a password, e.g. "cat".  Then, md5 the password and use it as the rolling key:

This is a message which will be encrypted by using ord on the two characters
d077f244def8a70e5ea758bd8352fcd8d077f244def8a70e5ea758bd8352fcd8d077f244def8
and then rounding, etc.  It can be reversed with the key, but is difficult
a70e5ea758bd8352fcd8d077f244def8a70e5ea758bd8352fcd8d077f244def8a70e5ea758
to decypher and gets more difficult with longer keys - 32 characters
bd8352fcd8d077f244def8a70e5ea758bd8352fcd8d077f244def8a70e5ea758bd83
shouldn't be too bad.
52fcd8d077f244def8a70

Best of all, MySQL has ENCRYPT and DECRYPT functions which, I would guess, do exactly what's described above.

-[Unknown]

Thantos

#7
April 14, 2005, 09:30:46 AM
How would the recieptient know what the password is then [unknown]?

[Unknown]

#8
April 14, 2005, 09:35:50 AM
Well, in that case you'd have to store a copy of each message in the im_receipients table, and only encrypt it upon reading.

There's no clean way to do that part, which is why I've never been interested in doing so.  I was just talking about the cyphering concept of it all.

-[Unknown]

Thantos

#9
April 14, 2005, 09:38:46 AM
Well the cyphering part is the easist part.  Its the key that becomes the real pain.

[Unknown]

#10
April 14, 2005, 09:53:44 AM
The point I was trying to get across is you could have decent security without using public/private keys.  And, you're going to have to have user input.  There's no other way.  You also made it sound like you weren't sure on how to exactly encrypt them, so I made a suggestion.  The obvious problem is how to encrypt it upon sending, before it is read...

Well, without contact from the receiving member, you can't.  Even with private/public key pairs, you can't.  Those depend on the internet being available, and both parties being able to dance the tango.  You can use a shared key, or a key based off the ID_PM of the pm, but that still makes it reversable quite easily.

You'd also, as you noted, have to take the pm off the instant_messages table.  It really can't be secured there, except with a shared key type system.  If you have to have it readable by more than one person, it's possible it can be readable by all.

-[Unknown]
Print
Go Up Pages1
User actions
Advertisement: