socketServer questions

rbt rbt at athop1.ath.vt.edu
Mon Oct 10 08:44:44 EDT 2005


On Sat, 2005-10-08 at 14:09 -0700, Paul Rubin wrote:
> rbt <rbt at athop1.ath.vt.edu> writes:
> > Off-topic here, but you've caused me to have a thought... Can hmac be
> > used on untrusted clients? Clients that may fall into the wrong hands?
> > How would one handle message verification when one cannot trust the
> > client? What is there besides hmac? Thanks, rbt
> 
> I don't understand the question.  HMAC requires that both ends share a
> secret key; does that help?  

That's what I don't get. If both sides have the key... how can it be
'secret'? All one would have to do is look at the code on any of the
clients and they'd then know everything, right?

> What do you mean by verification?

I'm trying to keep script kiddies from tampering with a socket server. I
want the server to only load a valid or verified string into its log
database and to discard everything else. 

Strings could come to the socket server from anywhere on the Net from
any machine. This is outside my control. What is there to prevent a
knowledgeable person from finding the py code on a client computer,
understanding it and then being able to forge a string that the server
will accept?

Does that make sense?
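One way to make the server-side check concrete, as an added example that is not rbt's or Paul Rubin's code: a log server that verifies HMAC-SHA256 tags with a separate secret per client, so a key read out of one compromised client only lets its holder forge that client's lines, and that key can be revoked on its own. The key table, client IDs and "id|tag|message" wire format are constructed for the example; it goes beyond the single shared key discussed in the thread.

```python
import hashlib
import hmac

# Constructed key table for the example: one independent secret per client.
# Losing one client's key exposes only that client's identity, and the
# server can revoke it without re-keying the others.
CLIENT_KEYS = {
    "client-a": b"constructed-secret-for-client-a",
    "client-b": b"constructed-secret-for-client-b",
}
REVOKED = set()


def tag(key: bytes, client_id: str, msg: str) -> str:
    # Bind the client identity into the MAC input so a tag made with one
    # client's key cannot be reused under another client's name.
    data = client_id.encode() + b"\x00" + msg.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_line(client_id: str, msg: str) -> str:
    # Client side: "client_id|hexdigest|message".
    return f"{client_id}|{tag(CLIENT_KEYS[client_id], client_id, msg)}|{msg}"


def verify_line(line: str) -> tuple:
    # Server side: returns (accepted, reason_or_message). Only accepted
    # strings should be written to the log database; everything else is dropped.
    parts = line.split("|", 2)
    if len(parts) != 3:
        return False, "malformed"
    client_id, got, msg = parts
    key = CLIENT_KEYS.get(client_id)
    if key is None or client_id in REVOKED:
        return False, "unknown or revoked client"
    expected = tag(key, client_id, msg)
    # Constant-time comparison so response timing does not leak the tag.
    if not hmac.compare_digest(expected, got):
        return False, "bad tag"
    return True, msg


def revoke(client_id: str) -> None:
    # Called when a client's key is known to be in the wrong hands.
    REVOKED.add(client_id)
```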



