solution please

Hi,

I have one business issue I'm trying to solve.

To put it simply in English, I have two separate WebSphere servers and I need to pass a string between them. I would like to encrypt the string and then decrypt it on the other side.

I would like the keys to be known only to the servers and nobody else. What is the best way to solve this issue? The server communication between them is already HTTPS.

Thanks in advance

[441 byte] By [kv_kancha] at [2007-10-1 11:13:05]
# 1

> Hi,
>
> I have one business issue I'm trying to solve.
>
> To put it simply in English, I have two separate
> WebSphere servers and I need to pass a string between
> them. I would like to encrypt the string and then
> decrypt it on the other side.
>
> I would like the keys to be known only to the servers
> and nobody else. What is the best way to solve this
> issue? The server communication between them is
> already HTTPS.
>
> Thanks in advance

If the string is small, use a public-key algorithm.

If it's big, use a public-key algorithm to pass a secret key and then use the secret key to pass the data.

If this isn't a one-op thing, and you actually want to make a secure system, then you have a lot of reading to do.

May I suggest Practical Cryptography to start off your reading list.

~Cheers

Adeodatusa at 2007-7-10 3:42:41 > top of Java-index,Security,Other Security APIs, Tools, and Issues...
# 2
Thanks for the reply. I am doing some reading already. Can we use a user-defined key with the Blowfish algorithm? I mean, can we use predefined key pairs on both sides, rather than generating the key every time? Thanks
kv_kancha at 2007-7-10 3:42:41
# 3

> I am doing some reading already. Can we use a
> user-defined key with the Blowfish algorithm?

Yes. Depending on the implementation, that is. Although I hope there aren't many out there that don't allow it.

> I mean, can we use predefined key pairs on both sides,
> rather than generating the key every time?

It's certainly okay to use the same key over a series of communications, but using it over a prolonged period of time is just asking to have it stolen.

~Cheers

Adeodatusa at 2007-7-10 3:42:41
# 4

I agree with you, but we are implementing SSO soon. This is just a patch for now.

One more question: I am looking at the Blowfish example and it looks like the key is an object, not a text or binary key.

Do you know how I can get a key out of the key object and store it in a file etc. on the server?

Do I need to serialize the key object itself?

Thanks in advance

kv_kancha at 2007-7-10 3:42:41
# 5

> I agree with you, but we are implementing SSO soon.
> This is just a patch for now.

Ah, so quickly-put-together halfway security is better than none at all. That's always nice to know.

> One more question: I am looking at the Blowfish
> example and it looks like the key is an object, not a
> text or binary key.
>
> Do you know how I can get a key out of the key object
> and store it in a file etc. on the server?
>
> Do I need to serialize the key object itself?

Keys are serializable. Just use an ObjectOutputStream.

~Cheers

Adeodatusa at 2007-7-10 3:42:41
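
An added example, not code from any poster in this thread: a predefined Blowfish key kept as raw bytes in a file and rebuilt on each server, using the standard JCE calls `Key.getEncoded()` and `SecretKeySpec` as an alternative to object serialization. The class name, the CBC mode with PKCS5 padding, the 128-bit key size, the temp-file path and the sample string are assumptions made for the illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

public class SharedBlowfishKeyDemo {
    static final String TRANSFORM = "Blowfish/CBC/PKCS5Padding"; // mode and padding are assumptions
    static final int IV_LEN = 8; // Blowfish block size in bytes

    // Run once: generate a key and write its raw bytes to a file that is installed on both servers.
    static void createKeyFile(Path file) throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("Blowfish");
        gen.init(128);
        Files.write(file, gen.generateKey().getEncoded());
    }

    // Each server rebuilds the same key object from the stored bytes.
    static SecretKey loadKey(Path file) throws Exception {
        return new SecretKeySpec(Files.readAllBytes(file), "Blowfish");
    }

    // Output is IV || ciphertext; the cipher picks a fresh random IV for every message.
    static byte[] encrypt(SecretKey key, String text) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = c.doFinal(text.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(c.getIV(), IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    static String decrypt(SecretKey key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(msg, 0, IV_LEN));
        return new String(c.doFinal(msg, IV_LEN, msg.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Path keyFile = Files.createTempFile("shared-blowfish", ".key"); // constructed path for the demo
        createKeyFile(keyFile);
        byte[] wire = encrypt(loadKey(keyFile), "user=kv;ts=1190000000"); // constructed sample string
        System.out.println(decrypt(loadKey(keyFile), wire));
        Files.delete(keyFile);
    }
}
```

On a real server the key file should be readable only by the application server's account. CBC gives confidentiality only, so the receiver cannot detect a modified message unless a MAC is added.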