Return-Path:
Received: from new.cgi101.com (cgi101.com [209.189.198.102]) by isi1.istrat.com (8.11.6/8.11.6) with ESMTP id fBAILde05430 for ; Mon, 10 Dec 2001 12:21:39 -0600
Received: from new.cgi101.com (localhost [127.0.0.1]) by new.cgi101.com (8.12.1/8.12.1/Debian -2) with ESMTP id fBAIXqV9008593; Mon, 10 Dec 2001 12:33:52 -0600
Received: from localhost (sherzodr@localhost) by new.cgi101.com (8.12.1/8.12.1/Debian -2) with ESMTP id fBAIXq6c008589; Mon, 10 Dec 2001 12:33:52 -0600
X-Authentication-Warning: new.cgi101.com: sherzodr owned process doing -bs
Date: Mon, 10 Dec 2001 12:33:52 -0600 (CST)
From: sherzodR
To: Tommy Butler
cc: CGI List
Subject: RE: [CGI] CGI-Authentication ( tutorial )
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status:

Nice thing, Tommy. I have one note tho. You mentioned transferring encrypted data over a non-SSL protocol, right? Since the encryption you mentioned is taking place on the server, the client's message still needs to travel over the network in non-encrypted form, right? Doesn't it defeat the whole purpose of encryption?

Another note I have is, my tutorial and CGI::Session don't claim to implement any kind of encryption. It just teaches a "Session based Active client identification (Authentication?) method". It's just an algorithm implemented by those register/login featured sites (ex., webmail). And I am just looking for some contributions off your experience and/or comments.

Thanks for your time tho, Tommy

Tommy Butler wrote:

TB: Date: Mon, 10 Dec 2001 12:22:18 -0800
TB: From: Tommy Butler
TB: To: CGI List
TB: Cc: sherzodR
TB: Subject: RE: [CGI] CGI-Authentication ( tutorial )
TB:
TB:
TB : -----Original Message-----
TB : From: owner-cgi-list@jann.com [mailto:owner-cgi-list@jann.com] On Behalf
TB : Of sherzodR
TB : Sent: Saturday, December 08, 2001 1:18 PM
TB : To: Perl-Cgis mailing list
TB : Subject: [CGI] CGI-Authentication ( tutorial )
TB :
TB :
TB : I was working on an authentication tutorial and I have a rough draft
TB : available.
TB :
TB : http://www.ultracgis.com/articles/cgiauth/index.html
TB :
TB : Let's put all the knowledge and experience together and fill
TB : this out. Currently I have an overview of the "Naive Authentication" method
TB : and also a small tutorial on the "Session Based Active Authentication" method
TB : ( my favorite ). Any comments and editions are highly appreciated. If you
TB : wish to add anything, please include your name and contact information
TB : (preferably email address) to the notes. Thanks :-)
TB :
TB : http://www.ultracgis.com/articles/cgiauth/index.html
TB :
TB : Thanks
TB:
TB:
TB: I've developed some session-based user authentication software which uses some
TB: really sweet cyclic encryption algos in concert with one another, based on
TB: keys --like PGP or RSA which both brought a little to my encryption method.
TB:
TB: It completely encrypts form field names and values, and encrypts strings with
TB: keys, hashed against a multiplicity of variable data, while maintaining
TB: individual user agent identities and sessions. The variable data is cyclically
TB: crypted against the systematically variable keys, keys which are methodically
TB: shifted through predefined algorithm sets to auto-generate a completely new
TB: algorithm (on the fly) during session initiation and subsequent stateful
TB: transactions.
TB:
TB: Variable attributes of the encrypted strings themselves will then determine the
TB: re-hashing cycles of the next crypting and decrypting, both the server side and
TB: client side. This is accomplished without any kind of IO or database usage to
TB: preserve state on the server side, and with no cookies on the client side.
TB:
TB: Using either POST or GET methods, I can safely implement extremely dense and
TB: variable encryption of sensitive data for safe transfer over non-SSL connections
TB: and without hacking into other namespaces (like CGI), or even without requiring
TB: other modules.
TB:
TB: Trouble is, this is all proprietary technology since I created it for my
TB: employer. Still, the idea of it all is what I think has some genuine benefits.
TB: I think that it could be potentially useful in many different types of
TB: implementation.
TB:
TB:
TB: -Tommy Butler, consultant
TB:
TB: Atrixnet, for Internet Business Software
TB:
TB: http://atrixnet.com
TB:
TB: 2200 North Lamar
TB: Suite 307
TB: Dallas, TX
TB: 75202
TB:
TB: --
TB:
TB: Visit the open source Perl archives at Atrixnet
TB: http://www.atrixnet.com/pub/

--
Sherzod Ruzmetov
http://www.UltraCgis.com, Consultant
989.774.6265

+----------------------------------------+
| There is nothing wrong with your tools.|
| But we can make a better one.          |
+----------------------------------------+
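As an added example (not from the thread, the tutorial, or CGI::Session; all names such as `login`, `authenticate` and the in-memory `%sessions` hash are hypothetical), here is the "session based active authentication" flow the thread refers to, in plain Perl with core modules only: a login that verifies the password once and issues a random session id, and a per-request check that maps the id back to a user until it expires or is logged out. The comments mark the point Sherzod raises: hashing or encrypting on the server does nothing for the password or the session id while they are crossing the network, so without TLS both are visible in transit regardless of what the application does with them afterwards.

```perl
#!/usr/bin/perl
# Added example: minimal session-based active authentication in core Perl.
# Hypothetical code, not the tutorial's or CGI::Session's implementation.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my %users;                 # username => { salt, hash }   (constructed data)
my %sessions;              # session id => { user, expires (epoch seconds) }
my $SESSION_TTL = 3600;    # one hour of inactivity-free validity

# Random hex string from the OS entropy source (assumes /dev/urandom exists).
sub random_hex {
    my ($bytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $buf, $bytes;
    close $fh;
    return unpack 'H*', $buf;
}

# Salted SHA-256 for brevity; a deliberately slow password hash is preferable
# in a real deployment, but the session logic is the same either way.
sub hash_password {
    my ($salt, $password) = @_;
    return sha256_hex($salt . $password);
}

sub add_user {
    my ($user, $password) = @_;
    my $salt = random_hex(8);
    $users{$user} = { salt => $salt, hash => hash_password($salt, $password) };
}

# Step 1: login. The password arrives in the request body. Nothing the server
# does here protects it on the wire: that is the job of TLS, not of the app.
sub login {
    my ($user, $password) = @_;
    my $rec = $users{$user} or return undef;
    return undef unless hash_password($rec->{salt}, $password) eq $rec->{hash};
    my $sid = random_hex(16);           # 128-bit random id, not derived from anything guessable
    $sessions{$sid} = { user => $user, expires => time + $SESSION_TTL };
    return $sid;                        # handed to the client as a cookie or hidden field
}

# Step 2: each later request carries only the session id; the server looks it
# up instead of asking for the password again. The id is a bearer credential:
# whoever presents it is treated as the user, so it needs TLS in transit too.
sub authenticate {
    my ($sid) = @_;
    my $s = $sessions{$sid} or return undef;
    if ($s->{expires} < time) {
        delete $sessions{$sid};         # expired: force a fresh login
        return undef;
    }
    return $s->{user};
}

# Logout invalidates the id server-side; a stale copy of it is then useless.
sub logout {
    my ($sid) = @_;
    delete $sessions{$sid};
}

# Walk-through on constructed data.
add_user('alice', 'correct horse');
my $sid = login('alice', 'correct horse');
print "login ok, session id $sid\n";
print "request authenticated as ", authenticate($sid), "\n";
logout($sid);
print "after logout: ", (defined authenticate($sid) ? 'still valid' : 'rejected'), "\n";
print "wrong password: ", (defined login('alice', 'wrong') ? 'accepted' : 'rejected'), "\n";
```

The design choice worth noting is that state lives only on the server, keyed by an unguessable random id, so the client never holds anything it could tamper with; the trade-off is that the id itself is the credential for the rest of the session, which is why the transport, not the application, has to provide confidentiality.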