Re: RNG in a Smart Card


Enzo Michelangeli (em@who.net)
Fri, 31 Jul 1998 17:43:54 +0800


-----Original Message-----
From: Matthias Bruestle <m@mbsks.franken.de>
Date: Friday, July 31, 1998 12:34 AM

>Mahlzeit
>
>
>Enzo wrote:
>> For the cryptographic stuff, they seem to use classes that are part of a package
>> called xpresso131 (I couldn't find any reference on the web).
>It is probably from Brokat. Maybe you find something on www.brokat.de.

Thanks to Matthias' tip, I've got some information about X-Presso.
According to the FAQ available on the Brokat web site, it implements a
protocol "similar to SSL 3.0" called SRT 1.0, with RSA-based key exchange
(1024-bit key), IDEA encryption and MD5 or SHA MAC. According to Brokat,
this makes a transaction much more secure than one protected by an
exportable browser's 40-bit RC4. However, methinks that if you allow for
man-in-the-middle attacks, the system is exactly as secure as plain vanilla
export-grade SSL: the notorious Mallet could hijack the connection, upload
to the browser a hacked applet (decompiling Java is a piece of cake,
especially when no obfuscators are used), and steal account number and PIN
for future use. So, why bother at all with X-Presso?
Brokat is very happy to have received the blessing of the NSA and U.S.
Commerce Department (to download an applet from a server placed in another
country, technically, is to export it), but if you think about it, it isn't
difficult to see why...

Enzo

P.S. My description of the RNG in a previous post contained a mistake
spotted by Ben Laurie: the time returned by System.currentTimeMillis() under
Win95/98 is incremented only in 50 or 60 msec steps: never, as I incorrectly
claimed, 40.



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:21:03 ADT