Keeping private keys on connected servers is an all-around bad idea. All I need to do is break into your box. Can do. ;-)

Also, password garbling schemes are intentionally one-way. Otherwise you won't gain much in terms of security. Some explanations of the issues involved can be found here:
<http://www.gnu.org/manual/glibc-2.2.5/html_node/crypt.html>

HTH,
Stefan

--On Thursday, 20 March 2003 09:15 -0800 Terry Hancock <hancock@anansispaceworks.com> wrote:
Suppose I use a private key to encrypt/decrypt the password data for storage in the database. The key might be stored on the server's filesystem or be retrieved from a more secure computer, but it would be used to encrypt the data for storage and then to decrypt it for authentication. You could do this with public-key cryptography, too, but it's not clear to me that there is an advantage to that.
-- Those who write software only for pay should go hurt some other field. /Erik Naggum/