Dynamic encryption key.

Single Click discussions / bugs
CBailey
Posts: 71
Joined: 2005-02-28 23:41

Post by CBailey »

With normal UltraVNC, when you normally 'trust' the remote computer, there's no issue with physical access to the key. However, if you put this key in a self-extracting archive, and send it out to many people, some of whom you may not know personally (or perhaps put it on a website for all to DL), isn't there the possibility someone unscrupulous could extract the key, and then eavesdrop on a session?
scovel
Posts: 307
Joined: 2004-07-12 11:56
Location: CT, USA

Post by scovel »

Encryption is only as secure as your key.
Post by CBailey »

Hence, the name of the thread... Dynamic Encryption Key. Anyone have thoughts on that, or another way around this problem?
Post by scovel »

If I recall, SC doesn't use the standard VNC password, so it would be pretty hard to create a dynamic key based on the password. At some point you need to have some shared secret if you want it to be secure.
Rudi De Vos
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

Don't agree..
SSL web servers are secure and key is public...
Post by scovel »

Well, yes and no. The server has a public/private key pair. LOTS of exchanges between the client and server are needed to use the public/private key pair to establish a session key. The server still needs to have a certificate and a public/private key.

Public key encryption is also EXPENSIVE CPU-wise.

Since the DSM architecture is kinda a black-box in the middle of VNC, with no control or visibility over the communication flow, it can't go through the complete key negotiation process.

If eavesdropping is the only concern, then the new MSRC4 Beta plugin might be an option. It adds salt to the key for each session. Makes each session key "unique".

Rudi, if you want to implement SSL-type key negotiation after version 1.0, let me know, I'm all for it. Adding a second DSM architecture to do the key negotiation might be one idea...

Sean
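
The two approaches compared in this thread, as an added example that is not part of the original posts and is not UltraVNC or MSRC4 plugin code: a per-session salt mixed into a key that ships in every package, next to an SSL-type negotiated session key. The HMAC-SHA256 derivation, the salt travelling in the clear, the sample key and the Diffie-Hellman parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value standing in for the key file packed into every download.
DISTRIBUTED_KEY = b"constructed-sample-key-shipped-in-every-package"

# Illustrative Diffie-Hellman parameters only (assumption). A real deployment
# uses a vetted TLS library with standard groups and an authenticated server key.
P = 2**255 - 19
G = 2


def salted_session_key(shared_key: bytes, salt: bytes) -> bytes:
    """Assumed scheme: session key = HMAC-SHA256(distributed key, per-session salt)."""
    return hmac.new(shared_key, salt, hashlib.sha256).digest()


def dh_keypair() -> tuple:
    """Fresh private exponent and matching public value for one session."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def dh_session_key(own_private: int, peer_public: int) -> bytes:
    """Hash the shared Diffie-Hellman value into a 32-byte session key."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def compare_schemes() -> dict:
    # Salted scheme: both ends need the salt, so it crosses the wire unprotected.
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    key_a = salted_session_key(DISTRIBUTED_KEY, salt_a)
    key_b = salted_session_key(DISTRIBUTED_KEY, salt_b)
    # Anyone holding the same package plus the observed salt repeats the derivation.
    key_holder_view = salted_session_key(DISTRIBUTED_KEY, salt_a)
    # Negotiated scheme: only the two public values cross the wire, and the
    # private exponents are generated per session and never shipped to anyone.
    viewer_priv, viewer_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    return {
        "salted_sessions_differ": key_a != key_b,
        "key_holder_recovers_salted_key": key_holder_view == key_a,
        "dh_endpoints_agree": dh_session_key(viewer_priv, server_pub)
        == dh_session_key(server_priv, viewer_pub),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The salt makes every session key different, but the derivation has no secret input beyond the distributed key. The negotiated exchange still needs the server's certificate and private key mentioned above to authenticate the public values.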
Robenisque

Post by Robenisque »

Try finding the solution on http://www.encryptionkey.info/ :-D :cool: