[A83] Re: apps






The application has to be signed with TI before the calculator will accept
it.  Digital signatures are a part of public-private key encryption.  A very
good explanation is the document that comes with PGP.  Essentially, this is
how it works: a private key is generated.  The longer the key, the harder it
is to break.  Web browsers that use SSL either use 40, 56 or 128 bit keys.
Keys used for SSH usually are 1024 or 2048 bit.  Even breaking 40 bit
encryption would be beyond the power of an ordinary person, and breaking 128
bit could only be done by the NSA or other organizations with an immense
amount of computing power, such as federal governments or Microsoft.  I
believe that the calculator uses 512 bit encryption.  So having thousands of
people all over the internet work together in breaking it would not work
this time (there was a contest where this was done to break 128 bit
encryption, and I believe it took a year and a half).

A public key is derived from the private key.  However, this only goes one
way: it is impossible to derive the private key from the public key (as this
would defeat the entire purpose).  The keys are symmetric: anything encrypted
with the public key can be decrypted with the private key, and the converse
is also true.  This can be used to verify the authenticity of something.  If
data can be decrypted by a specific public key, then it must have been
signed by a specific private key.

There is a lot more to the subject, such as certificates, etc., but this
should be enough to understand why it is impossible to self sign an
application.  Now, if you were to somehow steal one of TI's private keys,
then you could do it.  This is the same as if someone were to steal the SSL key
for your webserver, or your PGP private key: then anyone could impersonate
you on the internet.

> What prevents anybody from making an app, without paying TI? Is there some
> kind of special header that only TI has, or something?  But then you could
> just rip it off one file and transfer it . . .
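
The sign-and-verify check described in the message above, and why copying a signature from one file onto another (the question quoted at the end) does not help, as an added example that is not part of the original post and not TI's actual signing scheme. It uses textbook RSA with deliberately tiny constructed keys; the names `vendor`, `other`, and the sample byte strings are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_keypair(p, q):
    """Textbook RSA: return (public modulus n, private exponent d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, d

def digest(app, n):
    # Toy shortcut: SHA-256 reduced mod n. Real schemes pad the full hash.
    return int.from_bytes(hashlib.sha256(app).digest(), "big") % n

def sign(app, n, d):
    """Only the holder of d can produce this value for a given app."""
    return pow(digest(app, n), d, n)

def verify(app, sig, n):
    """What the device does: it needs only the public values (n, E)."""
    return pow(sig, E, n) == digest(app, n)

# Constructed keys built from Mersenne primes; far too small for real use.
VENDOR_N, VENDOR_D = make_keypair(2**61 - 1, 2**89 - 1)    # vendor's key
OTHER_N, OTHER_D = make_keypair(2**107 - 1, 2**127 - 1)    # anyone else's key

signed_app = b"official app image (constructed sample)"
homebrew = b"homebrew app image (constructed sample)"
vendor_sig = sign(signed_app, VENDOR_N, VENDOR_D)

def demo():
    return {
        # Signature made by the vendor over this exact app: accepted.
        "genuine": verify(signed_app, vendor_sig, VENDOR_N),
        # Valid signature copied onto a different app: the hash no longer matches.
        "transplanted": verify(homebrew, vendor_sig, VENDOR_N),
        # App signed with a different private key: fails against the vendor's public key.
        "self_signed": verify(homebrew, sign(homebrew, OTHER_N, OTHER_D), VENDOR_N),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The signature is computed over a hash of the whole application, so it is bound to those exact bytes rather than being a reusable header.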




