Re: encrypt password for webservices

From: Mathew Michuta (nektoinphx@yahoo.com)
Date: 04/10/03


From: "Mathew Michuta" <nektoinphx@yahoo.com>
Date: Thu, 10 Apr 2003 06:39:44 -0700


I thought about using integrated security, but if it were
to become compromised, the attacker could then have access
to all of the resources granted to that user. I elected to
do it this way so that if it is compromised, they will
only be able to use my webservices and the methods inside
them, and not gain access to the rest of my network.
And I am making multiple access levels for my database,
and that would not integrate well with Windows
authentication. Not to mention I have no idea how to
integrate MS group policies into my app.

>-----Original Message-----
>Why don't you just use Windows Integrated Security in IIS, and encrypt with
>SSL? However, you won't be able to use accounts from your database. It will
>use Windows accounts.
>
>Etienne
>
>"Mathew Michuta" <nektoinphx@yahoo.com> wrote in message
>news:017201c2fedd$0725f1f0$a501280a@phx.gbl...
>> I'll start by saying I've never done any encryption
>> before. All my apps before now have been on an isolated
>> network, with no real need.
>>
>> But now I need to use it. I have created webservices that
>> return data to a VB.NET Windows Forms application. It
>> works fine receiving the username, password, and various
>> other parameters, but now I need to add some sort of
>> encryption so my passwords are not flying all over the
>> internet in plain text.
>>
>> My ideal solution would be that the user logs into the VB
>> app in Florida using username and password. VB app
>> encrypts username and password, requests authentication
>> from my webservice in Idaho, webservice receives string
>> data, decrypts, compares to value stored in SQL, and
>> returns either 1(successful)/0(unsuccessful) or the hashed
>> password to be used for all subsequent webservice data
>> calls. I have set up all my webservices to require the
>> username/password to be sent regardless of the function of
>> the webmethod.
>>
>> My question is how do I do that? Are there any tutorials
>> on how to use encryption in that manner? I'm assuming that
>> I would not want to encrypt all data, due to performance
>> issues on the server and client.
>>
>> Thanks in advance.
>
>
>.
>


