Re: encrypt password for webservices
From: Alek Davis (alek_DOT_davis_AT_intel_DOT_com)
Date: 04/11/03
- Next message: Robert Strickland: "Re: Beginner's question"
- Previous message: Ivan Medvedev [MS]: "Re: TCP Listener Start Method Error"
- In reply to: Etienne Charland: "Re: encrypt password for webservices"
- Next in thread: Alek Davis: "Re: encrypt password for webservices"
- Reply: Alek Davis: "Re: encrypt password for webservices"
- Reply: Etienne Charland: "Re: encrypt password for webservices"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Alek Davis" <alek_DOT_davis_AT_intel_DOT_com> Date: Fri, 11 Apr 2003 10:12:28 -0700
Hi Etienne,
I am not an expert in this area (SAL), but this is how I understand it. SAL
uses a (symmetric) session key to encrypt data. The good thing about this
key is that it is defined for an HTTP connection between a single instance
of a Web client and a Web server. So, if I grab someone else's data sent
over SAL and resend it on my behalf, the Web server will not be able to
decrypt it, because the Web server will use a different session key, i.e.
the session key established for my connection, not the connection whose data
I stole.
I don't know the details of your solution, but I doubt that it is better
than SAL. Whenever you deal with passing sensitive data between server and
client, whether it is a Web application or a traditional client-server, the
only way to avoid a replay attack (or whatever it is called when a hacker
simply resends stolen data) is by having a session between server and
client with a session-specific key. We spent a lot of time (well, maybe not
a lot, but at least some) trying to come up with an alternative, but could
not. If you want to make your own solution, you will probably end up
implementing your own version of SSL.
If you give me more details, I can probably tell you the vulnerabilities of
your approach (feel free to e-mail me directly). The questions I would ask
are:
(1) Which key do you use: public or symmetric?
(2) If you are using a symmetric key, is it the same for all clients?
(3) How does the server keep track of the number of requests from a
particular client?
(4) What prevents a hacker from simply re-posting the first post of a valid
query?
Basically, I would like to know what you are protecting and how your
solution protects it.
-- Alek
"Etienne Charland" <mystery@golden.net> wrote in message
news:e0csPG9$CHA.824@TK2MSFTNGP11.phx.gbl...
> Alek, do you know how SSL works to enforce security? What prevents someone
> from taking an encrypted request and sending it again? The server must accept a
> particular query once, but not twice. When implementing my remoting
> security solution, the only way I found is to have a counter that
> increments. The client encrypts the incremental value, and the server
> compares it to see if it's the right one. Does it work like that in SSL, or
> does it have that flaw?
>
> Etienne
>
> "Alek Davis" <alek_DOT_davis_AT_intel_DOT_com> wrote in message
> news:OM6CHM7$CHA.3124@TK2MSFTNGP11.phx.gbl...
> > Mathew,
> >
> > Are you asking how to use encryption for secure communication or
> > storage?
> >
> > For secure communication use SSL. It is the only viable option which can
> > prevent a hacker from impersonating another user by simply grabbing
> > someone else's credentials, whether they are encrypted or not encrypted.
> > This means that if you are passing credentials in every method, then
> > every method should be called over SSL.
> >
> > For storage, do not use encryption, use hashing instead. If you only use
> > passwords to verify users' credentials, there is no need to decrypt
> > them. Just store password hashes in the database and compare hashes
> > (with salt) instead of plaintext values. This way you eliminate the
> > hassles associated with key management. Check How To: Use Forms
> > Authentication with SQL Server 2000 (at
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp
> > or http://tinyurl.com/99hg) for a nice example.
> >
> > -- Alek
> >
> > "Mathew Michuta" <nektoinphx@yahoo.com> wrote in message
> > news:017201c2fedd$0725f1f0$a501280a@phx.gbl...
> > > I'll start by saying I've never done any encryption
> > > before. All my apps before now have been on an isolated
> > > network, with no real need.
> > >
> > > But now I need to use it. I have created webservices that
> > > return data to a vb.net windows forms application. It
> > > works fine receiving the username, password, and various
> > > other parameters, but now I need to add some sort of
> > > encryption so my passwords are not flying all over the
> > > internet in plain text.
> > >
> > > my ideal solution would be that the user logs into the vb
> > > app in florida using username and password. vb app
> > > encrypts username and password, requests authentication
> > > from my webservice in idaho, webservice receives string
> > > data, decrypts, compares to value stored in sql, and
> > > returns either 1(successful)/0(unsuccessful) or the hashed
> > > password to be used for all subsequent webservice data
> > > calls. I have set up all my webservices to require the
> > > username/password to be sent regardless of the function of
> > > the webmethod.
> > >
> > > My question is how do I do that? Are there any tutorials
> > > on how to use encryption in that manner? I'm assuming that
> > > I would not want to encrypt all data, due to performance
> > > issues on the server and client.
> > >
> > > Thanks in advance.
> >
> >
>
>
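The replay-protection argument in Alek's reply (a session-specific key) and Etienne's counter scheme are easiest to see side by side in code. The following is an added example, not code from the thread or from SAL/SSL: it MACs each message over (counter, body) with a per-session key, so a captured message fails the counter check when replayed into its own session and fails the MAC check when replayed into any other session, and it also shows what goes wrong when every client shares one key (Alek's question 2). Authentication only is shown; a real transport such as SSL/TLS additionally encrypts the body, and the TLS record layer does carry an implicit per-record sequence number into each record's MAC in the same spirit. Class names, message bodies and the tuple packet format are invented for the demo.

```python
# Added example (not from the thread): per-session key plus per-message
# counter, MACed together. Names and message formats are constructed.
import hashlib
import hmac
import secrets

SEQ_BYTES = 8  # counter is sent as a fixed-width big-endian integer


class Session:
    """Server-side state for one client connection."""

    def __init__(self, key=None):
        # Fresh random key per session unless one is supplied (the
        # shared-key case in demo() shows why supplying one is a bad idea).
        self.key = key if key is not None else secrets.token_bytes(32)
        self.next_seq = 0  # counter the server expects on the next message


def tag(key, seq, body):
    """HMAC over counter || body so neither can be altered independently."""
    return hmac.new(key, seq.to_bytes(SEQ_BYTES, "big") + body,
                    hashlib.sha256).digest()


class Client:
    """Client half of the session: same key, its own copy of the counter."""

    def __init__(self, session):
        self.key = session.key  # assumed established by a prior handshake
        self.seq = 0

    def send(self, body):
        pkt = (self.seq, body, tag(self.key, self.seq, body))
        self.seq += 1
        return pkt


def server_accept(session, pkt):
    """Return 'accepted' or the reason the message was refused."""
    seq, body, t = pkt
    if seq != session.next_seq:
        return "rejected: counter"  # replay or out-of-order message
    if not hmac.compare_digest(t, tag(session.key, seq, body)):
        return "rejected: mac"  # wrong session key or tampered body
    session.next_seq += 1
    return "accepted"


def demo():
    """Constructed scenario: Alice's session, Mallory's own session, and a
    deployment in which every client shares a single symmetric key."""
    results = {}

    alice_session = Session()
    alice = Client(alice_session)
    mallory_session = Session()  # attacker's own, legitimately opened session

    pkt = alice.send(b"login user=alice")
    results["first_delivery"] = server_accept(alice_session, pkt)
    # Mallory captured pkt on the wire and resends it into Alice's session.
    results["replay_same_session"] = server_accept(alice_session, pkt)
    # Mallory resends it over her own connection: the counter happens to
    # match (both sessions expect 0) but the key does not, so the MAC fails.
    results["replay_other_session"] = server_accept(mallory_session, pkt)

    # Alek's question (2): one symmetric key for all clients. Mallory, as a
    # legitimate client, knows that key and can mint a message for whatever
    # counter value the victim's session expects, so the counter alone
    # buys nothing.
    shared = secrets.token_bytes(32)
    victim_session = Session(shared)
    forged_body = b"transfer to=mallory amount=1000"
    forged = (victim_session.next_seq, forged_body,
              tag(shared, victim_session.next_seq, forged_body))
    results["shared_key_forgery"] = server_accept(victim_session, forged)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The counter is what stops a replay into the same session; the per-session key is what stops a replay into a different session and what makes the counter meaningful at all, since with a shared key any client can forge the counter a victim's session expects. Etienne's scheme therefore needs both parts, which is the point Alek makes about ending up with a version of SSL.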
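Alek's earlier advice in the quoted post, to store salted password hashes rather than encrypted passwords, is illustrated by the following added example (it is not the code from the MSDN how-to he links, which is not reproduced here). It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, salt length and record layout are this example's own choices.

```python
# Added example (not from the thread): salted, iterated password hashing for
# storage. The server can verify a password but never recover it. Record
# layout (salt, digest) and the iteration count are this example's choices.
import hashlib
import hmac
import secrets

HASH_NAME = "sha256"
ITERATIONS = 200_000  # raise as hardware allows; slows offline guessing
SALT_BYTES = 16


def _derive(password, salt):
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                               salt, ITERATIONS)


def make_record(password):
    """Return the record to store for a user: (salt, digest), both bytes.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table for one does not serve the
    other."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, _derive(password, salt)


def verify(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(_derive(password, salt), digest)


def demo():
    """Constructed scenario: two users who happen to pick the same password."""
    db = {
        "mathew": make_record("s3cret"),
        "etienne": make_record("s3cret"),
    }
    return {
        "correct_login": verify(db["mathew"], "s3cret"),
        "wrong_login": verify(db["mathew"], "S3CRET"),
        "same_password_same_record": db["mathew"] == db["etienne"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

One caveat on Mathew's plan of returning "the hashed password to be used for all subsequent webservice data calls": whatever token the server accepts as a credential is, for an attacker who captures it, as good as the password, so the stored digest should never leave the server. Session-bound tokens over SSL, as Alek recommends, avoid that.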