Re: encrypt password for webservices

From: Alek Davis (alek_DOT_davis_AT_intel_DOT_com)
Date: 04/11/03


O-ops. Everything that reads 'SAL' in my previous post should be 'SSL'. This
is what happens when you accidentally click Change All in the spell checker.

-- Alek

"Alek Davis" <alek_DOT_davis_AT_intel_DOT_com> wrote in message
news:uNWyI2EADHA.2368@TK2MSFTNGP11.phx.gbl...
> Hi Ettienne,
>
> I am not an expert in this area (SAL), but this is how I understand it. SAL
> uses a (symmetric) session key to encrypt data. The good thing about this
> key is that it is defined for an HTTP connection between a single instance
> of a Web client and a Web server. So, if I grab someone else's data sent
> over SAL and resend it on my behalf, the Web server will not be able to
> decrypt them, because the Web server will use a different session key, i.e.
> a session key established for my connection, not the connection whose data
> I stole.
>
> I don't know the details of your solution, but I doubt that it is better
> than SAL. Whenever you deal with passing sensitive data between server and
> client, whether it is a Web application or a traditional client-server, the
> only way to avoid a replay attack (or whatever it is called when a hacker
> simply resends stolen data), is by having a session between server and a
> client with a session-specific key. We spent a lot of time (well, maybe not
> a lot, but at least some) trying to come up with an alternative, but could
> not. If you want to make your own solution, you will probably end up
> implementing your version of SSL.
>
> If you give me more details, I can probably tell you the vulnerabilities of
> your approach (feel free to e-mail me directly). The questions I would ask
> are:
>
> (1) Which key do you use: public or symmetric?
> (2) If you are using symmetric key, is it the same for all clients?
> (3) How does the server keep track of the number of requests from a
> particular client?
> (4) What prevents a hacker from simply re-posting the first post of the valid
> query?
>
> Basically, I would like to know what you are protecting and how your
> solution protects whatever you are protecting.
>
> -- Alek
>
> "Etienne Charland" <mystery@golden.net> wrote in message
> news:e0csPG9$CHA.824@TK2MSFTNGP11.phx.gbl...
> > Alek, do you know how SSL works to enforce security? What prevents someone
> > from taking an encrypted request and sending it again? The server must accept a
> > particular query once, but not 2 times. When implementing my remoting
> > security solution, the only way I found is to have a counter that
> > increments. The client encrypts the incremental value, and the server
> > compares it to see if it's the good one. Does it work like that in SSL, or
> > does it have that flaw?
> >
> > Etienne
> >
> > "Alek Davis" <alek_DOT_davis_AT_intel_DOT_com> wrote in message
> > news:OM6CHM7$CHA.3124@TK2MSFTNGP11.phx.gbl...
> > > Mathew,
> > >
> > > Are you asking how to use encryption for secure communication or
> storage?
> > >
> > > For secure communication use SSL. It is the only viable option which can
> > > prevent a hacker from impersonating another user by simply grabbing someone
> > > else's credentials, whether they are encrypted or not encrypted. This means
> > > that if you are passing credentials in every method, then every method
> > > should be called over SSL.
> > >
> > > For storage, do not use encryption, use hashing instead. If you only use
> > > passwords to verify user's credentials, there is no need to decrypt them.
> > > Just store password hashes in the database and compare hashes (with salt)
> > > instead of plaintext values. This way you eliminate the hassles associated
> > > with key management. Check How To: Use Forms Authentication with SQL Server
> > > 2000 (at
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp
> > > or http://tinyurl.com/99hg) for a nice example.
> > >
> > > -- Alek
> > >
> > > "Mathew Michuta" <nektoinphx@yahoo.com> wrote in message
> > > news:017201c2fedd$0725f1f0$a501280a@phx.gbl...
> > > > I'll start by saying I've never done any encryption
> > > > before. All my apps before now have been on an isolated
> > > > network, with no real need.
> > > >
> > > > But now I need to use it. I have created webservices that
> > > > return data to a vb.net windows forms application. It
> > > > works fine receiving the username, password, and various
> > > > other parameters, but now I need to add some sort of
> > > > encryption so my passwords are not flying all over the
> > > > internet in plain text.
> > > >
> > > > my ideal solution would be that the user logs into the vb
> > > > app in florida using username and password. vb app
> > > > encrypts username and password, requests authentication
> > > > from my webservice in idaho, webservice receives string
> > > > data, decrypts, compares to value stored in sql, and
> > > > returns either 1(successful)/0(unsuccessful) or the hashed
> > > > password to be used for all subsequent webservice data
> > > > calls. I have set up all my webservices to require the
> > > > username/password to be sent regardless of the function of
> > > > the webmethod.
> > > >
> > > > My question is how do I do that? Are there any tutorials
> > > > on how to use encryption in that manner? I'm assuming that
> > > > I would not want to encrypt all data, due to performance
> > > > issues on the server and client.
> > > >
> > > > Thanks in advance.
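The thread makes two points worth seeing in code: store salted password hashes rather than reversible ciphertext, and tie every request to a session-specific key plus a per-client counter so that a captured request cannot be resent, either on the same session or from a different one. The following Python is an added example written for this page; it is not code from any of the posters and does not reflect how their .NET web services were built. It assumes PBKDF2-HMAC-SHA256 with an arbitrarily chosen work factor as the "hash with salt" (a stronger choice than a bare hash), an HMAC over client id, counter and body as the "encrypted counter" idea, and constructed client names and request bodies.

```python
import hashlib
import hmac
import os

# ---- Storage side: keep salted password hashes, never encrypted passwords ----
PBKDF2_ITERATIONS = 200_000  # assumption: work factor chosen for this example only


def make_password_record(password: str) -> dict:
    """Build the database record for a new password: a random per-user salt and
    the PBKDF2-HMAC-SHA256 digest of the password under that salt.
    Nothing stored here can be turned back into the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# ---- Transport side: session key + monotonic counter, checked by the server ----
def sign_request(session_key: bytes, client_id: str, counter: int, body: str) -> str:
    """Client side: bind client id, counter and body together under the session key.
    Changing any field (including bumping the counter) invalidates the tag."""
    msg = f"{client_id}|{counter}|{body}".encode("utf-8")
    return hmac.new(session_key, msg, "sha256").hexdigest()


class ReplayGuard:
    """Server side: one session key and one 'highest counter accepted' per client."""

    def __init__(self) -> None:
        self.session_keys: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}

    def open_session(self, client_id: str) -> bytes:
        # A fresh random key per session is what makes one client's captured
        # request useless when resent from another client's session.
        key = os.urandom(32)
        self.session_keys[client_id] = key
        self.last_counter[client_id] = -1
        return key

    def accept(self, client_id: str, counter: int, body: str, tag: str) -> str:
        key = self.session_keys.get(client_id)
        if key is None:
            return "rejected: unknown session"
        expected = sign_request(key, client_id, counter, body)
        # Check the tag first: the counter is only trustworthy once the tag
        # proves it was produced under this session's key.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if counter <= self.last_counter[client_id]:
            return "rejected: replay"
        self.last_counter[client_id] = counter
        return "accepted"


def demo() -> list:
    """Walk through the cases the thread discusses; names and body are constructed."""
    server = ReplayGuard()
    alice_key = server.open_session("alice")
    body = "GetAccountBalance"
    tag = sign_request(alice_key, "alice", 0, body)
    results = [
        server.accept("alice", 0, body, tag),   # genuine first request
        server.accept("alice", 0, body, tag),   # same bytes resent: counter not advanced
        server.accept("alice", 1, body, tag),   # counter bumped but tag was made for 0
    ]
    server.open_session("mallory")
    results.append(server.accept("mallory", 0, body, tag))  # alice's tag under another session key
    tag2 = sign_request(alice_key, "alice", 1, body)
    results.append(server.accept("alice", 1, body, tag2))   # alice's own next request
    return results


if __name__ == "__main__":
    record = make_password_record("correct horse")
    print("password ok:", verify_password(record, "correct horse"))
    print("wrong password ok:", verify_password(record, "wrong"))
    for outcome in demo():
        print(outcome)
```

The order of checks in `accept` is the part that matters: a counter is only meaningful after the tag has shown it came from the holder of the session key, otherwise an attacker could simply increment the counter on a captured request. The password half keeps no secret key on the server at all, which is the key-management saving the thread refers to.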