Re: encrypt password for webservices

From: Alek Davis (alek_DOT_davis_AT_intel_DOT_com)
Date: 04/11/03


From: "Alek Davis" <alek_DOT_davis_AT_intel_DOT_com>
Date: Fri, 11 Apr 2003 11:12:21 -0700


O-ops. Everything that reads 'SAL' in my previous post should be 'SSL'. This
is what happens when you accidentally click Change All in the spell checker.

-- Alek

"Alek Davis" <alek_DOT_davis_AT_intel_DOT_com> wrote in message
news:uNWyI2EADHA.2368@TK2MSFTNGP11.phx.gbl...
> Hi Etienne,
>
> I am not an expert in this area (SAL), but this is how I understand it. SAL
> uses a (symmetric) session key to encrypt data. The good thing about this
> key is that it is defined for an HTTP connection between a single instance
> of a Web client and a Web server. So, if I grab someone else's data sent
> over SAL and resend it on my behalf, the Web server will not be able to
> decrypt them, because the Web server will use a different session key, i.e.
> a session key established for my connection, not the connection whose data
> I stole.
>
> I don't know the details of your solution, but I doubt that it is better
> than SAL. Whenever you deal with passing sensitive data between server and
> client, whether it is a Web application or a traditional client-server, the
> only way to avoid a replay attack (or whatever it is called when a hacker
> simply resends stolen data) is by having a session between server and
> client with a session-specific key. We spent a lot of time (well, maybe not
> a lot, but at least some) trying to come up with an alternative, but could
> not. If you want to make your own solution, you will probably end up
> implementing your version of SSL.
>
> If you give me more details, I can probably tell you the vulnerabilities of
> your approach (feel free to e-mail me directly). The questions I would ask
> are:
>
> (1) Which key do you use: public or symmetric?
> (2) If you are using a symmetric key, is it the same for all clients?
> (3) How does the server keep track of the number of requests from a
> particular client?
> (4) What prevents a hacker from simply re-posting the first post of the
> valid query?
>
> Basically, I would like to know what you are protecting and how your
> solution protects whatever you are protecting.
>
> -- Alek
>
> "Etienne Charland" <mystery@golden.net> wrote in message
> news:e0csPG9$CHA.824@TK2MSFTNGP11.phx.gbl...
> > Alek, do you know how SSL works to enforce security? What prevents
> > someone from taking an encrypted request and sending it again? The server
> > must accept a particular query once, but not twice. When implementing my
> > remoting security solution, the only way I found is to have a counter that
> > increments. The client encrypts the incremental value, and the server
> > compares it to see if it's the good one. Does it work like that in SSL, or
> > does it have that flaw?
> >
> > Etienne
> >
> > "Alek Davis" <alek_DOT_davis_AT_intel_DOT_com> wrote in message
> > news:OM6CHM7$CHA.3124@TK2MSFTNGP11.phx.gbl...
> > > Mathew,
> > >
> > > Are you asking how to use encryption for secure communication or
> > > storage?
> > >
> > > For secure communication use SSL. It is the only viable option which
> > > can prevent a hacker from impersonating another user by simply grabbing
> > > someone else's credentials, whether they are encrypted or not encrypted.
> > > This means that if you are passing credentials in every method, then
> > > every method should be called over SSL.
> > >
> > > For storage, do not use encryption, use hashing instead. If you only use
> > > passwords to verify users' credentials, there is no need to decrypt
> > > them. Just store password hashes in the database and compare hashes
> > > (with salt) instead of plaintext values. This way you eliminate the
> > > hassles associated with key management. Check How To: Use Forms
> > > Authentication with SQL Server 2000 (at
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp
> > > or http://tinyurl.com/99hg) for a nice example.
> > >
> > > -- Alek
> > >
> > > "Mathew Michuta" <nektoinphx@yahoo.com> wrote in message
> > > news:017201c2fedd$0725f1f0$a501280a@phx.gbl...
> > > > I'll start by saying I've never done any encryption
> > > > before. All my apps before now have been on an isolated
> > > > network, with no real need.
> > > >
> > > > But now I need to use it. I have created webservices that
> > > > return data to a VB.NET Windows Forms application. It
> > > > works fine receiving the username, password, and various
> > > > other parameters, but now I need to add some sort of
> > > > encryption so my passwords are not flying all over the
> > > > internet in plain text.
> > > >
> > > > My ideal solution would be that the user logs into the VB
> > > > app in Florida using username and password. The VB app
> > > > encrypts username and password, requests authentication
> > > > from my webservice in Idaho, the webservice receives string
> > > > data, decrypts, compares to the value stored in SQL, and
> > > > returns either 1 (successful)/0 (unsuccessful) or the hashed
> > > > password to be used for all subsequent webservice data
> > > > calls. I have set up all my webservices to require the
> > > > username/password to be sent regardless of the function of
> > > > the webmethod.
> > > >
> > > > My question is how do I do that? Are there any tutorials
> > > > on how to use encryption in that manner? I'm assuming that
> > > > I would not want to encrypt all data, due to performance
> > > > issues on the server and client.
> > > >
> > > > Thanks in advance.
> > >
> >
>
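
Alek's storage advice in the quoted thread (store a salted hash, compare hashes, never decrypt) as an added example. This is not code from any poster and is written in Python rather than the VB.NET/SQL setup Mathew describes; the algorithm (PBKDF2-HMAC-SHA256), the 16-byte per-user salt, the iteration count and the in-memory `USERS` table standing in for the SQL table are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256 with a
# random 16-byte salt per user and a fixed iteration count.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def make_password_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the value to store in the users table:
    'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>'.
    The salt is stored next to the hash; it is not secret, it only makes
    equal passwords produce different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and
    compare in constant time. Nothing is ever decrypted."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_b64, hash_b64 = parts
    try:
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


# Constructed in-memory stand-in for the SQL users table in the thread.
USERS: Dict[str, str] = {}

# Dummy record so a lookup miss costs the same hashing time as a miss on
# the password, which keeps "user exists" from leaking through timing.
DUMMY_RECORD = make_password_record("not-a-real-password")


def register(username: str, password: str) -> None:
    USERS[username] = make_password_record(password)


def authenticate(username: str, password: str) -> int:
    """Return 1 on success and 0 on failure, matching the 1/0 result the
    original poster described."""
    record = USERS.get(username)
    if record is None:
        verify_password(DUMMY_RECORD, password)
        return 0
    return 1 if verify_password(record, password) else 0


if __name__ == "__main__":
    register("mathew", "s3cret")
    print(authenticate("mathew", "s3cret"), authenticate("mathew", "wrong"), authenticate("nobody", "s3cret"))
```

The record format carries its own algorithm name and iteration count, so the parameters can be raised later and old rows re-hashed on the user's next successful login without a migration that needs the plaintext. `hmac.compare_digest` is used for the final comparison so that the time taken does not depend on how many leading bytes match.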


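Etienne's counter idea and Alek's follow-up questions (which key, is it per client, how does the server track requests, what stops a re-post) as an added example of what a server-side replay check of that shape looks like. This is not Etienne's or Alek's code and is not how SSL itself works; it is a constructed Python illustration. It assumes a per-client HMAC-SHA256 key provisioned out of band, a client that keeps a monotonically increasing counter, and a server that remembers the highest counter it has accepted for each client; the client ids and keys are constructed values.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed per-client secrets, assumed to be provisioned out of band
# (for example when the client is enrolled). Illustrative values only.
CLIENT_KEYS: Dict[str, bytes] = {
    "florida-app-01": b"constructed-secret-for-client-01",
    "florida-app-02": b"constructed-secret-for-client-02",
}


def compute_mac(key: bytes, client_id: str, counter: int, body: str) -> str:
    """HMAC-SHA256 over (client id, counter, body), so the tag is bound to
    this client, this sequence number and this payload."""
    message = json.dumps([client_id, counter, body], separators=(",", ":")).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_request(client_id: str, counter: int, body: str) -> dict:
    """Client side: the caller keeps its own increasing counter and
    attaches a MAC computed with its own key."""
    return {
        "client": client_id,
        "counter": counter,
        "body": body,
        "mac": compute_mac(CLIENT_KEYS[client_id], client_id, counter, body),
    }


class ReplayGuard:
    """Server side: remembers the highest counter accepted per client."""

    def __init__(self) -> None:
        self.last_counter: Dict[str, int] = {}

    def accept(self, request: dict) -> Tuple[bool, str]:
        key = CLIENT_KEYS.get(request.get("client", ""))
        if key is None:
            return False, "unknown client"
        counter = request.get("counter")
        if not isinstance(counter, int):
            return False, "bad counter"
        expected = compute_mac(key, request["client"], counter, request.get("body", ""))
        # Check the MAC before the counter so a forged message cannot
        # advance (or probe) another client's sequence state.
        if not hmac.compare_digest(expected, request.get("mac", "")):
            return False, "bad mac"
        if counter <= self.last_counter.get(request["client"], 0):
            return False, "replay"
        self.last_counter[request["client"]] = counter
        return True, "ok"


def demo() -> list:
    """Walk through the cases discussed in the thread; returns the verdicts."""
    guard = ReplayGuard()
    first = build_request("florida-app-01", 1, "GetOrders")
    verdicts = [guard.accept(first)[1]]           # fresh request: ok
    verdicts.append(guard.accept(first)[1])       # same bytes resent: replay
    second = build_request("florida-app-01", 2, "GetOrders")
    verdicts.append(guard.accept(second)[1])      # next counter: ok
    # A captured request relabelled with another client's id no longer
    # matches a MAC under that client's key.
    relabelled = dict(first, client="florida-app-02")
    verdicts.append(guard.accept(relabelled)[1])  # bad mac
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two properties of this design answer Alek's questions directly: the key is per client (so a tag made under one client's key fails verification when presented as another client's), and the server has to keep per-client state (the last accepted counter), which is exactly the bookkeeping his third question asks about. The MAC gives integrity and origin only; it does not hide the body, so the thread's point that the credentials themselves still travel under SSL stands.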
