Passing username/password in a secure way on a Remoting call
From: Elp (rockfamily_at_REMOVEME.hotmail.com)
Date: 10/16/03
Date: Thu, 16 Oct 2003 15:14:46 +0100
Hi,
I'm developing a distributed application where a client app calls some
methods on a remote .NET remoting object. For some reasons, I have to host
that object within a Windows service (not IIS) using a TCP channel and I
can therefore not use the authentication features of IIS (this was anyway
not suitable for our needs).
The remote object has to ensure that the client is allowed to call its
methods: to achieve that, I pass a username and password as parameters for
each remote function call. Right now, this info is passed in clear text and
I guess that it could be possible for an attacker to "read" those
credentials directly on the wire. What could I do to make that more secure?
I've read an article which explains how to use symmetric key
encryption/decryption but if I use that to encrypt the password, I need to
hardcode in the client and server apps the values used to generate the key
and, as .NET code can be easily reverse engineered, this is not really what
I would call security. I have therefore a few questions for those more
knowledgeable than me :-) (it's the first time that I have to deal with some
security problem):
- is encryption using symmetric key the way to go in my situation?
- if not, do you have any other idea?
- how can I protect the values used to generate a symmetric key as hardcoding
them in code is not secure at all? There's maybe some way to store those
values somewhere else on the computer.
Thanks a lot for your help.