Re: Newbie question
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 10 May 2007 23:23:13 -0500
You are trying to create the equivalent of a federated identity management
using a custom protocol of your own design. You would be much more well
suited using one of the standards-based protocols for implementing federated
identity such as WS-Federation or SAML 2.0. WS-Federation is the protocol
used by Microsoft's ADFS system and is what I would recommend here.
However, it does place demands on your partners to implement ADFS on their
side as well.
ADFS does give you a secure, standards-based way of transferring identity
between partner organizations though with a lot more flexibility than the
system you have suggested.
That said, encryption isn't really as important here as tamper resistance.
Essentially, your key goal is to ensure that an end user can't just type
whatever they want for the user name. You want to ensure that the value was
generated by something you trust.
You generally do this with a digital signature or message authentication
code (MAC). They are similar, but signatures typically use public/private
keys where as MACs use symmetric keys. Symmetric crypto is usually easier
to code than asymmetric, but the down side is that you need to exchange a
symmetric key.
Note that if you want any of this to be secure, you need to combine this
with SSL. Whether or not you encrypt or sign the value representing the
username, if someone else can see the query string, they can steal it and
impersonate the user.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jason" <JasonJason@xxxxxxxxxxxxx> wrote in message
news:%23Ei6i80kHHA.4312@xxxxxxxxxxxxxxxxxxxxxxx
OK, go easy, I'm a crypto-newbie, and also not sure if this is the right
group for this posting.
Here's the scenario:
I have a web site and want business partners to be able to link to my web
site from theirs, so I provide them the html syntax they can put on their
site to link to an .aspx page on mine.
If a user is signed on their site, I want that user to be signed on on my
site, so these corporate partners also have the option of sending
additional information in the querystring of this link that relays
information about the user currently logged in at their site (user id,
name, etc.).
e.g. href='http://www.abc.com/target.aspx?id=123456&username=jason'
I want this information to be encrypted so it is secure
e.g. href='http://www.abc.com/target.aspx?id=h5gv2k&username=e6fy1'
When my target.aspx page gets the request, I can look for the querystring
parameters (username, id, etc.), decrypt the values, and take some action.
Here's my approach:
After doing some reading, it seems like public-key encryption is the way
to go. I would provide a public key for each corporate partner to use for
encrypting these values, and retain a private key for each partner that I
could use to decrypt the data in the code behind my target.aspx page.
To do this, I'd use either the DSACryptoServiceProvider class or the
RSACryptoServiceProvider class.
So I have some questions:
1. Will my corporate partners be able to encrypt their data using the RSA
(or DSA) library of their choosing?
2. Must they use the same certain version to encrypt the text as I'll be
using to decrypt the text? A platform-specific version?
3. Which of these is the better choice?
4. Any gotchas I should be aware of (certificates that need to be
installed on the server, etc.)?
and finally, to keep an open mind,
5. Is there a better way to solve this need?
TIA,
/jason
.
- Follow-Ups:
- Re: Newbie question
- From: Jason
- Re: Newbie question
- References:
- Newbie question
- From: Jason
- Newbie question
- Prev by Date: Newbie question
- Next by Date: Re: Accessing certificate store from ASP.NET web project
- Previous by thread: Newbie question
- Next by thread: Re: Newbie question
- Index(es):
Relevant Pages
|
