Re: Newbie question
- From: "Jason" <JasonJason@xxxxxxxxxxxxx>
- Date: Fri, 11 May 2007 12:38:21 -0700
Thanks Joe,
I'm not familiar with MACs or digital signatures, but I definitely want to
know that the request is coming from a trusted source.
How would the MAC or signature be transmitted to my site?
Would it be acceptable to have the partner encrypt the MAC with the
symmetric key and send it in the querystring as well?
/jason
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OzrAYQ4kHHA.208@xxxxxxxxxxxxxxxxxxxxxxx
You are trying to create the equivalent of a federated identity management
using a custom protocol of your own design. You would be much better
suited using one of the standards-based protocols for implementing
federated identity such as WS-Federation or SAML 2.0. WS-Federation is
the protocol used by Microsoft's ADFS system and is what I would recommend
here. However, it does place demands on your partners to implement ADFS on
their side as well.
ADFS does give you a secure, standards-based way of transferring identity
between partner organizations though with a lot more flexibility than the
system you have suggested.
That said, encryption isn't really as important here as tamper resistance.
Essentially, your key goal is to ensure that an end user can't just type
whatever they want for the user name. You want to ensure that the value
was generated by something you trust.
You generally do this with a digital signature or message authentication
code (MAC). They are similar, but signatures typically use public/private
keys whereas MACs use symmetric keys. Symmetric crypto is usually easier
to code than asymmetric, but the downside is that you need to exchange a
symmetric key.
Note that if you want any of this to be secure, you need to combine this
with SSL. Whether or not you encrypt or sign the value representing the
username, if someone else can see the query string, they can steal it and
impersonate the user.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Jason" <JasonJason@xxxxxxxxxxxxx> wrote in message
news:%23Ei6i80kHHA.4312@xxxxxxxxxxxxxxxxxxxxxxx
OK, go easy, I'm a crypto-newbie, and also not sure if this is the right
group for this posting.
Here's the scenario:
I have a web site and want business partners to be able to link to my web
site from theirs, so I provide them the html syntax they can put on their
site to link to an .aspx page on mine.
If a user is signed on their site, I want that user to be signed on on my
site, so these corporate partners also have the option of sending
additional information in the querystring of this link that relays
information about the user currently logged in at their site (user id,
name, etc.).
e.g. href='http://www.abc.com/target.aspx?id=123456&username=jason'
I want this information to be encrypted so it is secure
e.g. href='http://www.abc.com/target.aspx?id=h5gv2k&username=e6fy1'
When my target.aspx page gets the request, I can look for the querystring
parameters (username, id, etc.), decrypt the values, and take some
action.
Here's my approach:
After doing some reading, it seems like public-key encryption is the way
to go. I would provide a public key for each corporate partner to use for
encrypting these values, and retain a private key for each partner that I
could use to decrypt the data in the code behind my target.aspx page.
To do this, I'd use either the DSACryptoServiceProvider class or the
RSACryptoServiceProvider class.
So I have some questions:
1. Will my corporate partners be able to encrypt their data using the RSA
(or DSA) library of their choosing?
2. Must they use the same certain version to encrypt the text as I'll be
using to decrypt the text? A platform-specific version?
3. Which of these is the better choice?
4. Any gotchas I should be aware of (certificates that need to be
installed on the server, etc.)?
and finally, to keep an open mind,
5. Is there a better way to solve this need?
TIA,
/jason
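The MAC-over-querystring scheme discussed above, as an added example that is not code from either poster: the partner appends an HMAC-SHA256 of the query parameters (plus a timestamp and nonce) as one more parameter, and the target page recomputes it with the shared symmetric key before trusting the username. The key value, URL and window length are constructed assumptions; the protocol is language-neutral, shown here in Python.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Shared symmetric key, exchanged out of band with one partner (constructed sample value).
SHARED_KEY = b"partner-abc-shared-key-constructed-example"
MAX_AGE_SECONDS = 300  # assumed acceptance window for the timestamp


def canonical(params: dict) -> str:
    # Sort keys so both sides MAC the same byte string regardless of URL parameter order.
    return urlencode(sorted(params.items()))


def build_link(base_url: str, user_id: str, username: str, key: bytes = SHARED_KEY, now=None) -> str:
    """Partner side: build the link with id, username, timestamp, nonce and the MAC over them."""
    ts = int(time.time() if now is None else now)
    params = {"id": user_id, "username": username, "ts": str(ts), "nonce": secrets.token_hex(8)}
    params["mac"] = hmac.new(key, canonical(params).encode(), hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode(params)}"


def verify_link(url: str, key: bytes = SHARED_KEY, now=None, seen_nonces=None):
    """Target page side: return the trusted parameters, or None if the MAC, age or nonce check fails."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in qs.items()}
    mac = params.pop("mac", None)
    if mac is None or "ts" not in params or "nonce" not in params:
        return None
    # The MAC covers id, username, ts and nonce; any edit to them changes the expected value.
    expected = hmac.new(key, canonical(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    if abs(now - int(params["ts"])) > MAX_AGE_SECONDS:  # stale link (replay beyond the window)
        return None
    if seen_nonces is not None:  # optional replay check within the window
        if params["nonce"] in seen_nonces:
            return None
        seen_nonces.add(params["nonce"])
    return params
```

As the thread notes, the MAC only proves who generated the link; it does not hide the username from anyone who can see the query string, which is why the whole exchange still needs SSL.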