I have a website that communicate with the webservice(the website doesn't have Database all communication via Webservice).
so you can access this webservice, you need a AES key to encrypt some fields and the webservice verify this encryption.
the AES key used in the website I put it in web.config for test,but I don't think this is a good approach for production.
so my question is where to store the AES key for the website.
Related
Good day,
I am very new to database/application/connection security and would like some help on a project.
Let me explain my environment :
I have a username A and password A being saved in a database (A) on a local machine.
Password A is being stored using a type of hashing algorithm with salt A.
I am sending the credentails (Username A and Password A) via a HTTPS SOAP Call to a webservice sitting remotely.
Apon receiving Username A and Password A the webservice validates those credentials to a table sitting in database (B) local to the webservice location.
My Problem : If someone gets access to database A and extracts the hashed passwords they can use a SOAP request to connect to the webservice. This means that my security is null and VOID.
I have to possible solutions :
SOLUTION 1 : Before sending password A to the webservice, I decrypt it and send it over plaintext via the Secured HTTPS connection. The webservice will then encrypt it again when validating agains the hash stored in database B.
SOLUTION 2 : Before sending password A to the webservice, I do a second encryption to that existing hash. When arriving at the webservice, it is decrypted to expose the hash which is .then validated against database B.
My Question : Is any of the 2 solutions above, best practice. If not, what would be a best practive solution for this scenario.
Kind Regards
Just a few notes
there is difference between hash (one way, non-reversible) and encryption (reversible). You cannot decrypt hashed value.
I will assume you are working with service credentials, not user's identity credentials
Here I will assume you are talking bout
SOLUTION 2 : Before sending password A to the webservice, I do a second encryption to that existing hash. When arriving at the webservice, it is decrypted to expose the hash which is .then validated against database B.
The hash effectively becomes a password, it doesn't add any security to the solution
SOLUTION 1 : Before sending password A to the webservice, I decrypt it and send it over plaintext via the Secured HTTPS connection.
There are several standards to authenticate the SOAP WS client, using simple credentials it's WS-UsernameToken. Effectively the client sends its username and password plain, relying HTTPS to handle the channel security.
My Problem : If someone gets access to database A and extracts the hashed passwords they can use a SOAP request to connect to the webservice
One the password is hashed, you won't be able to decrypt it, but as well you cannot use the hashed value as a password. Otherwise you will get the "solution 2" and you are using the hash as a password.
Indeed, this is generally a problem. You may search other questions, how to store service credentials locally. The whole problem is - you need to store the credentials. In my experience the best you can do at least make retrieval somewhat harder, e.g. encrypt the service passwords so they are not stored plain in the database or config files. At the end the client application needs the encryption key somewhere to decrypt the credentials. The key needs to be protected as well.
If you are dealing with user credentials (user identities), do not store the user passwords at all at the client side, there are other ways how to authorize user actions (access token, jwt token, ..)
If you are using xml based SOAP you can use WS-Security to encrypt the password and sign your request data so that the integrity and security of your password is ensured, and the send the data over https.
For storing passwords you should use irreversible crypto hash like sha2, at server you will decrypt the password, create sha2 hash and match it against the one from database
I have a client server based application where user is presented with login screen in the client. It then passes the credentials to the server which does the authentication. Client-server communication happens via a web service hosted on the server using https protocol (with TLS1.2 support). Client passes username and password to the web service. I am thinking of encrypting the password evethough I am using https based communication. My questions are:
Is it worthwhile to do a second level of encryption for password?
Is there any good practices to follow (like which algorithm to use etc)?
Its a MFC based application written in C++. Does windows provide any methods to do this?
I agree you should ask the first two question Information Security Stack Exchange.
Yes windows provides some methods to do encryption. There is a whole library called Microsoft CNG
Do not be tempted to use their obsolete "Cryptography API" - CAPI.
DO NOT be tempted to write crypto code yourself.
If you are using HTTPS/TLS1.2 and pin the certificate there is no reason to further encrypt the data.
https encrypt the entire transmission except for the URL address, thus the query string, etc is encrypted.
Encrypting the password just moves the problem to how will the encryption key be shared between the client and server?
I am working on a User Authentication mechanism for ColdFusion Web Service called from mobile apps. The app developer wants to encrypt the User Id and password using AES. ColdFusion requires a key in order for the string to be decrypted, but, how can I know the key, if it's not generated on my server?
Yup, #Henry has it right. You will need the key (stored securely of course).
I'm trying to protect my Django restful api.
I got two clients :
my Django Front end application (Ajax requests on my server)
a python application using httplib to make its own requests
For now I'm using HTTP Basic Authentication to allow a client to consume a resource.
A basic username/password on a auth method managing a cookie session.
In production I ensure that my API is only available over https.
I tried to implement HMAC construction (because I don't want to put my password on the wire, but I have to store the secret at both ends). This work well with my other python application, but not with my Django Front end application since any user can see the javascript code.
I tried to implement an other authentication method because I don't want to really maintain a session state (not really REST).
curl -H "PERSONAL_SECRET_API_KEY: TokenKeyxxxxxxxxxx" https://localhost:8000/api/resource/
Here my questions:
What are the weaknesses of the basic Authentication System ?
Is there another method which suit my purposes ?
Thank you
Being prone to repeat attack is in my opinion the largest weakness of basic authentication.
Have you considered public/private key infrastructure? Client apps create public/private key pairs. Public keys are stored on the server. Client app encrypts its request with private key, server can decrypt it with client app's public key and send the response the same way.
I am creating a web service for end users which will have a front-end in the form of an Adobe AIR desktop app but users will be able to access their data through the website too. User's data will be synchronized between the server and the local data store. The problem is that I cannot get an SSL certificate. Is there a way to make this more secure....
I think I can use something like two-legged oAuth or an Amazon S3 like authentication system?
What do you recommend in such a situation?
The first question is: why can you not get an SSL certificate? I can think of two reasons:
SSL certificates are too expensive
You don't want to have a certificate issued by a third party
If your problem is #1, StartSSL provides free certificates with a 1-year validity or charges $50 for unlimited certificates valid for 2 years (including wildcards). They are recognized by both Mozilla and the Microsoft trust store.
If the issue is #2, why not issue a self-signed certificate and hard-code it into your application? That does not compromise the security of the system at all (only your particular cert will be accepted by the app), but eliminates the need to "get" an SSL certificate from somewhere else.
If you really really can't use SSL, look at challenge-response systems such as Kerberos or anonymous key-material generators like Diffie-Hellman (with an asymmetric key for server identity validation). Many methods exist for secure two-party authentication over an insecure line. The key is that the ID verification step must be challenge-response instead of a "send me your secret" scheme.