I am building a windows 8 application which will be used as the interface to a web service I have running.
I need to find a safe way of encrypting sensitive data to pass, then decrypt it the other end.
Two things I need to do (as they may require separate methods);
1) User will enter a username and password which needs to be authenticated
2) User will enter personal information to be saved.
Now I have looked at many encryption/decryption methods, but I cannot find anything which is common place between the two. For example System.Security.Cryptography is not available within the windows 8 app, and my website can't use CryptographicEngine.
I am basically trying to find the best way to DO what I need to do. Along with a way of actually doing it in code.
You will not be able to use the same namespaces, as you have recognized. What you need to do is settle on a standard crypto algorithm on both ends.
Here is a discussion for one approach on the Win8 side using AES256. http://social.msdn.microsoft.com/Forums/en/winappswithcsharp/thread/8f9ecac4-80d2-47c8-8c41-9d7877565bf5
Here is a solution for doing AES256 with regular .NET
http://msdn.microsoft.com/en-us/magazine/cc164055.aspx
If you just need to secure the channel, then use an HTTPS web service, that's what HTTPS was designed for. The client-side HttpWebRequest class should just do the rest for you.
You'll need a certificate on the web server.
Related
I have the problem that I want to program a program that will have to interact with some 3rd party web service. This service requires for specific actions that the client (my program) authorizes itself by both a username/password combination as well as a token. The username/password is specific to the user of my program and no of a problem here. The token (API key) is a problem.
Suppose I want to make my program open source and put its sources on some public server. Of course I cannot hardcode (or include) the API key. Otherwise I would not only break the contract not to publish it but also any (non-authorized) usage will fall back onto me and my program.
According to my research (e.g. Open source a project but keep API keys confidential or How to hide the API key in my Electron application?) I could put a proxy server (closed source) between the 3rd party API and my program. Now I see two big open doors for bad-minded people to attack this scenario:
As the source code of the main program is open source, any interaction with the proxy can be literally read from source code. An attacker could fork my main program and use exactly the same calls on the proxy but with compromised data. Same result as with openly available keys: My program will get into trouble for other people's bad actions/programming skills.
I could add a username/password to authenticate the program against my proxy. I then offer (free-to-use) registration to the proxy in order to allow my program to be used productively. This adds an additional layer of authentication and complexity but is doable. Anyone really wanting to do bad things will nevertheless be able to obtain a password and use his own fork to access the proxy. I cannot put my own keys/encryption/.... anywhere as the necessary routine to decrypt/imitate these will be publicly visible in the open sourced project.
So now I have simply shifted the problem to detect if the running software is an original one, from the 3rd party to my proxy server. I only have the benefit that I could maybe know which user was the bad guy and ban him but this is all I can do while my token might get revoked by this issue.
I am sorry but I did not find a usable solution in the web to this specific problem. How can I attack this problem (on an abstract level)?
I am in the process of designing an application that users will be able to log on remotely and use - via a web interface.
Security is of paramount importance (think credit card and personal banking type information)- so I need to make sure that I get the security aspect nailed down - HARD.
I intend to provide the application functionality via traditional (stateful) web pages , as well as web services.
For what its worth, I am intending to use web2py as my web application framework.
Is there a list of guidelines I can follow to make sure that I have all areas covered?
One stop shopping: https://www.owasp.org/index.php/Main_Page
Read that and take every suggestion to heart.
you should consider at least the following:
authentication. getting users to log on in some manner. which authentication method they use depends on what you aim to provide
privacy. making sure the information they send is only visible to them and your application and not an eavesdropper.
in the simplest case SSL can take care of both of the above. it will always provide encryption but can also be used to authenticate or at least make some simple authentication mechanism more secure. one thing to look at is security of ssl. ssl is suceptible to a man in the middle attack particluarly when the users already have a trust relationship with, say, their employer - who can them proceed to install an ssl gateway which is effectively a mim.
authorisation. making sure users are only allowed to see what you want them to see and no more.
this really depends on technology you are using.
non reputidation. making sure the user cannot dispute the actions they perform
this is a very open ended question. legally this is seldom (never?) used so it depends... something like signed logs of user requested actions for example is probably enough.
Your biggest threat, by far, is writing server-side webapp code that introduces vulnerabilities in your web application layer. This is not something you can checklist. For a starter, make sure you are 100% comfortable with the items in the OWASP Top Ten and understand how to code safely against them. If you are not expert in web application vulnerabilities, strongly consider hiring someone who is to help review the web layer. At the least, i would consider contacting a security testing company to perform some form of penetration testing, preferably with a code review component.
If you ever do anything with credit card data, you will need to comply with the PCI DSS which will require at least quarterly remote-testing from an Approved Scanning Vendor.
My team and me are currently working on quite a large project. We are working on an online game, which will be accessible (for the moment), in two ways:
-Via a web browser, an application full JavaScript(client-side), full Ajax (basically meaning that the UI will be managed in JS client side).
-Via an iPhone application (the UI will be managed by the application itself).
Between the two different applications, the core logic remains the same, so I believe (I could be wrong), that the best solution would be to create a web service (if possible using standards such as RESTful or Rest) capable of perming all necessary operations.
Following this logic, I have encountered a problem: the authentication and identity management of the user. This poses problem as the applications users need to be authenticated to preform certain operations.
I’ve looked into WS-security, but this obviously requires passwords to be stored, unencrypted on the server, which is not acceptable!
I then looked into Oauth, but at first glance this seemed like a lot of work to set up and not particularly suited to my needs (the way that applications have to be accepted does not please me since it will be my application and my application only using the web service, not any external application).
I’ve read and heard about a lot of other ways to do what I want, but to be honest, I’m a little confused and I don’t know what information is reliable and what isn’t.
I would like to note that I’m using symfony2 for the backend and jquery for the client side JavaScript.
Furthermore, I would like a detailed, step-by-step response, because I really am confused with all that I have read and heard.
Thank you for your time, and I hope someone can help me as it’s quite urgent.
Good evening
I'm not entirely sure if this answers your request, but since the UI will always be handled on the client side, I think you could use stateless HTTP authentication:
This is the firewall in security.yml:
security:
firewalls:
api:
pattern: ^/api/ # or whatever path you want
http_basic: ~
stateless: true
And then the idea basically is that on the server, you use your normal user providers, encoders and whatnot to achieve maximal security, and on the client, you send the HTTP authentication headers, for example, in jQuery:
$.ajax("...", {
username: "Foo",
password: "bar"
});
Please note that since the authentication is stateless (no cookie is ever created), the headers have to be sent with every request, but, I figure, since the application is almost entirely client-side, this isn't a problem.
You can also check the Symfony2 security manual for further information on how to setup HTTP authentication. Also be sure to force HTTPS access in your ACL, so the requests containing the credentials are secured (requires_channel: https in your ACL definitions).
I am looking on advice on how best to approach a new project I need to develop. From the outset I must add, I have 0 experience with Web development on any level.
What I need to do is provide a web interface through the browser which will communicate with a server back end. The data retrieved will be sourced from either a DB or from another source - external device which the server itself will communicate with via IP. The data retrieved from the external device will always be a string format of n length (non unicode) and the DB data will mostly be strings and numbers with the odd blob thrown in (storing a picture). The communication will always go from the Client (web browser) to the Server. I don't believe that the server would need to instigate the comms.
I have Delphi XE, so started looking at using a REST server for communication and I think that seems to be OK. However, from what I can see, I need to create HTML web pages to "render" the data on the web browser. Is that true? Can I use the IW components with a REST server? If so, I'm not sure how to get the data to/from the browser UI. Am I better of investigating Ruby on Rails perhaps? From what I read on a different thread in here, it's based on MVC and some other areas which I feel, design wise, would fit how I would create the application (I was planning on creating the app based on the MVP or similar design pattern).
I think REST makes the most sense, so if the IW components can't be used, are there any 3rd party products I can use which would let me design "pretty" UI html. Given I don't know java script, would that be a stumbling block with REST too.
Thanks and hopefully I have provided enough information.
Thanks
Jason
Will a human being be responsible for typing the data retrieved from your external device into a web page?
If so, and you have no web development experience, Intraweb is definitely the way to go for Delphi programmers wanting to build a web application without learning new skills. For additional components to create a prettier UI I suggest using TMS Software's Intraweb Component Pack Pro.
If you don't need a human being to manually type in this data then you don't need Intraweb at all. Instead you would write a client application which presumably interrogated your external device for the data and then transmitted it to the REST server. Look at the documentation you've used to build your REST server and it should have a section on how to build a REST client.
You can build an ISAPI module with delphi that does the job, or include a HTTP server right into you executable with Indy, ICS or Synapse.
ISAPI will give you the freedom to choose Apache or IIS and give you all their power this way. Embeded HTTP server will give you a nice small application in which you control all ascpects of how it works.
Yes go with REST as it is simple and clean. All you need is to think and design the API (functions that your server will support). You can bind the APIs to the URL schema thus using the REST principle. I would do it simply like this.
A client makes a request. You show some form of GUI (load or render a HTML page with possible javascript)
User makes an action, you call appropriate API (or the user does it directly).
Show the user some result
Just guide the user process through a series of API calls until the result is made
You can use plain HTML and then add javascript if needed (jquery) or you can use ExtJS from Sencha which makes building a nice GUI a lot easier and is very well structured.
I would not use any "WYSIWYG" web tools. Plain old HTML written by your favorite editor is still the king in my opinion.
We developed a web service which is accessed by various platforms clients, for example it is requested by c++ and Java enabled clients.
I want to use simple, effective encryption Algorithm which is easily decrypted by JAVA - C++ and JAVA script based clients.
Why not just deliver your service over HTTPS?
Why write anything?
The most widely-compatible method of Web Service security that is still actually secure is Transport with Message Credentials. This uses SSL (https) for transport-layer security, which handles the encryption aspect, and passes a username/password in the SOAP header, which handles the authentication side.
It is not as secure as mutual-certificate authentication, which also gives you non-repudiation, but it is good enough for the vast majority of applications.
Several other options exist, but T/MC is usually the easiest to get working across platforms (.NET, Java, C++).
If you need to add javascript into the mix then I'm afraid you may be disappointed, as that is a serious game-changer. Although there do seem to exist various JavaScript SOAP Client implementations, SOAP is a second-class citizen in the JavaScript world, and I don't believe that any existing libraries have proper support for WS-Security or really WS-Anything except for the basic profile.
If you want your web service to be consumable by JavaScript then you want to go for REST instead of SOAP. I know that .NET (WCF) is pretty good at this but I'm not too sure how well Java and C++ fare. I believe that the transport security should be simple enough (it's just SSL), but it's likely that you'll have to implement some custom authentication code to get it working across platforms. Either way, you definitely want to go the SSL route; please do not try to roll your own encryption scheme.
If you already have the service implementation which is Base profile compliant and you want to keep on supporting various platform clients, extend your current service with WS-Security/WS-Trust. This will allow for encrypting/signing the content of the message, without loosing interoperability.
Depending on which toolset you used for your original implementation, the inclusion of WS-Security can be as easy as 'flicking a switch and selecting some options in your configuration file' (WCF/ASMX+WSE).
Since you mention the various platforms client side, I assume this is one of your main requirements.
Hope this helps.
You can simply use HTTPS which is easily implementable in both C++/Java clients (e.g. using the GNUtls library). On the server side, you will only need some small configuration changes.
Apart from the different request code, you have to create a self-signed SSL server certificate and install it on the clients. Of course this is not a good idea if the web service is public, where you need trust (= a real SSL certificate). But if it's only used internally, self-signed certificates are a quite good solution, as long as you keep the private key secret.