dotnet security:
Hi,
I'd like to have some advice to set our security procedure.
I've read several blogs and articles and now know several methods and
techniques.
What I need is some code details and best practices.
I have two scenarios. All this is in Web applications and XML Web Services
in C# and .Net.
My web site is outside the domain while the Web services are inside, so I
can't pass a Username Token, right?
1. Users will log in to my web site from any platform.
So, the only way I found to authenticate my users is to let them create an
account with login/password. This account is used only for a shopping basket
feature and to keep some preferences.
So, there is no need to use certificate or passport.
What I thought is: ask for the password and store it encrypted inside the
database with no way to decrypt it.
My questions are:
- does this design seem ok?
- To encrypt the password, do I need a public key?
-- If yes, must it be created and saved somewhere? Where?
-- should it be saved with special encoding?
2. My web site consumes a web service (WS) that is developed in-house but
over which I have no control. This WS requires a login, domain and
encrypted password to be passed. It works in 3 phases:
a) Client asks the server for a public key
b) Client encrypts the password using the public key
c) Client asks for a session id (used in the other WS) using the encrypted password
d) Server decrypts the password and tests that those credentials are valid.
e) Server delivers a SessionID
f) Client uses this SessionID to call methods on another WS.
My questions are:
- This design is not perfect, but it's what exists for the moment.
The main reason was to map outside users to inside users and impersonate them;
what are the best practices for this?
- Must the encrypt/decrypt processes be done with public/private keys?
-- If yes, must they be created and saved somewhere? Where?
-- should they be saved with special encoding?
If you could give me some pointers on all this, thank you very much.
English is not my first language, so please excuse me for some mistakes...
Do not hesitate to correct me or ask for details.
Thanks a lot in advance, have a nice day.
Claude
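One way to implement the a)-e) exchange from scenario 2 together with the one-way password storage from scenario 1, as an added example that is not code from the original post or the in-house WS. It assumes .NET 6 or later; the class names, the 2048-bit RSA key, the PBKDF2 parameters and the sample password are my assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Walk through phases a)-e) once with a constructed sample password, then with a wrong one.
var server = new AuthServer("correct horse battery staple");
byte[] pub = server.GetPublicKey();                                                                // a)
string? sid = server.RequestSession(Client.EncryptPassword(pub, "correct horse battery staple"));   // b)-e)
Console.WriteLine(sid is not null ? $"session {sid}" : "rejected");
Console.WriteLine(server.RequestSession(Client.EncryptPassword(pub, "wrong")) is null ? "wrong password rejected" : "BUG");

static class PasswordStore
{
    const int Iterations = 100_000;  // assumed work factor; tune for your hardware
    // Salt + PBKDF2-SHA256 hash is all that is stored; the password cannot be recovered from it.
    public static (byte[] Salt, byte[] Hash) Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return (salt, Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32));
    }
    // Recompute from the stored salt and compare in constant time.
    public static bool Verify(string password, byte[] salt, byte[] hash) =>
        CryptographicOperations.FixedTimeEquals(
            Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32), hash);
}
class AuthServer
{
    readonly RSA _key = RSA.Create(2048);  // private key never leaves the server
    readonly byte[] _salt, _hash;          // only stored form of the enrolled credential
    public AuthServer(string enrolledPassword) { var c = PasswordStore.Create(enrolledPassword); _salt = c.Salt; _hash = c.Hash; }
    // Phase a): hand out the public key as SubjectPublicKeyInfo DER bytes.
    public byte[] GetPublicKey() => _key.ExportSubjectPublicKeyInfo();
    // Phases c)-e): decrypt, verify against the stored hash, issue a session id or refuse
    // (Decrypt throws on a malformed blob, which fails closed).
    public string? RequestSession(byte[] encryptedPassword)
    {
        string password = Encoding.UTF8.GetString(_key.Decrypt(encryptedPassword, RSAEncryptionPadding.OaepSHA256));
        return PasswordStore.Verify(password, _salt, _hash) ? Guid.NewGuid().ToString("N") : null;
    }
}
static class Client
{
    // Phase b): encrypt the password under the server's public key with OAEP padding.
    public static byte[] EncryptPassword(byte[] serverPublicKey, string password)
    {
        using var rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(serverPublicKey, out _);
        return rsa.Encrypt(Encoding.UTF8.GetBytes(password), RSAEncryptionPadding.OaepSHA256);
    }
}
```

The RSA step only hides the password inside that one message; the session id returned in e) and reused in f) still needs transport protection (TLS) and an expiry on the server side.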