Installation of client side certificate required for generating symmetric key or for a secure communication? - biztalk

I have a requirement in my project where I have to secure the communication between my client application (running on BizTalk Server Send port configured with Office 365 Email adaptor) and Microsoft Office 365 Server. This communication is to be secured by TLS 1.2 and a certificate is provided by MS O365 server during Server hello (handshake process) to later securely exchange the symmetric key generated at client side.
Do I need to install another certificate at client side for either generating this symmetric key or for any other purpose to achieve a better secured communication between the client and server?

No, you don't require another certificate on the client side (BizTalk) to establish a TLS 1.2 connection.
The BizTalk Server does need to trust the certificate, however, but as this is one issued by Microsoft, it should be trusted.

Related

Are messages encrypted when sending from application to Azure IOT Hub over AMQP protocol? Is it SSL Secured?

I am sending messages from my application to Azure IOT Hub over AMQP protocol. I am using Azure.Devices.Client sdk to send messages. I want to know whether the messages sent from the application are encrypted.
Azure IoT Hub only allows encrypted connections from devices. In order to establish an encrypted connection to Azure IoTHub - using industry-standard Transport Layer Security (TLS) - your device needs to trust Baltimore Cybertrust Root CA.
Since you are using Azure IoT Device SDK, establishing an encrypted connection is built-in and as long as you have Baltimore CyberTrust Root on your Trusted Root Certification Authorities your application should just work.
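Both answers above rest on the same point: a TLS client authenticates the server by validating the certificate chain the server presents against a root the client already trusts, and needs no certificate of its own unless the server explicitly demands client authentication. The script below is an added illustration, not code from either question or from Microsoft. It builds a client-side ssl context that does exactly that (platform trust store or a pinned CA bundle, TLS 1.2 floor, hostname check, no client certificate loaded), shows the weakened context beside it for contrast, and exposes a function that completes a handshake as a pure client and returns the issuer and subject of the leaf certificate, so you can confirm which root actually issued it. The host name used at the bottom is only a placeholder for whatever endpoint you are validating.

```python
import socket
import ssl
import sys


def make_server_auth_context(cafile=None):
    """TLS client context that authenticates the server and nothing else.

    No client certificate is loaded: the client proves nothing with a certificate,
    it only verifies the server's chain. With cafile=None the platform trust store
    is used (on Windows that is the Trusted Root Certification Authorities store
    the answers above refer to); pass cafile to pin trust to a single CA bundle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the floor the first question asks for
    if cafile is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def make_unverified_context():
    """The weak variant: accepts any certificate from anyone. Shown only for contrast;
    it turns TLS into encryption with an unauthenticated peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """Small dict describing the security-relevant settings of a context."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
    }


def fetch_server_certificate(host, port=443, cafile=None, timeout=10):
    """Complete a TLS handshake as a pure client (no client cert) and report the
    negotiated protocol plus issuer and subject of the certificate the server sent.
    Raises ssl.SSLCertVerificationError if the chain does not lead to a trusted root."""
    ctx = make_server_auth_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            negotiated = tls.version()
    # getpeercert() returns RDNs as tuples of (name, value) pairs; flatten them.
    return {
        "protocol": negotiated,
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
        "subject": dict(rdn[0] for rdn in cert["subject"]),
    }


if __name__ == "__main__":
    # Placeholder host; substitute the endpoint you need to validate.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print("hardened:", context_summary(make_server_auth_context()))
    print("weak:    ", context_summary(make_unverified_context()))
    print(fetch_server_certificate(host))
```

Running it against an endpoint prints the issuer chain's leaf details; if the root is not in the trust store the handshake fails with a verification error rather than silently connecting, which is the behaviour you want a client to have.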

Configure Transport Level Security over tcp in a cross domain environment

I'm trying to implement transport level security for WCF services.
My application architecture is as follows:
WCF service is hosted as windows service in domainA.
Client is a WinForms application in DomainB.
Since it's a cross domain scenario, I have to use certificates for authenticating client and service so they can establish a secure connection.
My understanding is I need 3 certificates to achieve this:
1. Service certificate - authenticates the service to the client. Should be installed in Local Machine --> Trusted Root Certificates store on the service machine.
2. Certificate authority - a certificate that can be used to issue user-specific certificates. Where should this one be installed? Service or client machine?
3. User certificate. Should be installed in Current User --> Trusted Root Certificates on the client machine.
I couldn't find any examples on the web that use certificate authentication over the tcp protocol.
I could only find https examples with services hosted in IIS.
Any reference to a tcp scenario is greatly appreciated.
Are my assumptions correct?
Where should I install the Certificate Authority certificate (item 2)?
Are there other, easier approaches besides using certificates to accomplish transport level security over tcp in a cross domain environment?
Thank you in advance.

I'm building a SFTP/FTPS plugin for my app that can login to FTPS or SFTP servers. What authentication properties are different for FTPS and SFTP?

My application needs to access files from a remote FTPS or SFTP server depending on what my app user wants to connect to. I need to be able to access file content in a folder or create a folder.
1) What login properties differ for an FTPS and SFTP server that a user must enter?
2) Is there any way I can detect if it is an SFTP or FTPS server?
SFTP doesn't have any authentication. SFTP protocol is supposed to be used over SSH connection, thus it relies on SSH for authentication. So all authentication mechanisms of SSH apply. The list of such mechanisms is extensive - you can authenticate using password, a private key ("public-key authentication"), X.509 certificate (not a popular option), keyboard-interactive (challenge-response) dialog, also via GSS-API you can use Kerberos and possibly other mechanisms. FTPS as FTP-over-TLS can also use various mechanisms. FTP uses username/password by default, but potentially one can implement some tricky mechanisms using SITE command. TLS protocol includes client-side authentication using X.509 certificates, pre-shared symmetric keys, plain PKI keys, OpenPGP keys.
SFTP and FTP/FTPS are completely different protocols. Servers run on different ports. If you want to implement protocol autodetection, you can try the following: connect to the server, and if it sends a welcome SSH message within 200-500 ms, you know that it's an SSH (and potentially SFTP) server. If it sends a welcome FTP message, it's an FTP server (this includes explicit TLS mode of FTPS). If it sends nothing, then it can be a TLS server and you can have implicit FTPS over this connection.
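The autodetection the answer describes can be written as a small banner probe: connect, wait a few hundred milliseconds for whatever the server volunteers, and classify it. The script below is an added example, not code from the answer or from any library; it implements that first stage only (it does not go on to attempt a TLS handshake on silence), and ships with a constructed loopback server so it runs offline. Real hosts and ports are whatever you plug into detect_protocol.

```python
import socket
import threading

# The answer above suggests waiting 200-500 ms for a greeting; use the upper bound.
BANNER_WAIT_SECONDS = 0.5


def classify_banner(data):
    """Map the first bytes a server volunteers (or its silence) to a protocol guess."""
    if not data:
        # Silence: the server expects the client to speak first. That is how a TLS
        # handshake begins, so this may be implicit FTPS (or any other TLS service).
        return "silent (possibly implicit FTPS / TLS)"
    if data.startswith(b"SSH-"):
        # SSH identification string, e.g. "SSH-2.0-OpenSSH_9.6"; SFTP rides on SSH.
        return "ssh (SFTP possible)"
    first_line = data.split(b"\r\n", 1)[0]
    # FTP greets with a three-digit reply code, normally "220 ..." (or "220-" multi-line).
    if len(first_line) >= 4 and first_line[:3].isdigit() and first_line[3:4] in (b" ", b"-"):
        return "ftp (explicit FTPS via AUTH TLS possible)"
    return "unknown"


def detect_protocol(host, port, wait=BANNER_WAIT_SECONDS):
    """Connect, wait briefly for a server greeting, and classify what arrived.
    A slow server looks silent; raise `wait` if you see false TLS guesses."""
    with socket.create_connection((host, port), timeout=wait) as sock:
        sock.settimeout(wait)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
    return classify_banner(data)


def serve_banner_once(banner):
    """Constructed stand-in server for offline testing: listens on a loopback port,
    accepts one connection, sends `banner` (nothing if empty) and returns the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def handle():
        conn, _ = listener.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            try:
                conn.recv(1)  # hold the connection open until the client hangs up
            except OSError:
                pass
        listener.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed greetings modelled on real servers; nothing leaves loopback.
    for banner in (b"SSH-2.0-OpenSSH_9.6\r\n", b"220 FTP server ready\r\n", b""):
        port = serve_banner_once(banner)
        print(f"{banner!r:32} -> {detect_protocol('127.0.0.1', port)}")
```

The silent case is deliberately reported as a guess: any TLS service, not only implicit FTPS, waits for the client's ClientHello, so the next step for a real client is to attempt a TLS handshake with a verifying context and only then speak FTP.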

How to implement secure client-server communication over https using python and m2crypto?

I want to secure the communication between a server and multiple clients.
The communication goes this way:
The client connects to a specific page at the server and checks for a software version.
If the version on the client is not the latest, the client connects to a specific page and downloads the software update.
I want to secure the 3rd part, so this connection must be over https. What I have done is to install m2crypto on the client and the server and, with a python script, generate a pair of private/public keys.
The point is for the server to use the client's public key to sign the data to send.
How do I configure my server (apache) so that the connection is over https?
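The question has no answer on the page, so here is the client half of the flow it describes, as an added Python example that uses only the standard library (not m2crypto, and not the asker's script): the version page and the update are fetched over HTTPS with server-certificate and hostname verification, and the downloaded bytes are accepted only if their SHA-256 matches the digest published in the version manifest. The manifest format, the host names and the payload are constructed for this example. A digest published over a verified HTTPS channel gives integrity against a tampered download; it is not a signature, and a detached signature (made with the publisher's private key, checked with its public key) would be the next step and is not shown here.

```python
import hashlib
import hmac
import json
import ssl
import urllib.request

# --- constructed sample data for offline use (not from the question) ---
MANIFEST_URL = "https://updates.example.invalid/latest.json"   # placeholder host
EXAMPLE_PAYLOAD = b"constructed update bytes for version 1.1.0"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def example_pages():
    """What the two server pages would return: a JSON manifest and the update itself."""
    manifest = {
        "version": "1.1.0",
        "url": "https://updates.example.invalid/app-1.1.0.bin",
        "sha256": sha256_hex(EXAMPLE_PAYLOAD),
    }
    return {MANIFEST_URL: json.dumps(manifest).encode("utf-8"),
            manifest["url"]: EXAMPLE_PAYLOAD}


def make_offline_fetch(pages):
    """Fetcher that serves the constructed pages instead of touching the network."""
    def fetch(url):
        if url not in pages:
            raise LookupError(url)
        return pages[url]
    return fetch


def https_fetch(url, timeout=30):
    """Real fetcher: HTTPS only, with server-certificate and hostname verification."""
    if not url.lower().startswith("https://"):
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system trust store
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def parse_version(text):
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_for_update(current_version, manifest_url=MANIFEST_URL, fetch=https_fetch):
    """Step 1: read the version page; return the manifest if it is newer, else None."""
    manifest = json.loads(fetch(manifest_url).decode("utf-8"))
    if parse_version(manifest["version"]) > parse_version(current_version):
        return manifest
    return None


def payload_matches(data, expected_sha256_hex):
    """Constant-time comparison of the downloaded bytes against the published digest."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


def download_update(manifest, fetch=https_fetch):
    """Step 2: download the update and refuse it unless it matches the manifest digest."""
    data = fetch(manifest["url"])
    if not payload_matches(data, manifest["sha256"]):
        raise ValueError("update payload does not match the published SHA-256; discarded")
    return data


if __name__ == "__main__":
    fetch = make_offline_fetch(example_pages())
    newer = check_for_update("1.0.0", fetch=fetch)
    print("update available:", newer["version"] if newer else None)
    print("downloaded", len(download_update(newer, fetch=fetch)), "verified bytes")
```

Swap make_offline_fetch for the default https_fetch to run it against a real server; because https_fetch builds its context with ssl.create_default_context(), an Apache vhost whose certificate is not trusted by the client's store fails the fetch instead of delivering an unverified update.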

WCF Transport security over NetTcpBinding and NTLM: is server certificate needed for encryption?

WCF Transport security over NetTcpBinding is based on TLS-over-TCP. In my understanding TLS-over-TCP needs a certificate for TLS handshaking to exchange a shared secret.
While in a Windows workgroup, NTLM provides a mechanism to exchange a shared secret based on user credentials.
My question is: when the following is used:
security mode: Transport
clientCredentialType="Windows"
NetTcpBinding
in Windows workgroup environment (NTLMv2 is used?)
is a server certificate needed for encryption?
Please also point out if my understanding is incorrect. Additional reading links are appreciated too.
Yes, you must have a server certificate.
NTLMv2 will protect the credentials, but the HTTP "session" is easily hijacked and also used to attack other systems, via NTLM relay.
