Do I have to have a secret key added to my login form for encrypted authentication since I have a 2048-bit Certificate? How secure is that with/without it?
Only if you perform the encryption yourself. If you use SSL or a container such as CMS (Cryptographic Message Syntax), then the secret key is generated by the framework. You do need some session secret key to encrypt data such as forms.
Related
I'm new to spring cloud.
The user can able to decrypt when encrypted value passes in the decrypt post API. Even a normal developer can able to decrypt the encrypted value using decrypt post API. So this is not secure.
Is there any alternative for this?
I meant the secret is need to pass with decrypt post API. Then it can decrypt only who know the encrypt key and encrypted value.
Is this possible? This is my suggestion only.
I am facing a dilema.
I am using Asp.Net identity on a client-server app to store user accounts, roles and passwords. Just to avoid boilerplate and don't reinvent the wheel.That works.
However, I want to validate a remote client. I don't want to transmit the password by the wire, so I want to encode/hash it too and retrieve an access token.
The hashing mechanism in Asp.Net uses a random salt, included in the "PasswordHash" field in AspNetUsers table, among with the encryption algorithm, salt, version and etc.
Are there any suggestions on how to securely validate the client password? Maybe to extract the salt on the server to send/reencode the password on the client or something alike?
Server: Saved hash
Client: Password to hash/encrypt and send to server
Need to: Validate password securely
During Authentication, Validation of passwords should be done on server-side. Validate Generated Hash with Stored Hash.
To validate a password, I would try to do following steps on server.
1) Send the password from Client to Server over Https/SSL
2) Retrieve the User's Salt and Hash from the database.
3) Generate a Hash from User's Password and Stored Salt.
4) Compare the hash from database with generated Hash.
Reference: https://crackstation.net/hashing-security.htm
I'm currently building my web application with identity server 4. I dynamically create clients with a secret generated with Sha256() method of identityserver 4.
However, i'm worrying that when i will renew or change my certificate all those secret will be invalidate which will pose a serious problem.
Are SHA256 linked with the certificat ? Or only Token will be invalidate?
Thanks!
No, the signing credential used for token signing and validation has nothing to do with the hashing of secrets.
I want to make my ASP.Net site authentication seamless using Ajax call.
So I consider using client side authentication service of microsoft that should be used via HTTPS because it sends username and password in plain-text format.
And the problem is that I can't use SSL in my site.
So I found a way to hash data before passing to web service that is described here
but the problem is there is a salt in DB that should passed to client for creating hashed password (that equals to DB saved password). and this is not safe.
Is there a better way for doing that?
I found a way.
We will use RSA for encrypting username ans password.
in summery I'll have a web service that creates RSA keypair and save it (this key will be regenerated every day to be more secure).
I will have a textbox or hidden field that calls this service and get the public key.
the for encrypt username and password with jCryption library client side and pass this to my authentication service using ajax call.
so the server will decrypt them with private key and the authenticate user.
I found a way.
Check this out: Secure AJAX Authentication without SSL
Just in case you were looking for an ASP.NET version of jCryption for bi-directional communication, which you mentioned you tried, you can find one on GitHub here: jCryptionNET
I am implementing payment gateways and I need to protect its key and password for security reason. Also some web-services keys and password in ASP.NET.
Any ideas on how to implement them?
You can encrypt/decrypt using RSA Encryption.
It's a secure way and uses asymmetric cryptography.
In JavaScript you can use RSA In JavaScript by ohdave
And in ASP.NET you can use this implementation