
Implementing .net RSA on the server *and* JavaScript RSA on the client

gg
I'm currently trying to strengthen up the security on a large ASP.NET
application (a web content management system). The primary objective is to
prevent people from eavesdropping for passwords and other sensitive
information, with a secondary objective of preventing Harry the Hacker from
having his (her) evil way.

Logging on is secured by never storing the passwords in plain text and using
a combination of MD5 hashes for the user/password, and a single-use token to
'salt' the resultant hash. This is secure as the password (or its hash) is
completely obscured by the salt.

The next step -- and I'm *really* surprised that *everyone* doesn't do this
-- is to prevent 'Evil Eve' from listening in to the network when the
passwords and other sensitive information are passed from the client back to
the server. At this point I should point out that SSL isn't an option
because of its cost. The application is aimed at small businesses who baulk
at the thought of paying $400/year for a certificate (it's hard enough
getting $500 out of them for the website!). Also it is often not possible to
implement SSL on public shared web servers.

The way I propose this to work is as follows:

1) The server creates a RSACryptoServiceProvider object and keeps this as an
application variable. When the object is created, it creates the public and
private keys.

2) When the user requests the form to change a password, the form is
rendered with a JavaScript RSA implementation and with the *public* keys
embedded in the form (probably in the onSubmit event). Note that Java or
ActiveX is absolutely out of the question, therefore I can only implement
RSA on the client in JavaScript.

3) On the client, the user fills in the form and the onSubmit event takes
the variables and encrypts them using the JavaScript RSA implementation using
the supplied public keys. The existing form fields are cleared (don't want
the plain text information being passed over!). The RSA encrypted field is
sent back to the server.

4) On the server the RSACryptoServiceProvider object is called to decrypt
the data sent from the client using the *private* keys.

5) Voila!

The strength of this is based on RSA and the fact that you can't break 1024
bit encryption (without an enormous effort). Although it will take a couple
of seconds to encrypt the data on the client, this doesn't matter.

Having hunted around the internet, I keep drawing a blank here. There are
several implementations of RSA on JavaScript, but none of them are compatible
with the RSACryptoServiceProvider object. The bottom line is there's some
enormous numbers involved here (1024 bits worth!), so there's a shed load of
scary maths involved.

I would *really* appreciate it if someone could point me in the direction of
a JavaScript RSA implementation that works *with* the .net
RSACryptoServiceProvider object.

Oh, as a footnote, I'm really surprised that this isn't a common
requirement. It seems so obvious and so cheap; well it would be if I could
get the damn thing working!
TIA,
Glenn
Nov 18 '05 #1
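
One interoperability requirement behind the question above, shown as an added example that is not part of the original post: RSACryptoServiceProvider.Decrypt expects PKCS#1 v1.5 (or OAEP) padded input, so a client that performs only the bare modular exponentiation produces ciphertext the server rejects. The key is a constructed toy key and every function name here is illustrative.

```javascript
// Added example: PKCS#1 v1.5 (type 2) encryption padding over BigInt RSA.
// Constructed toy key from two Mersenne primes: trivially factorable, demo only.
const P = 2n ** 521n - 1n, Q = 2n ** 607n - 1n;
const N = P * Q, E = 65537n;
const K = Math.ceil(N.toString(2).length / 8); // modulus length in bytes

function modPow(base, exp, mod) { // square-and-multiply
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

function modInverse(a, m) { // extended Euclid; invariant: r ≡ s·a (mod m)
  let [r0, r1, s0, s1] = [m, a % m, 0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  return ((s0 % m) + m) % m;
}
const D = modInverse(E, (P - 1n) * (Q - 1n)); // private exponent

// Big-endian octet string <-> integer conversions.
const toBig = (bytes) => bytes.reduce((acc, b) => (acc << 8n) | BigInt(b), 0n);
const toBytes = (x, len) =>
  Array.from({ length: len }, (_, i) => Number((x >> BigInt(8 * (len - 1 - i))) & 0xffn));

function pkcs1Pad(msg, k, rng) { // EM = 00 || 02 || PS || 00 || M
  if (msg.length > k - 11) throw new RangeError("message too long for this key");
  // PS must contain no zero byte; zeros are mapped to 1 here for brevity.
  const ps = Array.from(rng(k - 3 - msg.length), (b) => (b === 0 ? 1 : b));
  return [0x00, 0x02, ...ps, 0x00, ...msg];
}

function pkcs1Unpad(em) {
  const sep = em.indexOf(0x00, 2); // separator must follow at least 8 PS bytes
  if (em[0] !== 0x00 || em[1] !== 0x02 || sep < 10) throw new Error("decryption error");
  return em.slice(sep + 1);
}

// rng is injectable so the padding can be made deterministic in tests.
function encrypt(msg, rng = (n) => crypto.getRandomValues(new Uint8Array(n))) {
  return toBytes(modPow(toBig(pkcs1Pad(msg, K, rng)), E, N), K);
}
function decrypt(ct) {
  return pkcs1Unpad(toBytes(modPow(toBig(ct), D, N), K));
}
```

Encrypting to a public key delivered in the same unauthenticated page only resists passive eavesdropping; nothing in the exchange lets the browser verify that the script or the key came from the server.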