
C# web service password in the request to be encrypted

I am working on the web service. A user is going to be able to create a user account using a form on a different asp.net project. So when the user enters the password information I need to store that encrypted in a database. But now when the user sends the user credentials through for a web service then I need the user to send that password encrypted for security purposes.

Now how can we both have the same encryption procedure so that I will be able to validate the request?

What you want is to use an HTTPS connection to transfer the password from the user to the server safely. Here is the explanation on how to set up the development environment with IIS for HTTPS - scottgu link.

HTTPS protocol will handle the encryption and decryption and you just deal with the plain-text password on the server-side.

After that, on the server side, you compute the hash of the password and compare it to the hash stored in the database. Standard ASP.NET SQL membership provider can be used for this.

There is a good explanation from Jeff Atwood on the problems behind storing and hashing passwords - coding horror link.

You can encrypt the info you need using System.Security.Cryptography.

have a look at the below:

http://jakkaj.wordpress.com/2007/10/27/encrypting-and-securing-web-service-traffic-without-ssl/

Bear in mind that anything you do to provide "encryption" that isn't using SSL/TLS is likely to be vulnerable.

If the user's browser in any way knows how to encrypt your password then you kind of lose the point and a smart hacker could extract that encryption.

Using SSL to pass information directly to your application is essentially doing what you're asking and is the accepted secure way to receive the password. You will just have to check against your encrypted version in the database.

Your app receives the password raw (browser and server have taken care of encrypt/decrypt), then your app encrypts it and looks in the database for a match.

The other way this is done with web services is using a single login step that returns an expiring token which is used for further communication. OAuth is the most popular so do some googling on that.
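The server-side step that both the first and the last answers describe (receive the plain-text password over HTTPS, hash it, compare against the stored value) looks like this in C#. This is an added example, not code from any of the answers; it assumes .NET Core 2.1 or later (for RandomNumberGenerator.Fill and CryptographicOperations.FixedTimeEquals) and uses PBKDF2 via Rfc2898DeriveBytes with a per-user random salt. The stored record format "iterations.salt.hash" and the iteration count are choices made for this example, not something the answers specify.

```csharp
using System;
using System.Security.Cryptography;

// Added example: server-side password hashing with PBKDF2 (Rfc2898DeriveBytes),
// a per-user random salt, and a constant-time comparison at login.
// Assumes .NET Core 2.1+ / .NET 5+ for RandomNumberGenerator.Fill and
// CryptographicOperations.FixedTimeEquals.
public static class PasswordHasher
{
    private const int SaltSize = 16;        // 128-bit salt
    private const int HashSize = 32;        // 256-bit derived key
    private const int Iterations = 600_000; // example value; tune to ~100 ms on your server

    // Returns a self-describing record "iterations.salt.hash" (Base64 fields).
    // This record, not the password, is what gets written to the database.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);

        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        byte[] hash = kdf.GetBytes(HashSize);

        // Base64 never contains '.', so it is safe as the field separator.
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Recomputes the hash from the stored salt and iteration count and compares
    // in constant time so timing differences do not reveal how many bytes matched.
    public static bool VerifyPassword(string password, string storedRecord)
    {
        string[] parts = storedRecord.Split('.');
        if (parts.Length != 3) return false;

        if (!int.TryParse(parts[0], out int iterations) || iterations <= 0) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);

        using var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256);
        byte[] actual = kdf.GetBytes(expected.Length);

        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample password; in the real service it arrives in the
        // request body over HTTPS and is never stored or logged in plain text.
        string record = PasswordHasher.HashPassword("correct horse battery staple");
        Console.WriteLine("Stored record: " + record);

        Console.WriteLine("Correct password accepted: " +
            PasswordHasher.VerifyPassword("correct horse battery staple", record));
        Console.WriteLine("Wrong password accepted: " +
            PasswordHasher.VerifyPassword("wrong password", record));
    }
}
```

Because the iteration count is stored alongside each hash, it can be raised later for new accounts without invalidating existing records; a user's record is simply rehashed with the new count at their next successful login.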
