Seeking Advice on RSA

I'm working on a project that uses a combination of an ASP .Net 1.1 application, and a C# .Net 1.1 forms application to securely get data from a server to the client.

The way I have it working now is the C# app posts a request (using HttpWebRequest) that includes a command (that tells the server what data the client wants), an RSA public key, and specific user data for authentication. This information is in the Query String.

On the server, the .aspx form that receives this data first checks the user data for authentication. If the user data is authenticated, it then checks the command that was sent by the client. It then responds with XML data that contains the requested data which is encrypted (using Rijndael), and the needed RSA encrypted Key and IV to decrypt the data. The Key and IV are encrypted using the RSA public key sent by the client in the query string.

The client then of course receives the xml data, decrypts the RSA encrypted Key and IV, and then decrypts the Rijndael encrypted data.

I was hoping to get anyone's opinion on this method. Is there perhaps a better way for the client to send the public key from the client to the server? Is there a way to make the data more secure? Are there any other thoughts on my process?

Thanks in advance for your comments.

It seems to me that you have handcrafted a "service" (providing data in xml-format) with this asp.net application. In addition - you are using a certificate to authenticate the application (not the user)? You are sending a public key to the webapp to authenticate the app + some sort of user data to authenticate him as well?

If I've understood this correctly - then I would without a shadow of a doubt go for a WCF service instead. This allows you to specify a series of certificates on the server side for "accepted" client certificates. In addition - this (WCF) handles out-of-the-box everything related to authentication, (authorization) and encryption.

--
rgds.
/Claus Konrad

"ed" wrote:
> I'm working on a project that uses a combination of an ASP .Net 1.1
> application, and a C# .Net 1.1 forms application to securely get data from a
> server to the client.
>
> The way I have it working now is the C# app posts a request (using
> HttpWebRequest) that includes a command (that tells the server what data the
> client wants), an RSA public key, and specific user data for authentication.
> This information is in the Query String.
>
> On the server, the .aspx form that receives this data first checks the user
> data for authentication. If the user data is authenticated, it then checks
> the command that was sent by the client. It then responds with XML data that
> contains the requested data which is encrypted (using Rijndael), and the
> needed RSA encrypted Key and IV to decrypt the data. The Key and IV are
> encrypted using the RSA public key sent by the client in the query string.
>
> The client then of course receives the xml data, decrypts the RSA encrypted
> Key and IV, and then decrypts the Rijndael encrypted data.
>
> I was hoping to get anyone's opinion on this method. Is there perhaps a
> better way for the client to send the public key from the client to the
> server? Is there a way to make the data more secure? Are there any other
> thoughts on my process?
>
> Thanks in advance for your comments.

If you insist on sticking to .NET 1.1, you might want to take a look at asmx webservices in combination with WSE 2.0 (SP3). Web Service Enhancements (WSE) allows for a great deal of authentication mechanisms as well as signature options.

--
rgds.
/Claus Konrad
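
The exchange described in the original post, sketched end to end as an added example (not code from the thread or from any poster). The class and method names are hypothetical, the payload is constructed sample data, and OAEP padding is this example's choice, since the thread does not say which RSA padding is used.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added illustration; names are hypothetical and the payload is constructed.
class HybridExchangeDemo
{
    // Server side: encrypt the payload under a fresh Rijndael key/IV, then
    // wrap the key and IV with the RSA public key the client sent.
    static void ServerEncrypt(string clientPublicKeyXml, byte[] payload,
        out byte[] wrappedKey, out byte[] wrappedIv, out byte[] cipherText)
    {
        RijndaelManaged aes = new RijndaelManaged();   // random Key and IV per response
        MemoryStream ms = new MemoryStream();
        CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write);
        cs.Write(payload, 0, payload.Length);
        cs.FlushFinalBlock();                          // emits the final padded CBC block
        cipherText = ms.ToArray();
        RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
        rsa.FromXmlString(clientPublicKeyXml);         // public parameters only
        wrappedKey = rsa.Encrypt(aes.Key, true);       // true = OAEP padding
        wrappedIv = rsa.Encrypt(aes.IV, true);
    }

    // Client side: unwrap the key and IV with the private key, then decrypt.
    static byte[] ClientDecrypt(RSACryptoServiceProvider clientRsa,
        byte[] wrappedKey, byte[] wrappedIv, byte[] cipherText)
    {
        RijndaelManaged aes = new RijndaelManaged();
        aes.Key = clientRsa.Decrypt(wrappedKey, true);
        aes.IV = clientRsa.Decrypt(wrappedIv, true);
        MemoryStream ms = new MemoryStream();
        CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write);
        cs.Write(cipherText, 0, cipherText.Length);
        cs.FlushFinalBlock();                          // throws on bad padding
        return ms.ToArray();
    }

    static void Main()
    {
        RSACryptoServiceProvider clientRsa = new RSACryptoServiceProvider(2048);
        string publicKeyXml = clientRsa.ToXmlString(false);   // false = no private key
        byte[] key, iv, ct;
        ServerEncrypt(publicKeyXml, Encoding.UTF8.GetBytes("<data>constructed sample</data>"),
            out key, out iv, out ct);
        Console.WriteLine(Encoding.UTF8.GetString(ClientDecrypt(clientRsa, key, iv, ct)));
    }
}
```

This mirrors the scheme as posted and gives confidentiality only: the public key in the request is not authenticated, and the CBC ciphertext carries no integrity check.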