"Jason" <JasonJason@nospam.nospam> wrote in message
news:%23Ei6i80kHHA.4312@TK2MSFTNGP02.phx.gbl...
> OK, go easy, I'm a crypto-newbie, and also not sure if this is the right
> group for this posting.
>
> Here's the scenario:
>
> I have a web site and want business partners to be able to link to my web
> site from theirs, so I provide them the html syntax they can put on their
> site to link to an .aspx page on mine.
>
> If a user is signed on their site, I want that user to be signed on on my
> site, so these corporate partners also have the option of sending
> additional information in the querystring of this link that relays
> information about the user currently logged in at their site (user id,
> name, etc.).
>
> e.g. href='http://www.abc.com/target.aspx?id=123456&username=jason'
>
> I want this information to be encrypted so it is secure
>
> e.g. href='http://www.abc.com/target.aspx?id=h5gv2k&username=e6fy1'
>
> When my target.aspx page gets the request, I can look for the querystring
> parameters (username, id, etc.), decrypt the values, and take some action.
>
> Here's my approach:
>
> After doing some reading, it seems like public-key encryption is the way
> to go. I would provide a public key for each corporate partner to use for
> encrypting these values, and retain a private key for each partner that I
> could use to decrypt the data in the code behind my target.aspx page.
>
> To do this, I'd use either the DSACryptoServiceProvider class or the
> RSACryptoServiceProvider class.
>
> So I have some questions:
>
> 1. Will my corporate partners be able to encrypt their data using the RSA
> (or DSA) library of their choosing?
>
> 2. Must they use the same certain version to encrypt the text as I'll be
> using to decrypt the text? A platform-specific version?
>
> 3. Which of these is the better choice?
>
> 4. Any gotchas I should be aware of (certificates that need to be
> installed on the server, etc.)?
>
> and finally, to keep an open mind,
>
> 5. Is there a better way to solve this need?
>
>
> TIA,
>
> /jason
>

"Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in message
news:OzrAYQ4kHHA.208@TK2MSFTNGP05.phx.gbl...
> You are trying to create the equivalent of a federated identity management
> using a custom protocol of your own design.  You would be much more well
> suited using one of the standards-based protocols for implementing
> federated identity such as WS-Federation or SAML 2.0.  WS-Federation is
> the protocol used by Microsoft's ADFS system and is what I would recommend
> here. However, it does place demands on your partners to implement ADFS on
> their side as well.
>
> ADFS does give you a secure, standards-based way of transferring identity
> between partner organizations though with a lot more flexibility than the
> system you have suggested.
>
> That said, encryption isn't really as important here as tamper resistance.
> Essentially, your key goal is to ensure that an end user can't just type
> whatever they want for the user name.  You want to ensure that the value
> was generated by something you trust.
>
> You generally do this with a digital signature or message authentication
> code (MAC).  They are similar, but signatures typically use public/private
> keys where as MACs use symmetric keys.  Symmetric crypto is usually easier
> to code than asymmetric, but the down side is that you need to exchange a
> symmetric key.
>
> Note that if you want any of this to be secure, you need to combine this
> with SSL.  Whether or not you encrypt or sign the value representing the
> username, if someone else can see the query string, they can steal it and
> impersonate the user.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Jason" <JasonJason@nospam.nospam> wrote in message
> news:%23Ei6i80kHHA.4312@TK2MSFTNGP02.phx.gbl...
>> OK, go easy, I'm a crypto-newbie, and also not sure if this is the right
>> group for this posting.
>>
>> Here's the scenario:
>>
>> I have a web site and want business partners to be able to link to my web
>> site from theirs, so I provide them the html syntax they can put on their
>> site to link to an .aspx page on mine.
>>
>> If a user is signed on their site, I want that user to be signed on on my
>> site, so these corporate partners also have the option of sending
>> additional information in the querystring of this link that relays
>> information about the user currently logged in at their site (user id,
>> name, etc.).
>>
>> e.g. href='http://www.abc.com/target.aspx?id=123456&username=jason'
>>
>> I want this information to be encrypted so it is secure
>>
>> e.g. href='http://www.abc.com/target.aspx?id=h5gv2k&username=e6fy1'
>>
>> When my target.aspx page gets the request, I can look for the querystring
>> parameters (username, id, etc.), decrypt the values, and take some
>> action.
>>
>> Here's my approach:
>>
>> After doing some reading, it seems like public-key encryption is the way
>> to go. I would provide a public key for each corporate partner to use for
>> encrypting these values, and retain a private key for each partner that I
>> could use to decrypt the data in the code behind my target.aspx page.
>>
>> To do this, I'd use either the DSACryptoServiceProvider class or the
>> RSACryptoServiceProvider class.
>>
>> So I have some questions:
>>
>> 1. Will my corporate partners be able to encrypt their data using the RSA
>> (or DSA) library of their choosing?
>>
>> 2. Must they use the same certain version to encrypt the text as I'll be
>> using to decrypt the text? A platform-specific version?
>>
>> 3. Which of these is the better choice?
>>
>> 4. Any gotchas I should be aware of (certificates that need to be
>> installed on the server, etc.)?
>>
>> and finally, to keep an open mind,
>>
>> 5. Is there a better way to solve this need?
>>
>>
>> TIA,
>>
>> /jason
>>
>
>

"Jason" <JasonJason@nospam.nospam> wrote in message
news:%23aOjPOAlHHA.1340@TK2MSFTNGP04.phx.gbl...
> Thanks Joe,
>
> I'm not familiar with MACs or digital signatures, but I definitely want to
> know that the request is coming from a trusted source.
>
> How would the MAC or signature be transmitted to my site?
>
> Would it be acceptable to have the partner encrypt the MAC with the
> symmetric key and send it in the querystring as well?
>
>
> /jason
>
>
> "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in message
> news:OzrAYQ4kHHA.208@TK2MSFTNGP05.phx.gbl...
>> You are trying to create the equivalent of a federated identity
>> management using a custom protocol of your own design.  You would be much
>> more well suited using one of the standards-based protocols for
>> implementing federated identity such as WS-Federation or SAML 2.0.
>> WS-Federation is the protocol used by Microsoft's ADFS system and is what
>> I would recommend here. However, it does place demands on your partners
>> to implement ADFS on their side as well.
>>
>> ADFS does give you a secure, standards-based way of transferring identity
>> between partner organizations though with a lot more flexibility than the
>> system you have suggested.
>>
>> That said, encryption isn't really as important here as tamper
>> resistance. Essentially, your key goal is to ensure that an end user
>> can't just type whatever they want for the user name.  You want to ensure
>> that the value was generated by something you trust.
>>
>> You generally do this with a digital signature or message authentication
>> code (MAC).  They are similar, but signatures typically use
>> public/private keys where as MACs use symmetric keys.  Symmetric crypto
>> is usually easier to code than asymmetric, but the down side is that you
>> need to exchange a symmetric key.
>>
>> Note that if you want any of this to be secure, you need to combine this
>> with SSL.  Whether or not you encrypt or sign the value representing the
>> username, if someone else can see the query string, they can steal it and
>> impersonate the user.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> "Jason" <JasonJason@nospam.nospam> wrote in message
>> news:%23Ei6i80kHHA.4312@TK2MSFTNGP02.phx.gbl...
>>> OK, go easy, I'm a crypto-newbie, and also not sure if this is the right
>>> group for this posting.
>>>
>>> Here's the scenario:
>>>
>>> I have a web site and want business partners to be able to link to my
>>> web site from theirs, so I provide them the html syntax they can put on
>>> their site to link to an .aspx page on mine.
>>>
>>> If a user is signed on their site, I want that user to be signed on on
>>> my site, so these corporate partners also have the option of sending
>>> additional information in the querystring of this link that relays
>>> information about the user currently logged in at their site (user id,
>>> name, etc.).
>>>
>>> e.g. href='http://www.abc.com/target.aspx?id=123456&username=jason'
>>>
>>> I want this information to be encrypted so it is secure
>>>
>>> e.g. href='http://www.abc.com/target.aspx?id=h5gv2k&username=e6fy1'
>>>
>>> When my target.aspx page gets the request, I can look for the
>>> querystring parameters (username, id, etc.), decrypt the values, and
>>> take some action.
>>>
>>> Here's my approach:
>>>
>>> After doing some reading, it seems like public-key encryption is the way
>>> to go. I would provide a public key for each corporate partner to use
>>> for encrypting these values, and retain a private key for each partner
>>> that I could use to decrypt the data in the code behind my target.aspx
>>> page.
>>>
>>> To do this, I'd use either the DSACryptoServiceProvider class or the
>>> RSACryptoServiceProvider class.
>>>
>>> So I have some questions:
>>>
>>> 1. Will my corporate partners be able to encrypt their data using the
>>> RSA (or DSA) library of their choosing?
>>>
>>> 2. Must they use the same certain version to encrypt the text as I'll be
>>> using to decrypt the text? A platform-specific version?
>>>
>>> 3. Which of these is the better choice?
>>>
>>> 4. Any gotchas I should be aware of (certificates that need to be
>>> installed on the server, etc.)?
>>>
>>> and finally, to keep an open mind,
>>>
>>> 5. Is there a better way to solve this need?
>>>
>>>
>>> TIA,
>>>
>>> /jason
>>>
>>
>>
>
>

"Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in message
news:O86QOnAlHHA.3996@TK2MSFTNGP06.phx.gbl...
> Yes, you can do that.  Essentially, a MAC is a hash of some data that has
> been encrypted with a shared key.  To verify the MAC, the "other side"
> decrypts the encrypted hash and then recalculates the hash of the data
> that was provided (the username).  If the hashes match, then the data has
> not been tampered with.
>
> A digital signature is very similar technologically except that it uses an
> asymmetric key pair and generally includes a certificate of some sort so
> that you can verify the identity of the private key holder.  The verifier
> only has the public key (from the certificate), so they cannot actually
> generate the signature themselves, only verify.
>
> The .NET Framework has some nice support for MACs (check out the various
> HMAC classes).
>
> You could pass the MAC as a second query string parameter.  It is
> generally a blob of arbitrary binary, so you may need to base64 encode it.
>
> The main gotcha is that encryption and hashes are performed on binary
> data, not strings.  Strings exist as binary when they have been converted
> to binary by a specific binary encoding.  Thus, you need to use the same
> encoding on both ends.  Usually, you just want to use UTF8 to convert
> string -> binary.  You also need to be careful about any potential URL
> canonicalization issues (url encoding, weird unicode sequences, etc.).
> That can be a little tricky.  However, an 80% solution is probably easily
> doable.
>
> I still think you should use ADFS for this and not invent your own
> protocol, but suit yourself.  :)
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Jason" <JasonJason@nospam.nospam> wrote in message
> news:%23aOjPOAlHHA.1340@TK2MSFTNGP04.phx.gbl...
>> Thanks Joe,
>>
>> I'm not familiar with MACs or digital signatures, but I definitely want
>> to know that the request is coming from a trusted source.
>>
>> How would the MAC or signature be transmitted to my site?
>>
>> Would it be acceptable to have the partner encrypt the MAC with the
>> symmetric key and send it in the querystring as well?
>>
>>
>> /jason
>>
>>
>> "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote in message
>> news:OzrAYQ4kHHA.208@TK2MSFTNGP05.phx.gbl...
>>> You are trying to create the equivalent of a federated identity
>>> management using a custom protocol of your own design.  You would be
>>> much more well suited using one of the standards-based protocols for
>>> implementing federated identity such as WS-Federation or SAML 2.0.
>>> WS-Federation is the protocol used by Microsoft's ADFS system and is
>>> what I would recommend here. However, it does place demands on your
>>> partners to implement ADFS on their side as well.
>>>
>>> ADFS does give you a secure, standards-based way of transferring
>>> identity between partner organizations though with a lot more
>>> flexibility than the system you have suggested.
>>>
>>> That said, encryption isn't really as important here as tamper
>>> resistance. Essentially, your key goal is to ensure that an end user
>>> can't just type whatever they want for the user name.  You want to
>>> ensure that the value was generated by something you trust.
>>>
>>> You generally do this with a digital signature or message authentication
>>> code (MAC).  They are similar, but signatures typically use
>>> public/private keys where as MACs use symmetric keys.  Symmetric crypto
>>> is usually easier to code than asymmetric, but the down side is that you
>>> need to exchange a symmetric key.
>>>
>>> Note that if you want any of this to be secure, you need to combine this
>>> with SSL.  Whether or not you encrypt or sign the value representing the
>>> username, if someone else can see the query string, they can steal it
>>> and impersonate the user.
>>>
>>> Joe K.
>>>
>>> --
>>> Joe Kaplan-MS MVP Directory Services Programming
>>> Co-author of "The .NET Developer's Guide to Directory Services
>>> Programming"
>>> http://www.directoryprogramming.net
>>> --
>>> "Jason" <JasonJason@nospam.nospam> wrote in message
>>> news:%23Ei6i80kHHA.4312@TK2MSFTNGP02.phx.gbl...
>>>> OK, go easy, I'm a crypto-newbie, and also not sure if this is the
>>>> right group for this posting.
>>>>
>>>> Here's the scenario:
>>>>
>>>> I have a web site and want business partners to be able to link to my
>>>> web site from theirs, so I provide them the html syntax they can put on
>>>> their site to link to an .aspx page on mine.
>>>>
>>>> If a user is signed on their site, I want that user to be signed on on
>>>> my site, so these corporate partners also have the option of sending
>>>> additional information in the querystring of this link that relays
>>>> information about the user currently logged in at their site (user id,
>>>> name, etc.).
>>>>
>>>> e.g. href='http://www.abc.com/target.aspx?id=123456&username=jason'
>>>>
>>>> I want this information to be encrypted so it is secure
>>>>
>>>> e.g. href='http://www.abc.com/target.aspx?id=h5gv2k&username=e6fy1'
>>>>
>>>> When my target.aspx page gets the request, I can look for the
>>>> querystring parameters (username, id, etc.), decrypt the values, and
>>>> take some action.
>>>>
>>>> Here's my approach:
>>>>
>>>> After doing some reading, it seems like public-key encryption is the
>>>> way to go. I would provide a public key for each corporate partner to
>>>> use for encrypting these values, and retain a private key for each
>>>> partner that I could use to decrypt the data in the code behind my
>>>> target.aspx page.
>>>>
>>>> To do this, I'd use either the DSACryptoServiceProvider class or the
>>>> RSACryptoServiceProvider class.
>>>>
>>>> So I have some questions:
>>>>
>>>> 1. Will my corporate partners be able to encrypt their data using the
>>>> RSA (or DSA) library of their choosing?
>>>>
>>>> 2. Must they use the same certain version to encrypt the text as I'll
>>>> be using to decrypt the text? A platform-specific version?
>>>>
>>>> 3. Which of these is the better choice?
>>>>
>>>> 4. Any gotchas I should be aware of (certificates that need to be
>>>> installed on the server, etc.)?
>>>>
>>>> and finally, to keep an open mind,
>>>>
>>>> 5. Is there a better way to solve this need?
>>>>
>>>>
>>>> TIA,
>>>>
>>>> /jason
>>>>
>>>
>>>
>>
>>
>
>