How can I encrypt a user password in Silverlight?

I have a Silverlight 3 application that connects to a server to perform various actions. My users are logged in using forms authentication, but the actions they request are triggered on the server using the AppPool account, so in the audit logs they appear as the AppPool account. PCI DSS rules now require that the user's own identifier be in the audit logs, which means that the action must be performed using the user's credentials. Now, I can save the user's credentials when they log in and send them with each request, and the actions taken by the server can use those credentials. But the PCI regs say that if creds are saved, they must be encrypted (to avoid having someone take a memory dump on a PC and get a password).

The only way I can see to do this is to get a public key from the server, encrypt the password with it, send the encrypted password, and decrypt it on the server using the private key. But Silverlight does not have asymmetric cryptography.

I think I'm too close to the problem, and there should be a different solution, but I don't see what it is. Can anyone help?

EXPLANATIONS

This is an internal application. So far I have used IIS Forms AuthN over SSL against Active Directory. I am not worried about protecting the password in transit, only while it is stored in memory on the client. As far as I understand, since I use forms-based authentication, there can be no impersonation on the server unless I use LogonUser, which means that I need the password on the server, so I need to transfer it every time, so I need to hold it in the client, in memory, until the application closes.

+4
2 answers

Are you saying that you need to save the password for reuse in the Silverlight application? If you are worried about the password appearing in memory unencrypted in Silverlight, then I think you have problems.

The .NET platform has a SecureString class for exactly this purpose.

Unfortunately, Silverlight does not have this class. Therefore, even if you keep the logical store of the password encrypted, at some point your code will need to decrypt it before using it. At that point, memory containing the string in unencrypted form is allocated.

I don't know much about forms authentication, but if you can map the User principal to a domain user (which you think you need), you'll want to use impersonation when running your code on the server.

Alternatively, stop using forms authentication and use integrated Windows authentication, where you can definitely use server-side impersonation.

+1
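The two server-side points above (SecureString only helps if the plaintext window is kept short, and impersonation via LogonUser is what puts the user's name in the audit log) can be combined. The following is an added example, not code from the question or either answer: .NET Framework, Windows only, server side (Silverlight itself has no SecureString). It assumes the SecureString was filled character by character from the request rather than converted from an existing managed string.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;

static class ScopedImpersonation
{
    const int LOGON32_LOGON_NETWORK = 3;   // no interactive session needed for a service call
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Password is declared IntPtr so the marshaller never creates a managed string for it.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, IntPtr password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs `action` under the user's identity and reverts to the AppPool identity afterwards,
    // so anything the action writes to the audit log carries the user's own name.
    public static void RunAs(string domain, string user, SecureString password, Action action)
    {
        IntPtr plaintext = IntPtr.Zero, token = IntPtr.Zero;
        try
        {
            // The only window in which the password exists unencrypted is between these calls.
            plaintext = Marshal.SecureStringToGlobalAllocUnicode(password);
            bool ok = LogonUser(user, domain, plaintext,
                                LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
            Marshal.ZeroFreeGlobalAllocUnicode(plaintext);  // overwrite before anything else runs
            plaintext = IntPtr.Zero;
            if (!ok)
                throw new UnauthorizedAccessException(
                    "LogonUser failed: Win32 error " + Marshal.GetLastWin32Error());

            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
                action();  // WindowsIdentity.GetCurrent().Name is now DOMAIN\user here
        }
        finally
        {
            if (plaintext != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(plaintext);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

The unmanaged buffer is zeroed immediately after LogonUser returns, so a memory dump taken outside that window finds only the SecureString's protected bytes and the logon token, not the password.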

Encryption should never be used for passwords. When you encrypt something, it follows that there must be a way to decrypt it. For passwords, you always need to use one-way hashes. md5 and sha1 are too weak for any security system. Sha256 should be used, and in Silverlight this library will take care of it: http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256%28VS.95%29.aspx

In fact, storing passwords using "encryption" is recognized as the CWE-257 vulnerability family. Using a message digest is the ONLY way to securely store passwords. I didn't just make this up, it comes from NIST. There are many other password storage vulnerabilities. Here is the LIST that NIST compiled:

0

Source: https://habr.com/ru/post/1300758/