All geek questions in one place

What is the best way to encrypt on the Internet and decrypt on a private network?

I have a site with confidential information. I also have a private network (closed to the Internet) on which the data on my website is synchronized.

I have user accounts that access the website using the private identifier and password that they choose. And I want to know their passwords from the internal network (closed).

So, I was thinking about using two types of encryption. HASH (1-way) for login and authentication. And RSA (public key) for encrypting the password on my website and decrypting it using the private key in my private network.

I wanted to know if my method is sufficiently secure (or perhaps too secure?), Or is there a better option.

And also, which library should I use for RSA encryption?

Thanks in advance, Amir.

+4
source share
3 answers

You can use System.Security.Cryptography.RSACryptoServiceProvider both for encrypting the password for your private network, and for the hash function for authentication. An ordinary password encrypted with a public key should be as secure as any other native hash function (for example, SHA-1), although it will be slightly longer than the standard output of the hash function.

+2
source

I will not develop any proprietary security schemes if you do not need it. And at the moment there is no such thing as excessive protection, because any security scheme (including SSL) can be violated. Own mechanisms are generally considered less secure but more obscure, and often the people who write them believe that security from confusion gives them protection. But overall it is the other way around. Your own obscurity will not allow you to easily identify security holes, while someone who wants to access your data will have enough experience and knowledge to divide your security into parts.

  • If you have a web application, you must explicitly use SSL between users' servers and web browsers. It will protect (as much as possible) all communications between the browser and your web server. In your scenario, what prevents someone from simply sniffing out your hash and then using it to log in to someone else's account. If all you check is a hash, and all you ask is they just send it.

  • Once the data has returned to your server, it should be protected in the same way that you protect it on a public network. Keep in mind that more than 90% of security breaches (no, I don’t remember where I get the stat, but I read a lot on this topic) come from within your own company. Dissatisfied employees want to do more damage, or hackers break into the internal machine (possibly using social engineering, which is usually the weak point for most companies), and then find that you do not have protection inside your own network.

  • Are you absolutely sure that you need to store internal passwords? Generally, the only thing you need to store in your authentication database is password hashing (which also needs to be preloaded to make rainbow table attacks more complex). If your database is compromised and the hashes are stolen, it will still be very difficult to figure out what username passwords really are. Although I don’t care how most websites work, if I find that I am dealing with a company that has my confidential information and the password is stored in clear text, I usually take my business elsewhere.

0
source

You should be more visible: "I want to know their password"

After reading your question, I would say: if you use the web form for authentication and perform HTTP / HTTPS, I would put the reverse proxy to my WEB server and end the SSL connections there, after reading the HTTP traffic to clear the text and save the password. Please note that this has many ethical and confidential consequences.

0
source

Source: https://habr.com/ru/post/1382065/

More articles:


All Articles