WebApp Sec mailing list archives
Re: Securing password between webserver & appserver.
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Mon, 7 Sep 2009 21:59:55 +0530
Hey Chintan,

Yes, client-side certificates are possible, but a big pain if you have a large number of users to whom you have to distribute them, too.

However, I'm curious. A properly implemented salted hash solution, where the salt is randomly generated and matched on the server each time the client sends it, will prevent a lot of attacks. Note: the server decides the salt, not the client. So while I am not contesting your requirement and your reasons, I think that not much harm is done even if the webserver sees the salted-hashed password. It can't be cracked, it can't be replayed, so what's the problem? Am I missing something?

Cheers
Arvind

On Mon, Sep 7, 2009 at 11:34 AM, Chintan Oza <chintan.oza () gmail com> wrote:
> Dear All,
>
> We have a web application which performs user authentication on an id+password basis. The architecture is like this:
>
> Browser <-HTTPS-> WebServer <--> AppServer
>
> We have a requirement where the password should not be available to the WebServer (even in hashed format). The only solution that I can think of is having an Applet perform PKI encryption on the password before submitting the form.
>
> Please suggest if there are any better alternatives.
>
> Thanks,
> Chintan
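As an added illustration (not code from either poster), here is the kind of exchange Arvind describes: the app server picks a fresh random value per login attempt, the client answers with an HMAC keyed by a password-derived key, and the server accepts each challenge at most once. The names `AuthServer`, `client_response`, `demo`, the PBKDF2 parameters and the sample user are my assumptions, not anything from the thread. It also shows what a relaying web server (or anyone who captured the traffic there) can and cannot do with the response: replaying it against the same or a later challenge fails.

```python
import hashlib
import hmac
import os

# Assumed KDF parameters (not from the thread): PBKDF2-HMAC-SHA256 turns the
# password into a fixed-length key on both sides.
KDF_ITERATIONS = 100_000


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> key. Both client and server compute this the same way."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class AuthServer:
    """Stands in for the AppServer; the WebServer only relays its messages."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, verifier)
        self.pending: dict[str, bytes] = {}               # user -> outstanding nonce

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        # Note: the stored verifier is password-equivalent for this protocol,
        # so it must be protected as carefully as a password hash.
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str) -> tuple[bytes, bytes]:
        """Server-chosen random value ("the server decides the salt")."""
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce          # replaces any earlier challenge
        return salt, nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # Pop so the nonce is single-use: a replay of (nonce, response) fails.
        expected_nonce = self.pending.pop(username, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Browser side: the password never leaves the client, only this MAC does."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def demo() -> tuple[bool, bool, bool, bool]:
    """Constructed scenario: one honest login, then three attacks on what the
    web server saw. Returns (honest, replay_same_nonce, replay_new_nonce, wrong_pw)."""
    server = AuthServer()
    server.register("alice", "correct horse battery staple")   # constructed user

    salt, nonce = server.challenge("alice")
    resp = client_response("correct horse battery staple", salt, nonce)
    honest = server.verify("alice", nonce, resp)                 # True

    # Attacker holding the captured (nonce, resp) pair replays it verbatim.
    replay_same = server.verify("alice", nonce, resp)            # False: nonce consumed

    # Attacker waits for a new challenge and sends the old response.
    _, nonce2 = server.challenge("alice")
    replay_new = server.verify("alice", nonce2, resp)            # False: MAC over wrong nonce

    # Wrong password against a fresh challenge.
    salt3, nonce3 = server.challenge("alice")
    wrong_pw = server.verify("alice", nonce3,
                             client_response("wrong", salt3, nonce3))  # False
    return honest, replay_same, replay_new, wrong_pw


if __name__ == "__main__":
    print(demo())
```

What the relay sees is `salt`, `nonce` and a MAC, never the password or a bare hash of it, and the single-use nonce is what defeats replay. What this sketch does not address is offline guessing: anyone who records `(salt, nonce, response)` can test candidate passwords against it at the cost of one PBKDF2 call each, so the protection against cracking is only as good as the password's entropy and the KDF cost.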
Current thread:
- Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. Nikhil Wagholikar (Sep 07)
- Re: Securing password between webserver & appserver. Ali, Saqib (Sep 07)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. Ali, Saqib (Sep 07)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. Robert Hajime Lanning (Sep 07)
- RE: Securing password between webserver & appserver. EXT-Adams, Randall E (Sep 07)
- Re: Securing password between webserver & appserver. arvind doraiswamy (Sep 07)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. arvind doraiswamy (Sep 08)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- RE: Securing password between webserver & appserver. Ken Schaefer (Sep 07)
- Re: Securing password between webserver & appserver. Till Elsner (Sep 08)
- Re: Securing password between webserver & appserver. bigbert007 (Sep 08)
- RE: Securing password between webserver & appserver. Calderon, Juan Carlos (GE, Corporate, consultant) (Sep 09)
- Re: Securing password between webserver & appserver. bigbert007 (Sep 08)
- <Possible follow-ups>
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 07)
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 08)