Security Basics mailing list archives
RE: Transmitting Sensitive Information between Servers
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 10 Sep 2008 15:52:55 -0700
That's a good point about hashes. If the password always encrypts to the same thing, an attacker doesn't need to know what the user types in -- he can just supply what that looks like when transmitted on the network. This is called a "replay" attack, and is prevented by introducing a session key or a challenge-response mechanism. In addition to "not revealing the password in cleartext transmission", these add the necessary other property "require the other host to demonstrate knowledge of the password at this time", which simply sending it encrypted may not guarantee.

David Gillett
-----Original Message-----
From: Chad Perrin [mailto:perrin () apotheon com]
Sent: Monday, September 08, 2008 5:51 PM
To: security-basics () securityfocus com
Subject: Re: Transmitting Sensitive Information between Servers

On Mon, Sep 08, 2008 at 12:48:23PM -0400, Basha, Arif wrote:
> We have a policy to not pass user name/password, etc in clear between
> servers within our DMZ. Is this being too pedantic? I would be
> interested to hear how others have this implemented?

In general, I'd say that passwords should never be passed in clear text over any network if it's at all possible to avoid. In fact, passwords should *themselves* not be passed, except in cases of private encrypted tunnels (e.g., SSH tunnel) -- generally, only hashes should be sent between a client and server. If you have a client/server app that sends an actual password from the client to the server, you have a server that cannot be trusted from the client side. Servers should deal in hash comparisons and the like -- not in actual password management itself.

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when terrible things happen and a false government security blanket beckons."
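The replay problem David describes, and the challenge-response fix, side by side as an added worked example. This code is not from the thread or from any of its participants; it constructs a single password, a stored SHA-256 verifier, and a hypothetical `ChallengeServer`, and it assumes both sides treat the password hash as the shared HMAC key (an assumption of the example, not something the thread specifies). The first scheme sends the same hash every time, so a captured copy authenticates forever; the second binds the response to a fresh random nonce, so a captured response fails against the next challenge.

```python
import hashlib
import hmac
import os

# Constructed sample data: one user, one password. The verifier is what
# the server stores and, in this example, what keys the HMAC (assumption).
PASSWORD = b"correct horse battery staple"
VERIFIER = hashlib.sha256(PASSWORD).digest()


def static_token(password: bytes) -> bytes:
    """Naive scheme: the client sends H(password) on every login.
    The value never changes, so it is as replayable as the password."""
    return hashlib.sha256(password).digest()


def static_verify(token: bytes, stored_verifier: bytes) -> bool:
    """Server side of the naive scheme: constant-time compare only."""
    return hmac.compare_digest(token, stored_verifier)


class ChallengeServer:
    """Challenge-response: a fresh random nonce per attempt, accepted once.
    The nonce is what makes the response useful 'at this time' only."""

    def __init__(self, stored_verifier: bytes):
        self.verifier = stored_verifier
        self.outstanding = None  # the nonce we are currently waiting on

    def challenge(self) -> bytes:
        self.outstanding = os.urandom(16)
        return self.outstanding

    def verify(self, response: bytes) -> bool:
        if self.outstanding is None:
            return False  # no live challenge: nothing to prove against
        nonce, self.outstanding = self.outstanding, None  # single use
        expected = hmac.new(self.verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: bytes, nonce: bytes) -> bytes:
    """Client proves current knowledge of the password by keying an HMAC
    over the server's nonce with the verifier derived from the password."""
    key = hashlib.sha256(password).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_against_static() -> bool:
    """Attacker sniffs the static token once and resends it: accepted."""
    captured = static_token(PASSWORD)
    return static_verify(captured, VERIFIER)


def replay_against_challenge() -> tuple:
    """Attacker sniffs a valid response to nonce N1 and resends it against
    a new challenge N2. Returns (legitimate_login_ok, replay_ok)."""
    server = ChallengeServer(VERIFIER)
    n1 = server.challenge()
    captured = client_response(PASSWORD, n1)
    legit_ok = server.verify(captured)
    server.challenge()               # attacker's own session gets N2
    replay_ok = server.verify(captured)  # old response, new nonce
    return legit_ok, replay_ok


if __name__ == "__main__":
    print("static token replay accepted:", replay_against_static())
    print("(legit, replay) with challenge-response:", replay_against_challenge())
```

Two caveats a practitioner should keep in mind. First, because the server keys the HMAC with the same verifier the client derives, that stored verifier is password-equivalent: whoever reads the server's database can answer challenges as the user. Second, an eavesdropper who captures the nonce and response pair still gets material for offline password guessing, so challenge-response removes replay but does not remove the case for an encrypted transport as well.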