I have used OAuth multiple times before for web applications.
However I am now looking into desktop applications and security issues involved.
Obviously public and private keys have to be stored somewhere, so how can I overcome the potential issue that someone will take the desktop application I create and steal the keys from it?
Cheers,
Thomas.
You can't. As long as you're planning on authenticating without going to a server, then the machine and private keys can be compromized.
You can reduce your vulnerability by encrypting your keys until the moment you need them, but at some point in time, your key will be in memory and viewable by a skilled and focused computer savvy thief.
i think i came up with some sort of a solution.
you could make a server for your desktop application that will interact with OAuth provider,
just like you do with a web application.
then you make an additional username and password for your webserver for each user.
so the user has to login to your desktop application (here is a desktop-server interaction to validate the user)
then enable user to connect to your server and make the heavy work.
Related
I wish to extract login details entered into a web interface and alter them before they reach the database server. This is for a project where the intention is to create an app that allows for more secure passwords that are salted and hashed (for use on legacy systems).
I have created a WAMP server and have the webpages and database linked and operational.
I have written a Java app to make the required changes to the passwords.
Problem
I thought I could use RESTful services to extract the username and password, but it didn't work.
Is there any app that will allow me to do this?
I'm apprehensive to stage a Man in the Middle attack as it kind of defeats the purpose of making the system more secure. Thanks
For a particular client/server game written in C++, I would like to develop a 'Login Server', so players can be individually tracked by a game server. However, I am averse to reinventing the wheel, and although I have unorthadox requirements, I want to know if what I am looking for has an already established implementation.
What I want is something like OpenID, where there is no authoritative login server. I want there to potentially be many login servers, and all a game server knows for sure is that the guy who used a specific login server with a specific username is the same as the guy who used that login server with that username last time.
Well, why not use OpenID, since I mentioned it by name? It's too web-centric. I don't want to put a browser in my game or in the launcher in order for people to pass their credentials to the login server when they want to play on a specific game server. In fact, a system that is agnostic to the protocol would be preferred, so the login server, game client and game server can all communicate using the same UDP infrastructure that the game client and server already has in place.
Some guidance in this area would be appreciated. I'd really prefer not to have to come up with the entire system myself, because authentication and security are tough problems.
OpenID binds your users to particular servers. For example, if a user comes from a http://openid.net/theusername you can store this information but from this time, the user just has to use the same authentication server and if the server is down, there is a difficult scenario on how to migrate an account to another identity (another provider).
On the other hand, if you rely on Oauth2 authentication and make email your primary recognized identity, users could authenticate with dozen of different providers you set up (Google, Facebook, Twitter, Linkedin) and you can trust providers that the email has been verified prior to authentication (this is how identity providers work).
I would then strongly recommend OAuth2. You still doesn't impose any specific provider and let your users to pick up their favourite one but in the same time you have quite reliable information, email, which can be used as a communication channel to send any information from your application to your users.
We are developing a couple of web applications and web services for our intranet. To access resources like databases or other data sources we use technical domain users and store their credentials in the config file of the web apps. Passwords must be encrypted before written to the file. (The application then have to decrypts it to access the resources.)
We do this for quite a while but now a discussion came up. Our server operations team suddenly considers it unsecure to store the passwords in config files because an attacker might successfully decrypt it, maybe by analyzing the little tool used for encryption. (It's written in .Net so indeed it's not really hard to analyse the used algorithm by using Reflector & Co.)
As an alternative they proposed to use the technical user account as app pool security context. But I'm not sure if this doesn't mean to replace one possible security hole by an actual one: If the app pool runs under the context of the domain user, the attacker dont't have to know the password anymore. He simply can use security holes in the application or try to run his own code under this app pool somehow.
What do you mean? Is there a best practice to deal with passwords in web applications?
Thanks,
Rocko
Its a very common practice for a domain user to run the app. Just ensure that account has a really small footprint - only what is needed.
Hi and thanks in advance,
I am looking for industry best practice or a ready made app to store and share passwords for for network resources.
My current situation is that I have a number of people that need to access applications as a specific superuser in order to access some features of these applications. The applications are third party build and cannot be changes to grant access to the required features for anyone but the superuser account. Normal admin accounts have elevated rights but things like creating accounts have to be done via the superuser account.
For security reasons I would like to periodically change the superuser accounts' password. Because of the number of people that need to be able to log in as superuser changing the password would be problematic and a logistical nightmare.
I'm looking to purchase or create an application that would:
Track who is looking up the password and to what resource
Allow me to specify what passwords a user can retrieve
The data should be stored and transmitted ultra securely
Preferable this would be an on-line application (I have Mac and Windows clients)
Keypass is great for this kind of thing. It provides a strong encrypted database of passwords and secure information. This can be accessed share via svn/dropbox/fileshare implementations using a master password.
This is more for a master database of secure data you can set up additional databases, maybe per user, but it starts to get a little away from what it's deigned for.
I would do a C# app that checks with a web service if the user can run the app and with what permissions, it would then be sent the encrypted credentials for a 1 time run, the service would log the request. This would all have to be done securely, so the service would use SSL and preferably certs between the systems. You have a good bit of research here to figure this all out, and you might have to use Java if you want mac... but I dont know how well that can launch apps as other users.
Solution #2 would be to use KeePass. You will have to be creative.
We're developing a REST API to be consumed by a couple of mobile applications. It's important that we're able to trust the identities of these mobile applications. In our current design, each API call is authenticated with an "API Key" parameter and secured with HTTPS.
My concern is that the API Key is embedded within each copy of the mobile app, which means there's no way we can keep it secret. It will be on thousands of phones, and theoretically any hacker with a binary editor or HTTP Traffic analyzer could extract the API key and then 'pose as' one of the applications, sending us requests that we'd have no choice but to trust. Client certificates would appear to have the same risk.
Is there an architecture that solves this problem?
It is being discussed from time to time in different places including StackOverflow. In brief - whatever you put to user's possession is not yours anymore. You can obfuscate the private key, of course, yet I see at least three ways to bypass your security measures.
The only way to solve a problem could be to employ cryptographic device (smartcard or USB cryptotoken) which keeps private and secret keys and doesn't let them out, however with handhelds use of such devices is quite complicated (if not impossible) from both technical and usability points of view.
Also you might want to reconsider your approach and let any client software use the service given that they pay for it. And your server will authenticate users and not software. Then the topic of keeping login data secret will be users' task.