How to secure a file of usernames and passwords?

Discussion in 'Java' started by Ahmed Moustafa, Aug 9, 2003.

  1. Hi All,

    The application sends files to different FTP servers.
    The application is hosted on a server outside the firewall.
    Where/How could the FTP accounts be stored securely?

    If I encrypt the accounts on the server, I will have to keep there e.g. a
    private key to be able to decrypt again, right?

    Is there a standard/common approach to achieve that?

    Thanks in advance!
     
    Ahmed Moustafa, Aug 9, 2003
    #1

  2. Chris Smith wrote:
    > Ahmed Moustafa wrote:
    >
    >>Hi All,
    >>
    >>The application sends files to different FTP servers.
    >>The application is hosted on a server outside the firewall.
    >>Where/How could the FTP accounts be stored securely?
    >>
    >>If I encrypt the accounts on the server, I will have to keep there e.g. a
    >>private key to be able to decrypt again, right?
    >>
    >>Is there a standard/common approach to achieve that?

    >
    >
    > I'm sorry, but you're not making a lot of sense. Generally, user
    > account information is stored in a server-specific way that is not made
    > accessible over a network. Do you really want to encrypt the transfers?
    > Or are you communicating that account information with clients somehow?
    > Are you concerned about the username and password that are sent by the
    > client to do the FTP?
    >
    > I don't have much information... but it sounds like your security
    > requirements make FTP a poor choice of protocol.


    I am sorry for not being clear in defining the problem.
    The files to be sent are already encrypted, there is no problem with that.
    What needs to be secured is the set of accounts that the files are to be
    delivered to.

    Does that make any sense?
     
    Ahmed Moustafa, Aug 10, 2003
    #2

  3. Chris Smith wrote:
    > Ahmed Moustafa wrote:
    >
    >>I am sorry for not being clear in defining the problem.
    >>The files to be sent are already encrypted, there is no problem with that.
    >>What needs to be secured is the set of accounts that the files are to be
    >>delivered to.
    >>
    >>Does that make any sense?

    >
    >
    > Well, not yet, no. How about answering a few more questions:
    >
    > 1. Where do you store this set of accounts?


    That is my question i.e. do I have to keep the accounts behind the
    firewall? Or can I keep them e.g. encrypted on my server outside the
    firewall?

    > 2. Who are you interested in securing it from?


    The host of the application is a server outside the firewall and is
    itself an FTP server, so people connect to put and get files and I am
    interested in securing the accounts from those people.

    > 3. Where exactly does FTP fit into this?


    It is what the application is supposed to perform, sending files to the
    business partners.
     
    Ahmed Moustafa, Aug 10, 2003
    #3
  4. Chris Smith (Guest)

    Ahmed Moustafa wrote:
    > Chris Smith wrote:
    > > 3. Where exactly does FTP fit into this?

    >
    > It is what the application is supposed to perform, sending files to the
    > business partners.


    Ah, so you're *writing* an FTP server, not using one. Alright then.
    There are two security concerns that come to mind regarding account
    information:

    1. Protecting usernames and passwords from interception as someone is
    logging in to the site. There isn't really any way to accomplish this
    while still using the FTP protocol.

    2. Protecting login info in case the server is compromised. This is
    probably a job for something like the one-way encryption used for UNIX
    passwords. In fact, most FTP applications use local OS login accounts,
    so they effectively do this.

    It's worth noting that case 2 is pretty much a lost scenario anyway, so
    I consider it much less important than case 1.

    > > 1. Where do you store this set of accounts?

    >
    > That is my question i.e. do I have to keep the accounts behind the
    > firewall? Or can I keep them e.g. encrypted on my server outside the
    > firewall?


    You could store them behind the firewall and run some kind of an
    authentication server, I suppose. It would be a real pain, and would
    only provide a little additional protection in case of #2 above. It
    still doesn't help with your big gaping security hole; that can't be
    helped while still using the FTP protocol.

    > > 2. Who are you interested in securing it from?

    >
    > The host of the application is a server outside the firewall and is
    > itself an FTP server, so people connect to put and get files and I am
    > interested in securing the accounts from those people.


    Well, obviously you wouldn't put account information in a directory
    that's made available by your FTP server... Aside from that, I think
    I've summarized the two main security concerns in my first response
    above.

    --
    www.designacourse.com
    The Easiest Way to Train Anyone... Anywhere.

    Chris Smith - Lead Software Developer/Technical Trainer
    MindIQ Corporation
     
    Chris Smith, Aug 10, 2003
    #4
  5. Brian Palmer wrote:

    >>1. Protecting usernames and passwords from interception as someone is
    >>logging in to the site. There isn't really any way to accomplish this
    >>while still using the FTP protocol.

    >
    >
    > One-time Passcodes would work, actually. (OK, they'd likely be a pain
    > for users, unless a smart card that generates the passcodes is
    > used).


    What smart card do you mean?
     
    Ahmed Moustafa, Aug 11, 2003
    #5
  6. Brian Palmer (Guest)

    Ahmed Moustafa writes:

    > Brian Palmer wrote:
    >
    > >> 1. Protecting usernames and passwords from interception as someone
    > >> is logging in to the site. There isn't really any way to
    > >> accomplish this while still using the FTP protocol.

    >
    > > One-time Passcodes would work, actually. (OK, they'd likely be a pain

    >
    > > for users, unless a smart card that generates the passcodes is
    > > used).

    >
    > What smart card do you mean?


    I wasn't thinking of any in particular; I just know that there exist
    smart cards which handle one-time passcodes. A google search for smart
    card one-time passcode (or password) turned up a few.

    --
    See comp.lang.java.announce for java-related announcements
     
    Brian Palmer, Aug 20, 2003
    #6
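
Why one-time passcodes blunt interception on a cleartext login, as an added example that is not part of the original thread: a counter-based code in the style of RFC 4226 (HOTP), with a server-side check that accepts each code at most once. The class names and the look-ahead window are assumptions made for this example; the secret is the RFC 4226 test value, used as sample data.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OneTimePasscode {
    /** HOTP value per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated. */
    static String hotp(byte[] secret, long counter, int digits) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f;             // low nibble selects the offset
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        int mod = (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", bin % mod);
    }

    /** Server-side state for one account: shared secret plus next expected counter. */
    static final class Account {
        final byte[] secret;
        long counter;
        Account(byte[] secret) { this.secret = secret; }

        /** Accepts a code at most once; lookAhead tolerates a token that skipped ahead. */
        boolean login(String code, int lookAhead) throws Exception {
            byte[] given = code.getBytes(StandardCharsets.US_ASCII);
            for (long c = counter; c <= counter + lookAhead; c++) {
                byte[] expected = hotp(secret, c, 6).getBytes(StandardCharsets.US_ASCII);
                if (MessageDigest.isEqual(expected, given)) {
                    counter = c + 1;                  // burn this and all earlier counters
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // RFC 4226 test secret, used here as sample data only.
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        Account acct = new Account(secret);
        String observed = hotp(secret, 0, 6);         // code as seen on the wire
        System.out.println(acct.login(observed, 2));  // first presentation
        System.out.println(acct.login(observed, 2));  // same code presented again
        System.out.println(acct.login(hotp(secret, 1, 6), 2)); // next code from the token
    }
}
```
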
