RSACryptoServiceProvider in ASP.Net 2.0

Discussion in 'ASP .Net Security' started by anoop, Feb 28, 2007.

  1. anoop

    anoop Guest

    Hello,
    If I use RSACryptoServiceProvider in ASP.Net, it can only be
    implemented at Server Side. But Authentication Credentials are still passing
    in clear text from Client to Server. What should I do to encrypt passing of
    Authentication Credentials from Client to Server?

    Thank you.
     
    anoop, Feb 28, 2007
    #1

  2. You can't do that easily - and it doesn't make sense.

    What you really want is SSL protecting the complete connection...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Hello,
    > If I use RSACryptoServiceProvider in ASP.Net, it can only be
    > implemented at Server Side. But Authentication Credentials are still
    > passing
    > in clear text from Client to Server. What should I do to encrypt
    > passing of Authentication Credentials from Client to Server
    >
    > Thank you.
    >
     
    Dominick Baier, Feb 28, 2007
    #2

  3. anoop

    anoop Guest

    Hello,
    I have also implemented SSL, but if I intercept the Authentication
    Credentials in an intercepting proxy such as PAROS or Burp Proxy, then, as
    these intercepting proxies send their own certificates, login credentials
    can still be seen in clear text passing from Client to Server.

    Thank you
    "Dominick Baier" wrote:

    > You can't do that easily - and it doesn't make sense.
    >
    > What you really want is SSL protecting the complete connection...
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > Hello,
    > > If I use RSACryptoServiceProvider in ASP.Net, it can only be
    > > implemented at Server Side. But Authentication Credentials are still
    > > passing
    > > in clear text from Client to Server. What should I do to encrypt
    > > passing of Authentication Credentials from Client to Server
    > >
    > > Thank you.
    > >

    >
    >
    >
     
    anoop, Mar 1, 2007
    #3
  4. Joe Kaplan

    Joe Kaplan Guest

    You can't do anything about this really. If you introduce a "man in the
    middle" scenario with a load balancer or proxy like you are doing that
    supports SSL termination, then that's a risk you are taking. In that case,
    someone would need to give the proxy the certificate your web server uses,
    so I'd assume these risks were considered, right? Some of these types of
    devices can reinitiate SSL back to the web server as well and thus provide
    end to end encryption. We typically use this type of behavior with our load
    balancers in our data center to ensure traffic is encrypted end to end.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "anoop" <> wrote in message
    news:...
    >
    > Hello,
    > I have also implemented SSL, but if I intercept the Authentication
    > Credentials in intercepting Proxy such as PAROS or Burp Proxy. As these
    > intercepting proxies send their own certificates, login Credentials can
    > still
    > be seen in clear text passing from client to Server.
    >
    > Thank you
    > "Dominick Baier" wrote:
    >
    >> You can't do that easily - and it doesn't make sense.
    >>
    >> What you really want is SSL protecting the complete connection...
    >>
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >>
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >> > Hello,
    >> > If I use RSACryptoServiceProvider in ASP.Net, it can only be
    >> > implemented at Server Side. But Authentication Credentials are still
    >> > passing
    >> > in clear text from Client to Server. What should I do to encrypt
    >> > passing of Authentication Credentials from Client to Server
    >> >
    >> > Thank you.
    >> >

    >>
    >>
    >>
     
    Joe Kaplan, Mar 1, 2007
    #4
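
The certificate substitution discussed in posts #3 and #4, seen from a non-browser .NET client: an added example, not code from any poster in this thread, of a validation callback that refuses any certificate other than the one the client expects. The host name `app.example.test`, the class name and the in-memory pin are constructed for the demo; `CertificateRequest` needs .NET Framework 4.7.2 or .NET Core 2.0 and later.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedTls
{
    // Constructed for this demo; a real client ships the pin with the application.
    static string pinnedSha256;

    static string Sha256Hex(X509Certificate cert)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
    }

    // Matches RemoteCertificateValidationCallback, so it can be assigned to
    // ServicePointManager.ServerCertificateValidationCallback or passed to SslStream.
    public static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) return false;
        // 1. Normal validation: untrusted issuer, name mismatch or expiry all fail here.
        if (errors != SslPolicyErrors.None) return false;
        // 2. Pin: even a chain the machine trusts must end in the expected certificate.
        return string.Equals(Sha256Hex(cert), pinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    // Builds a throwaway self-signed certificate so the demo runs offline.
    static X509Certificate2 SelfSigned(string subject)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    static void Main()
    {
        X509Certificate2 server = SelfSigned("CN=app.example.test");
        X509Certificate2 proxy = SelfSigned("CN=app.example.test"); // same name, different key
        pinnedSha256 = Sha256Hex(server);

        // Genuine server certificate, chain validated.
        Console.WriteLine(Validate(null, server, null, SslPolicyErrors.None));
        // Proxy certificate whose issuer the client does not trust.
        Console.WriteLine(Validate(null, proxy, null, SslPolicyErrors.RemoteCertificateChainErrors));
        // Proxy certificate whose CA was added to the client's trust store.
        Console.WriteLine(Validate(null, proxy, null, SslPolicyErrors.None));
    }
}
```

The third case is the one that matters for an intercepting proxy whose CA has been installed on the client: chain validation alone accepts it, and only the pin comparison distinguishes it from the real server certificate.
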
  5. Jamieson

    Jamieson Guest

    The only way that you can encrypt the communications is by using SSL. This can be set up internally using Windows Server, or by purchasing an SSL certificate if it's an internet application. I've always used VeriSign.
    ---
    Posted via DotNetSlackers.com
     
    Jamieson, Mar 30, 2007
    #5