How to secure a file of usernames and passwords?

Discussion in 'Java' started by Ahmed Moustafa, Aug 9, 2003.

  1. Hi All,

    The application sends files to different FTP servers.
    The application is hosted on a server outside the firewall.
    Where/How could the FTP accounts be stored securely?

    If I encrypt the accounts on the server, I will have to keep there e.g. a
    private key to be able to decrypt again, right?

    Is there a standard/common approach to achieve that?

    Thanks in advance!
     
    Ahmed Moustafa, Aug 9, 2003
    #1

  2. I am sorry for not being clear in defining the problem.
    The files to be sent are already encrypted, there is no problem with that.
    What needs to be secured is the set of accounts that the files are to be
    delivered to.

    Does that make any sense?
     
    Ahmed Moustafa, Aug 10, 2003
    #2

  3. That is my question i.e. do I have to keep the accounts behind the
    firewall? Or can I keep them e.g. encrypted on my server outside the
    firewall?
    The host of the application is a server outside the firewall and itself
    is FTP server, so people connect to put and get files and I am
    interested in securing the accounts from those people.
    It is what the application is supposed to perform, sending files to the
    business partners.
     
    Ahmed Moustafa, Aug 10, 2003
    #3
  4. Chris Smith Guest

    Ah, so you're *writing* an FTP server, not using one. Alright then.
    There are two security concerns that come to mind regarding account
    information:

    1. Protecting usernames and passwords from interception as someone is
    logging in to the site. There isn't really any way to accomplish this
    while still using the FTP protocol.

    2. Protecting login info in case the server is compromised. This is
    probably a job for something like the one-way encryption used for UNIX
    passwords. In fact, most FTP applications use local OS login accounts,
    so they effectively do this.

    It's worth noting that case 2 is pretty much a lost scenario anyway, so
    I consider it much less important than case 1.
    You could store them behind the firewall and run some kind of an
    authentication server, I suppose. It would be a real pain, and would
    only provide a little additional protection in case of #2 above. It
    still doesn't help with your big gaping security hole; that can't be
    helped while still using the FTP protocol.
    Well, obviously you wouldn't put account information in a directory
    that's made available by your FTP server... Aside from that, I think
    I've summarized the two main security concerns in my first response
    above.

    --
    www.designacourse.com
    The Easiest Way to Train Anyone... Anywhere.

    Chris Smith - Lead Software Developer/Technical Trainer
    MindIQ Corporation
     
    Chris Smith, Aug 10, 2003
    #4
  5. What smart card do you mean?
     
    Ahmed Moustafa, Aug 11, 2003
    #5
  6. Brian Palmer Guest

    I wasn't thinking of any in particular; I just know that there exist
    smart cards which handle one-time passcodes. A google search for smart
    card one-time passcode (or password) turned up a few.
     
    Brian Palmer, Aug 20, 2003
    #6