RSACryptoServiceProvider in ASP.Net 2.0

anoop

Hello,
If I use RSACryptoServiceProvider in ASP.Net, it can only be
implemented at Server Side. But Authentication Credentials are still passing
in clear text from Client to Server. What should I do to encrypt passing of
Authentication Credentials from Client to Server?

Thank you.
 
Dominick Baier

You can't do that easily - and it doesn't make sense.

What you really want is SSL protecting the complete connection...
 
anoop

Hello,
I have also implemented SSL, but if I intercept the Authentication
Credentials in an intercepting Proxy such as PAROS or Burp Proxy, as these
intercepting proxies send their own certificates, login Credentials can still
be seen in clear text passing from client to Server.

Thank you
 
Joe Kaplan

You can't do anything about this really. If you introduce a "man in the
middle" scenario with a load balancer or proxy like you are doing that
supports SSL termination, then that's a risk you are taking. In that case,
someone would need to give the proxy the certificate your web server uses,
so I'd assume these risks were considered, right? Some of these types of
devices can reinitiate SSL back to the web server as well and thus provide
end to end encryption. We typically use this type of behavior with our load
balancers in our data center to ensure traffic is encrypted end to end.

Joe K.
 
Jamieson

The only way that you can encrypt the communications is by using SSL. This can be set up internally using Windows Server, or by purchasing an SSL certificate if it's an internet application. I've always used VeriSign.
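
An added example, not part of any post in this thread: a web.config fragment for ASP.NET 2.0 forms authentication that keeps the authentication cookie on the SSL connection the replies recommend. The page name Login.aspx and the timeout value are assumptions.

```xml
<!-- Added example: web.config fragment for an ASP.NET 2.0 site that uses
     forms authentication behind SSL. Login.aspx is an assumed page name. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Weak (default) setting: requireSSL="false" lets the forms
           authentication cookie be sent over plain HTTP.
           Corrected setting: requireSSL="true" marks the cookie Secure,
           so the browser returns it only over HTTPS. -->
      <forms loginUrl="Login.aspx"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20" />
    </authentication>
    <authorization>
      <!-- Anonymous users are sent to the login page. -->
      <deny users="?" />
    </authorization>
    <!-- Apply the Secure and HttpOnly flags to every cookie the
         application issues, not only the authentication ticket. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

These settings protect the cookie only; the login form itself still has to be requested and posted over https:// for the credentials to travel inside the SSL connection.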
 
