WebApp Sec mailing list archives
Re: advice needed - secure transfer of client details
From: focus () karsites net
Date: Sat, 30 Oct 2004 09:12:40 +0000 (GMT)
Hi Tim, everyone. Interesting problem. I suppose you could send a password with the encrypted data, from your client to the server. On receiving the data from the client, check the validity of the password at the server end. If the password check fails, then assume that the data may have become corrupted as well. Or you could also use various forms of 'proprietory dynamic encryption', and send an 'encryption method key' with the data, to tell the server which decryption method to use, on receipt of the data. You are not actually sending the encryption/decryption key itself, but a hint to the server as to which methods (there could be several proprietory methods) need to be used to decrypt the data). An encryption key could be anything you want to use really. For each field in the input data, a unique code number could be used, stored on the server side, to identify the decryption method required. The Java applet could randomly choose from a pre-defined list, which encryption method it uses for each field at the client end, and build the appropriate 5-part encryption key to send to the server. Eg. if there are five input fields, then the encryption key might be something like this: De25hM:yTm90:A3GhpWm:Kx48qBz:Sn7U9vI When the server receives the above key, it should be able to parse the string into 5 seperate sub-keys, one for each field, then apply the different server decryption methods for each input field, and it's client-sided encrypted data. HTH - Keith Roberts Have you considered using VPN between the client and server, if this is going via the internet? http://www.karsites.net/ On Fri, 29 Oct 2004, Tim James wrote:
To: webappsec () securityfocus com From: Tim James <jimtames () yahoo com> Subject: advice needed - secure transfer of client details Hi all, This is a brain teaser. I have an application to review which supplies details from the client's workstation (derived from files on disk, hostname, IP address). It currently implements a Java applet whose job is to obtain these details and send them up to the server in an ordinary HTTP POST. This sends alarm bells ringing for me. I have developed a simple attack whereby I can replace the applet at will with my own code, which can send different details for workstation ID, hostname, IP address. This falsifies the audit trail from this point on and the server is none the wiser. So, the general problem is this :- How can a client communicate details that are only known to the client, up to a server, in a way that cannot be tampered with ? Why should a server trust the supplied values ? The data for the workstation next to me is known by everyone - why can't I create an applet to reproduce those details, and hence impersonate that workstation ? I have some ideas but none are totally satisfactory. 1) Encrypt the data This shifts the problem to one of key management. 2) Checksum the applet 3) Keep the details on the server in the first place and supply some token from the client which cannot be impersonated I would *really* appreciate a different perspective on this problem because I'm kind of stalled..... Thanks a lot Tim Send instant messages to your online friends http://uk.messenger.yahoo.com
Current thread:
- advice needed - secure transfer of client details Tim James (Oct 29)
- New Whitepaper - "Second-order Code Injection Attacks" WebAppSecurity [Technicalinfo.net] (Nov 01)
- Re: advice needed - secure transfer of client details Peter Conrad (Nov 01)
- Re: advice needed - secure transfer of client details Ido Rosen (Nov 01)
- Re: advice needed - secure transfer of client details focus (Nov 01)
- Re: advice needed - secure transfer of client details GuidoZ (Nov 01)
- Re: advice needed - secure transfer of client details Alex Russell (Nov 01)
- Re: advice needed - secure transfer of client details Richard Moore (Nov 05)
- <Possible follow-ups>
- RE: advice needed - secure transfer of client details Michael Silk (Nov 01)
- RE: advice needed - secure transfer of client details Scovetta, Michael V (Nov 01)
- RE: advice needed - secure transfer of client details Glenn_Everhart (Nov 05)
- re: advice needed - secure transfer of client details Tim James (Nov 05)