WebApp Sec mailing list archives

Re: Securing password between webserver & appserver.


From: Nikhil Wagholikar <visitnikhil () gmail com>
Date: Mon, 7 Sep 2009 11:59:19 +0530

Hi Chintan,

Maybe you can think of One Time Password (OTP) as an alternative to PKI.

---
Nikhil Wagholikar
Practice Lead | Security Assessments & Digital Forensics
Network Intelligence (India) Pvt. Ltd. [NII Consulting]
Web: http://www.niiconsulting.com/
Comprehensive Information Security Training
http://iisecurity.in/courses/Training%20Calendar.html

2009/9/7 Chintan Oza <chintan.oza () gmail com>

Dear All,

We have a web application which performs user authentication on an
id+password basis.

The architecture is like this.
Browser<-HTTPS->WebServer<-->AppServer

We have a requirement where password should not be available to the
WebServer (even in hashed format).

The only solution that I can think of is having an Applet perform PKI
encryption on the password before submitting the form.

Please suggest if there are any better alternatives.

Thanks,

Chintan
