.NET Forum / ASP.NET / General / July 2007

Does NetworkCredential itself encrypt user credentials?

antonyliu2002@yahoo.com - 09 Jul 2007 17:03 GMT
I have a website (call it WinAuthWeb) that uses Integrated Windows
Authentication.

In my ASP.NET web application, I collect user name, password and
domain info and pass them to WinAuthWeb for authentication (formerly
known as NTLM).

I construct the user credentials like this:

    Dim userCredential As New NetworkCredential(username, userpassword, userdomain)

And attach it to my HttpWebRequest object like this:

    myRequest.Credentials = userCredential

I know that I can create an SSL channel and send this info over, but I
am specifically asking about regular HTTP transmission of such data.

I captured the traffic using Ethereal, and interestingly, I was not
able to find my user credentials in plain text in the packets.  I did
see the web page returned from WinAuthWeb in plain text.

I cannot look into the implementation details of NetworkCredential, so
I am wondering if the NetworkCredential class actually encrypts the user
credentials by default.  Or does it Base64-encode them (I know this
isn't encryption, and thus insecure, but not human-readable)?

Does anyone know about this?  Thanks if you could share.
bruce barker - 09 Jul 2007 19:04 GMT
the security is based on the site. ntlm is a challenge/response protocol.
the password is never passed, only hashes. if the site is set to basic,
then the password is only encoded in base64 and included with the request.

-- bruce (sqlwork.com)

antonyliu2002@yahoo.com - 09 Jul 2007 19:49 GMT
Thank you.  I am a little bit confused.  The security is based on the
remote site (in my case, WinAuthWeb)?  And for Integrated Windows
Authentication, only the hash of the password is sent?  If that's the
case, it seems to be good enough even if we send such credentials
through regular HTTP.

What do you mean by "the site is set to basic"?  Did you mean "Basic
Authentication", which is one option on the directory security tab of
the IIS configuration?
antonyliu2002@yahoo.com - 09 Jul 2007 20:42 GMT
OK, I think I am clearer about the situation now.

I did a little bit of research, and realized (I knew this from a long
time ago, but just didn't link it properly with my current situation)
that Active Directory does not store the user password per se, but
instead stores its hash, just like a Unix system.

Therefore, just like Bruce Barker said, if the web site is
configured for Integrated Windows Authentication, then the website
will only request the hash of the user password, in addition to the user
name and domain.

I guess somehow, something in the NetworkCredential for ASP.NET or the
Microsoft.XMLHTTP for classic ASP will take care of the hashing
process.

Given this understanding, in our web application, even if we connect
to the remote web server through HTTP to transmit user credentials for
NTLM authentication, we seem to be OK (as long as the password is
strong enough to be hash-dictionary-proof).

This is my preliminary conclusion.  Correct me if I am wrong.

That said, we can still easily create an SSL channel in ASP.NET to
transmit such sensitive data for added security by implementing our
own CertificatePolicy.  It is a little harder to do so in classic ASP.
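As an added example (not code from this thread or from the .NET Framework), this Python script parses the two Authorization header forms bruce describes, as they would appear in a capture like the poster's Ethereal trace: a Basic header decodes straight back to the username and password, while an NTLM Type 3 message carries only the domain, user name and the challenge responses. The Type 3 builder and the sample values are constructed for the demo; the response fields are placeholder bytes, not real NTLM hashes.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"


def build_ntlm_type3(domain, user, workstation, lm_resp, nt_resp):
    """Build a minimal NTLM Type 3 (authenticate) message; demo only, dummy responses."""
    fields = [lm_resp, nt_resp, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header_len = 8 + 4 + 8 * len(fields) + 4          # signature, type, 6 buffers, flags
    payload, bufs, offset = b"", b"", header_len
    for f in fields:                                  # security buffer: len, maxlen, offset
        bufs += struct.pack("<HHI", len(f), len(f), offset)
        payload, offset = payload + f, offset + len(f)
    flags = 0x00000001 | 0x00000200                   # NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    return NTLM_SIG + struct.pack("<I", 3) + bufs + struct.pack("<I", flags) + payload


def _buf(msg, idx):
    """Return the bytes of security buffer number idx (0-based) in a Type 3 message."""
    ln, _, off = struct.unpack_from("<HHI", msg, 12 + 8 * idx)
    return msg[off:off + ln]


def classify_authorization(header):
    """Report what an HTTP Authorization header exposes to anyone reading the wire."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() == "basic":                     # base64 only: password recoverable
        user, _, password = base64.b64decode(token).decode().partition(":")
        return {"scheme": "Basic", "user": user, "password": password,
                "password_on_wire": True}
    if scheme.lower() == "ntlm":
        msg = base64.b64decode(token)
        if not msg.startswith(NTLM_SIG):
            raise ValueError("not an NTLMSSP message")
        mtype = struct.unpack_from("<I", msg, 8)[0]
        if mtype != 3:                                # Type 1/2 carry no user data at all
            return {"scheme": "NTLM", "message_type": mtype, "password_on_wire": False}
        return {"scheme": "NTLM", "message_type": 3,
                "domain": _buf(msg, 2).decode("utf-16-le"),
                "user": _buf(msg, 3).decode("utf-16-le"),
                "nt_response_len": len(_buf(msg, 1)),  # response, not the password
                "password_on_wire": False}
    return {"scheme": scheme, "password_on_wire": None}


# Constructed samples: a Basic header and an NTLM Type 3 with placeholder responses.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:S3cret!").decode()
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    build_ntlm_type3("CORP", "alice", "WS01", b"\x00" * 24, b"\x11" * 24)).decode()
```

Run `classify_authorization` on each sample to see the difference: the Basic result contains the clear password, the NTLM result does not, but the 24-byte responses it carries are derived from the password hash, which is why the poster's own caveat about dictionary attacks still applies to anything captured over plain HTTP.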

©2008 Advenet LLC