
.NET Forum / Languages / C# / July 2008

Security Question

jehugaleahsa@gmail.com - 30 Jul 2008 00:07 GMT
What type of security measures does, say, a database management
systems take in order to prevent a person from retransmitting logon
information that was captured from a sniffer?

There must be some way to prevent this from happening. I mean, anyone
could capture the data sent back and forth between a client and server
and just resend the exact same information in order to duplicate the
transaction, regardless of encryption.

I mean, connecting to a database is nothing more than bits being sent
over a network. The database processes those bits and simply creates a
session for that connection information. What prevents someone from
duplicating those bits and creating their own session?

Am I making myself clear?

I am asking because I know a lot of people who have resolved some of
their authentication issues by creating web services that return a
GUID once a user is authenticated. The GUID is kept alive in a
session, typically. When a request is sent to the web service, the
GUID is used to verify that the user is logged in. However, if this
GUID is passed over the network, couldn't anyone capture it and
imitate the session?

I guess that brings up another good question: where are session values
stored? I thought that they were implemented with cookies, which are
stored on the client. However, I am given the impression that they are
stored on the server. Just some confusion.

Is there a way to prevent someone from taking your credentials,
encrypted or not, and resending them to the server? I mean, private /
public key pairs even seem worthless because the public key can be
captured and they really don't prevent the database from
interpreting the bits. Perhaps the trick is that the database
encrypts the response given the client's public key, thus making it
impossible for you to interpret the response.

But, in the case of the GUID, if that is all that is needed to delete
a record, then that is nothing to entrust.

I hope I am making sense.

Thanks,
Travis
Ken Foskey - 30 Jul 2008 01:24 GMT
> What type of security measures does, say, a database management systems
> take in order to prevent a person from retransmitting logon information
> that was captured from a sniffer?

They use an encrypted tunnel.  For example, HTTPS is HTTP over SSL
encryption.  These use public and private keys; it works like this: you
create a key pair, a private one that only you have and a public one that
you give out to anyone.   The DB signon gives you its public key and you
encrypt your message with it; the only person that can decrypt it is the
one holding the private key.   Double encryption is: you encrypt with your
private key and the receiver's public key, then only the receiving party
can read it and they absolutely know that you sent it.

Ken
jehugaleahsa@gmail.com - 30 Jul 2008 01:35 GMT
> > What type of security measures does, say, a database management systems
> > take in order to prevent a person from retransmitting logon information
[quoted text clipped - 10 lines]
>
> Ken

Maybe I don't understand.
Ken Foskey - 30 Jul 2008 02:04 GMT
>> > What type of security measures does, say, a database management
>> > systems take in order to prevent a person from retransmitting logon
[quoted text clipped - 13 lines]
>
> Maybe I don't understand.

Look up SSL on the internet.   It creates a tunnel that text goes into
and out of at the ends but it is encrypted whenever it is on the network.

Ken
jehugaleahsa@gmail.com - 30 Jul 2008 04:02 GMT
> >> > What type of security measures does, say, a database management
> >> > systems take in order to prevent a person from retransmitting logon
[quoted text clipped - 20 lines]

What about my question about simply duplicating a transaction?
Ken Foskey - 30 Jul 2008 04:55 GMT
>> >> > What type of security measures does, say, a database management
>> >> > systems take in order to prevent a person from retransmitting
[quoted text clipped - 23 lines]
>
> What about my question about simply duplicating a transaction?

Because each session is created individually, and the private key on the
client end is 'private', you cannot break what is sent without it.*

You cannot replay an encrypted sequence because each encryption is unique.

Ken

* Yes, you can break it, but it is not practical using current hardware.
rossum - 30 Jul 2008 15:41 GMT
>What type of security measures does, say, a database management
>systems take in order to prevent a person from retransmitting logon
>information that was captured from a sniffer?
This is called a Replay Attack:
http://en.wikipedia.org/wiki/Replay_attack

The basic countermeasure is to have something unique to each session
that an attacker cannot easily guess.  A replay of a previous session
would have the wrong "something unique" and so be rejected.

rossum
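The countermeasure rossum describes, as an added example that is not part of the original thread: the server issues a fresh random nonce (the "something unique") for each logon attempt, the client proves knowledge of the password by keying an HMAC over that nonce, and the nonce is consumed on first use, so a sniffed logon exchange is rejected when replayed. The user name, password and key derivation here are constructed for the demo, not taken from any real system.

```python
import hmac
import hashlib
import secrets

# Constructed demo data: the server holds a per-user key derived from the
# password. A real deployment would use a proper password hash or PAKE.
USER_KEYS = {"travis": hashlib.sha256(b"correct horse").digest()}


class Server:
    """Challenge-response logon: every attempt gets a single-use nonce."""

    def __init__(self):
        self._pending = {}     # nonce -> username, removed on first use
        self.sessions = set()  # session IDs handed out after a good logon

    def challenge(self, username):
        nonce = secrets.token_hex(16)      # unique per logon attempt
        self._pending[nonce] = username
        return nonce

    def logon(self, username, nonce, proof):
        # A replayed proof carries a nonce that was already consumed
        # (or never issued), so it fails here before any crypto check.
        if self._pending.pop(nonce, None) != username:
            return None
        key = USER_KEYS.get(username)
        if key is None:
            return None
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return None
        session_id = secrets.token_hex(16)
        self.sessions.add(session_id)
        return session_id


def client_proof(password, nonce):
    """What the client sends instead of the password: HMAC(key, nonce)."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    server = Server()
    nonce = server.challenge("travis")
    proof = client_proof("correct horse", nonce)
    first = server.logon("travis", nonce, proof)       # legitimate logon
    replay = server.logon("travis", nonce, proof)      # sniffed bytes resent
    nonce2 = server.challenge("travis")
    stale = server.logon("travis", nonce2, proof)      # old proof, new nonce
    return first is not None, replay is None, stale is None
```

The same idea is what a TLS handshake does with its per-session random values; the GUID scheme from the first post has no such freshness, which is why a captured GUID stays usable until the session expires.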
Hans Kesting - 31 Jul 2008 08:47 GMT
jehugaleahsa@gmail.com expressed precisely:

> I guess that brings up another good question: where are session values
> stored? I thought that they were implemented with cookies, which are
> stored on the client. However, I am given the impression that they are
> stored on the server. Just some confusion.

The Session information is stored on the server-side. A single cookie
is "stored" (it's a temporary cookie) on the client computer, to hold
the session ID. IIRC the session ID is unique for each session, at
least as long as the server is not restarted.

ASP.Net can use different session-stores:
* InProc or "in memory" (the default setting), where the session is
kept in webserver memory. By default this has a sliding timeout of 20
minutes: if no request was done for this session in the last 20
minutes, the information is removed from the server.
* StateServer: a different process (maybe on a different machine) keeps
the information in memory. You can only store serializable objects this
way. Works well with webgardens or farms.
* SqlServer: the information is stored in a special database in
SqlServer. Also only for serializable objects and good for gardens and
farms.

Hans Kesting

©2008 Advenet LLC   Privacy Policy - Terms of Use