Security Basics: RE: Transmitting Sensitive Information between Servers

["David Gillett" <gillettdavid () fhda edu>]

  That's a good point about hashes.  If the password always encrypts 
to the same thing, an attacker doesn't need to know what the user 
types in -- he can just supply what that looks like when transmitted 
on the network.  This is called a "replay" attack, and is prevented
by introducing a session key or a challenge-response mechanism.
  To "not revealing the password in cleartext transmission", these
add the necessary other property "require the other host to demonstrate
knowledge of the password at this time" which simply sending it
encrypted may not guarantee.

David Gillett


> -----Original Message-----
> From: Chad Perrin [mailto:perrin () apotheon com] 
> Sent: Monday, September 08, 2008 5:51 PM
> To: security-basics () securityfocus com
> Subject: Re: Transmitting Sensitive Information between Servers
>
> On Mon, Sep 08, 2008 at 12:48:23PM -0400, Basha, Arif wrote:
> > We have a policy to not pass user name/password, etc in 
> clear between 
> > servers within our DMZ.  Is this being too pedantic?
> >
> > I would be interested to hear how others have this implemented?
> In general, I'd say that passwords should never be passed in 
> clear text over any network if it's at all possible to avoid. 
>  In fact, passwords should *themselves* not be passed, except 
> in cases of private encrypted tunnels (e.g., SSH tunnel) -- 
> generally, only hashes should be sent between a client and 
> server.  If you have a client/server app that sends an actual 
> password from the client to the server, you have a server 
> that cannot be trusted from the client side.  Servers should 
> deal in hash comparisons and the like -- not in actual 
> password management itself.
>
> --
> Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ] 
> Dr. Ron Paul: "Liberty has meaning only if we still believe 
> in it when terrible things happen and a false government 
> security blanket beckons."