WebApp Sec
mailing list archives
Re: Securing password between webserver & appserver.
From: Nikhil Wagholikar <visitnikhil () gmail com>
Date: Mon, 7 Sep 2009 11:59:19 +0530
Hi Chintan,
Maybe you can think of One Time Password (OTP) as an alternative to PKI.
---
Nikhil Wagholikar
Practice Lead | Security Assessments & Digital Forensics
Network Intelligence (India) Pvt. Ltd. [NII Consulting]
Web: http://www.niiconsulting.com/
Comprehensive Information Security Training
http://iisecurity.in/courses/Training%20Calendar.html
2009/9/7 Chintan Oza <chintan.oza () gmail com>
Dear All,
We have a web application which performs user authentication on an
id+password basis.
The architecture is like this.
Browser<-HTTPS->WebServer<-->AppServer
We have a requirement where password should not be available to the
WebServer (even in hashed format).
The only solution that I can think of is having an Applet performing PKI
encryption on the password before submitting the form.
Please suggest if there are any better alternatives.
Thanks,
Chintan
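
An added example, not part of the original thread: a sketch of how the OTP suggestion above would be checked on the AppServer, so that the value passing through the WebServer is single-use rather than a reusable password. It uses RFC 4226 HOTP with the Python standard library; the class name, user id and look-ahead window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AppServerOtpVerifier:
    """Hypothetical AppServer-side check; the WebServer only relays (user_id, code)."""

    def __init__(self, look_ahead: int = 3):
        self.look_ahead = look_ahead   # tolerated counter drift (assumed value)
        self._accounts = {}            # user_id -> [secret, next_counter]

    def enroll(self, user_id: str, secret: bytes) -> None:
        self._accounts[user_id] = [secret, 0]

    def verify(self, user_id: str, code: str) -> bool:
        account = self._accounts.get(user_id)
        if account is None:
            return False
        secret, next_counter = account
        for counter in range(next_counter, next_counter + self.look_ahead + 1):
            expected = hotp(secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                # Advance past the matched counter so this code is never accepted again.
                account[1] = counter + 1
                return True
        return False


# Constructed sample data: the RFC 4226 Appendix D test secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = AppServerOtpVerifier()
    server.enroll("user1", SECRET)
    relayed = hotp(SECRET, 0)                # what the WebServer sees and forwards
    print(server.verify("user1", relayed))   # first use is accepted
    print(server.verify("user1", relayed))   # replay of the logged value is rejected
```

The WebServer still sees each code as it relays it; what changes is that a value logged there is rejected once the AppServer has consumed it.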