custom authentication
-
Hello, I want to use custom authentication in my web service project. I use asymmetric cryptography for logging on the clients; if that's OK, I use symmetric cryptography. In brief, like this:
1. The client requests the public key of the asymmetric cryptography from the server.
2. The server generates and returns it to the client.
3. The client encrypts its username, password and the symmetric cryptography's public key and IV and sends them to the server.
4. The server decrypts and authenticates the username and password. If it's OK, it generates a GUID ticket, encrypts the ticket using the client's public key and IV and sends it to the client.
5. When the client calls a web method, it sends the encrypted ticket and the server authenticates the ticket.
I have doubts about the safety of this system. Can any other person access the ticket and call a web method by using this ticket? What should I do more?
-
You don't do encryption and decryption yourself. The proper way to do this is to install a certificate on your server and enable SSL; there should be nothing you need to code yourself, and communication between client and server will be encrypted. Want to see how to do this? Also, "authentication" and "secured communication between two IP endpoints" (which is done via SSL) are two different issues. Norman Fung
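As an added example (not code from the original post or from the answer above), the Python below models the poster's steps 4 and 5 and answers the replay question directly: the encrypted GUID is a static bearer credential, so anyone who copies those bytes off the wire, or out of a client's memory, can call web methods with it. Encryption hides the ticket from a passive reader; it does nothing to stop reuse, which is the "authentication vs. secured channel" distinction the answer draws. The second server class shows one common fix beyond the original scheme: each call carries a fresh nonce and timestamp under an HMAC keyed with the session secret, and the server refuses to accept the same nonce twice. Assumptions: the session key is a secret the client already shared with the server (the post's step 3), the post's AES-CBC is stood in for by a hash-based keystream so this runs on the standard library alone, and the user database and passwords are constructed for illustration. Note the scheme's other weak point, which the certificate in the answer addresses: the server's public key in steps 1 and 2 arrives over an unauthenticated channel, so a man-in-the-middle can substitute its own key and read the credentials sent in step 3.

```python
# Added example: toy model of the post's ticket scheme (steps 4-5) beside a
# replay-resistant variant.  The keystream cipher, users and passwords are
# constructed stand-ins; only the standard library is used.
import hashlib
import hmac
import os
import secrets
import time
import uuid

USERS = {"alice": hashlib.sha256(b"correct horse").digest()}  # constructed toy user DB


def password_ok(username: str, password: bytes) -> bool:
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, hashlib.sha256(password).digest())


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the post's symmetric cipher with a fixed key and IV: output is
    deterministic, so the same ticket always encrypts to the same bytes, and there
    is no integrity check.  Encrypting and decrypting are the same call."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketServer:
    """The scheme as described: the server hands out an encrypted GUID ticket and
    later accepts any call that presents those same bytes.  The blob is a static
    bearer credential; whoever can read or copy it is 'authenticated'."""

    def __init__(self):
        self.valid_blobs = set()

    def login(self, username, password, key, iv):
        if not password_ok(username, password):
            return None
        blob = keystream_xor(key, iv, str(uuid.uuid4()).encode())
        self.valid_blobs.add(blob)
        return blob  # what the client receives and later sends back on every call

    def call_webmethod(self, encrypted_ticket: bytes) -> bool:
        return encrypted_ticket in self.valid_blobs


class NonceTicketServer:
    """Same login, but every call carries a fresh nonce and a timestamp,
    authenticated with an HMAC under the session key.  The server remembers the
    nonces it accepted, so a captured request cannot be submitted a second time."""

    WINDOW = 60  # seconds of clock skew tolerated before a request counts as stale

    def __init__(self):
        self.sessions = {}  # ticket -> session key shared with that client
        self.seen = set()   # (ticket, nonce) pairs already accepted

    def login(self, username, password, session_key):
        if not password_ok(username, password):
            return None
        ticket = str(uuid.uuid4())
        self.sessions[ticket] = session_key
        return ticket

    @staticmethod
    def sign(session_key, ticket, method, nonce, ts):
        msg = f"{ticket}|{method}|{nonce}|{ts}".encode()
        return hmac.new(session_key, msg, hashlib.sha256).hexdigest()

    def call_webmethod(self, ticket, method, nonce, ts, mac, now=None):
        now = time.time() if now is None else now
        key = self.sessions.get(ticket)
        if key is None or abs(now - ts) > self.WINDOW:
            return False  # unknown ticket, or request outside the freshness window
        if (ticket, nonce) in self.seen:
            return False  # replay of a request the server already accepted
        if not hmac.compare_digest(mac, self.sign(key, ticket, method, nonce, ts)):
            return False  # forged, or tampered with (method/nonce/time changed)
        self.seen.add((ticket, nonce))
        return True


def demo():
    """Returns (replay accepted by the original scheme, first call accepted by the
    hardened scheme, replay accepted by the hardened scheme)."""
    key, iv = os.urandom(32), os.urandom(16)
    weak = TicketServer()
    blob = weak.login("alice", b"correct horse", key, iv)
    weak.call_webmethod(blob)                 # legitimate call by alice
    captured = bytes(blob)                    # eavesdropper copies the bytes off the wire
    replayed = weak.call_webmethod(captured)  # True: the attacker is in

    strong = NonceTicketServer()
    session_key = os.urandom(32)
    ticket = strong.login("alice", b"correct horse", session_key)
    nonce, ts = secrets.token_hex(16), time.time()
    mac = NonceTicketServer.sign(session_key, ticket, "GetBalance", nonce, ts)
    first = strong.call_webmethod(ticket, "GetBalance", nonce, ts, mac)
    replay = strong.call_webmethod(ticket, "GetBalance", nonce, ts, mac)
    return replayed, first, replay


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Running the file prints (True, True, False): the original scheme accepts the copied blob, the hardened one accepts the genuine request and rejects its replay. In a real deployment the `seen` set must be pruned once entries fall outside `WINDOW`, and, as the answer says, all of this still travels inside TLS so the session key and credentials are never readable in transit.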