Sunday, February 18, 2007

One More Security Model

Here is another security model, one we used in one of our applications. It is a salted-hash login scheme in which the salt and the computed hash are additionally encrypted while they travel between the application and the database.



Algorithm

1. Accept the username and pass it to the database in plain text
2. At the database, look up the salt value stored for that username
3. Encrypt the salt value at the database end and pass it to the app
4. Decrypt the salt value at the app end and compute the hashed password there
5. Hashed password = hash(salt value + user password), i.e. the salt concatenated with the password and run through the same hash algorithm used when the account was created
6. Encrypt the hashed password at the app end and pass it to the database
7. Decrypt the hashed password at the database end and compare it with the one stored in the database
8. If a match is found, return 1, else return 0
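The eight steps above, modelled end to end as an added Python example (this is not the post's .NET assembly or its SQL Server code). It plays both roles, the application and the database, in one process so the exchange can be run offline. Assumptions not stated in the post: SHA-256 as the hash algorithm, a shared key baked into both sides as a stand-in for "the identical assembly at both ends", and a toy XOR cipher driven by an HMAC-SHA256 keystream as a stand-in for the post's unspecified encrypt/decrypt routine. Two checks a practitioner would add are included: the final comparison is constant-time, and an unknown username is processed with a throwaway salt so the round trip looks the same as for a real user.

```python
"""Salted-hash login flow with encrypted salt and hash in transit.

Added illustration of the post's eight steps, not the original .NET code.
"""
import hashlib
import hmac
import os

# Assumption: the same key lives in the assembly on both ends.
SHARED_KEY = b"demo-shared-key-not-for-production"
# Assumption: the post does not name its hash algorithm; SHA-256 is used here.
HASH_NAME = "sha256"
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with an HMAC-SHA256 keystream (counter mode).

    Stand-in for the post's unspecified encrypt/decrypt; the same function
    encrypts and decrypts. Real code would use an authenticated cipher.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)          # fresh nonce per message
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return keystream_xor(key, nonce, body)


def hash_password(salt: bytes, password: str) -> bytes:
    """Step 5: hash(salt || password)."""
    return hashlib.new(HASH_NAME, salt + password.encode("utf-8")).digest()


class Database:
    """Database side: stores username -> (salt, hashed password); never the password."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(salt, password))

    def get_encrypted_salt(self, username: str) -> bytes:
        """Steps 2-3. Unknown users get a throwaway salt so the exchange
        is indistinguishable from a real one (no username enumeration)."""
        salt = self.users[username][0] if username in self.users else os.urandom(16)
        return encrypt(SHARED_KEY, salt)

    def verify(self, username: str, encrypted_hash: bytes) -> int:
        """Steps 7-8: decrypt, compare in constant time, return 1 or 0."""
        received = decrypt(SHARED_KEY, encrypted_hash)
        stored = self.users[username][1] if username in self.users else bytes(len(received))
        match = hmac.compare_digest(received, stored) and username in self.users
        return 1 if match else 0


def app_login(db: Database, username: str, password: str) -> int:
    """Application side: steps 1, 4 and 6, then the database's verdict."""
    enc_salt = db.get_encrypted_salt(username)      # step 1 sends username in clear
    salt = decrypt(SHARED_KEY, enc_salt)            # step 4
    hashed = hash_password(salt, password)          # step 5
    return db.verify(username, encrypt(SHARED_KEY, hashed))  # step 6


if __name__ == "__main__":
    db = Database()
    db.register("alice", "correct horse battery staple")   # constructed sample user
    print(app_login(db, "alice", "correct horse battery staple"))  # 1
    print(app_login(db, "alice", "wrong password"))                # 0
    print(app_login(db, "nobody", "anything"))                     # 0
```

Note that the username still crosses the wire in plain text (step 1), and the encryption of the salt and hash only hides them from someone reading the web-service traffic: anyone holding a copy of the assembly, and therefore the key, can undo it.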

Assumption

1. No plaintext password is stored in the database; only the hashed password is stored, together with its salt value and the username
2. We used the identical .NET assembly (same algorithms for encrypt, decrypt and hash) at the app end and the database end. SQL Server's .NET CLR integration is used to host this DLL inside the database. Because the same assembly, and therefore whatever key it uses, sits at both ends, the encrypt/decrypt steps only hide the salt and hash from someone watching the web-service traffic; they give no protection against an attacker who has obtained the assembly
3. A web service is used to communicate with the database. HTTP endpoints and HTTP.SYS are used to create this web service

Platform

Windows Server 2003, .NET 2.0, ASP.NET and SQL Server 2005
