Security Question


jehugaleahsa

What type of security measures does, say, a database management
system take in order to prevent a person from retransmitting logon
information that was captured from a sniffer?

There must be some way to prevent this from happening. I mean, anyone
could capture the data sent back and forth between a client and server
and just resend the exact same information in order to duplicate the
transaction, regardless of encryption.

I mean, connecting to a database is nothing more than bits being sent
over a network. The database processes those bits and simply creates a
session for that connection information. What prevents someone from
duplicating those bits and creating their own session?

Am I making myself clear?

I am asking because I know a lot of people who have resolved some of
their authentication issues by creating web services that return a
GUID once a user is authenticated. The GUID is kept alive in a
session, typically. When a request is sent to the web service, the
GUID is used to verify that the user is logged in. However, if this
GUID is passed over the network, couldn't anyone capture it and
imitate the session?

I guess that brings up another good question: where are session values
stored? I thought that they were implemented with cookies, which are
stored on the client. However, I am given the impression that they are
stored on the server. Just some confusion.

Is there a way to prevent someone from taking your credentials,
encrypted or not, and resending them to the server? I mean, private /
public key pairs even seem worthless because the public key can be
captured and they really don't prevent the database from
interpreting the bits. Perhaps the trick is that the database
encrypts the response given the client's public key, thus making it
impossible for you to interpret the response.

But, in the case of the GUID, if that is all that is needed to delete
a record, then that is nothing to entrust.

I hope I am making sense.

Thanks,
Travis
 

Ken Foskey

What type of security measures does, say, a database management system
take in order to prevent a person from retransmitting logon information
that was captured from a sniffer?

They use an encrypted tunnel. For example, HTTPS is HTTP over SSL
encryption. These use public and private keys. It works like this: you
create a key pair, a private one that only you have and a public one that
you give out to anyone. The DB signon gives you its public key and you
encrypt your message with it; the only person that can decrypt it is the
one holding the private key. Double encryption is you encrypt with your
private key and the receiver's public key; then only the receiving party
can read it and they absolutely know that you sent it.

Ken
 

jehugaleahsa

They use an encrypted tunnel. For example, HTTPS is HTTP over SSL
encryption. These use public and private keys. It works like this: you
create a key pair, a private one that only you have and a public one that
you give out to anyone. The DB signon gives you its public key and you
encrypt your message with it; the only person that can decrypt it is the
one holding the private key. Double encryption is you encrypt with your
private key and the receiver's public key; then only the receiving party
can read it and they absolutely know that you sent it.

Ken

Maybe I don't understand.
 

Ken Foskey

Maybe I don't understand.

Look up SSL on the internet. It creates a tunnel that text goes into
and out of at the ends but it is encrypted whenever it is on the network.

Ken
 

jehugaleahsa

Look up SSL on the internet. It creates a tunnel that text goes into
and out of at the ends but it is encrypted whenever it is on the network.

Ken

What about my question about simply duplicating a transaction?
 

Ken Foskey

What about my question about simply duplicating a transaction?

Because each session is created individually, and the private key on the
client end is 'private', you cannot break what is sent without it.*

You cannot replay an encrypted sequence because each encryption is unique.

Ken

* Yes, you can break it; it is just not practical using current hardware.
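An added example (not from this thread, and not any real database's logon code) that makes the replay question concrete with a challenge-response logon. The server contributes a fresh random nonce to every attempt, so the bytes a sniffer captures only prove knowledge of the password for that one attempt; resending them later is rejected. It uses a shared-secret HMAC rather than the SSL public-key tunnel Ken describes, so that it runs with the Python standard library alone; the user name "travis" and password "hunter2" are constructed sample data, and the stored verifier is a plain SHA-256 for brevity where a real system would use a salted, iterated derivation (e.g. SCRAM).

```python
"""Challenge-response logon with a per-attempt nonce, to show why a
sniffed logon exchange cannot simply be replayed.

Added example for this thread, not code from any database product.
Uses a shared-secret HMAC instead of an SSL tunnel: the anti-replay
idea is the same, the server adds fresh randomness to every logon.
"""
import hashlib
import hmac
import secrets


class Server:
    """Holds users' password verifiers and tracks outstanding challenges."""

    def __init__(self):
        # Constructed sample user. The verifier here is a plain SHA-256
        # of the password for brevity; real systems use a salted, iterated
        # derivation (e.g. SCRAM) so the stored value is not reusable.
        self._users = {"travis": hashlib.sha256(b"hunter2").digest()}
        self._pending = {}   # username -> nonce issued for the current attempt
        self._sessions = {}  # session id -> username

    def challenge(self, username):
        """Step 1: the server sends a fresh, unpredictable nonce."""
        if username not in self._users:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def logon(self, username, nonce, proof):
        """Step 3: verify the proof against the nonce we actually issued.
        The nonce is single use: it is removed whether or not the proof checks."""
        expected_nonce = self._pending.pop(username, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return None
        expected = hmac.new(self._users[username], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = username
        return session_id


def client_proof(password, nonce):
    """Step 2: the client proves knowledge of the password without sending it."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def legitimate_logon(server, username, password):
    """Run the full exchange; returns (captured_messages, session_id)."""
    nonce = server.challenge(username)
    proof = client_proof(password, nonce)
    session_id = server.logon(username, nonce, proof)
    # Everything a sniffer on the wire would see. The password is not in it.
    captured = (username, nonce, proof)
    return captured, session_id


def replay_attempt(server, captured):
    """Attacker resends the exact bytes captured earlier."""
    username, nonce, proof = captured
    # The server issues a new nonce for the attacker's attempt...
    server.challenge(username)
    # ...but the attacker can only supply the proof for the old one.
    return server.logon(username, nonce, proof)


if __name__ == "__main__":
    srv = Server()
    captured, sid = legitimate_logon(srv, "travis", "hunter2")
    print("legitimate logon succeeded:", sid is not None)
    print("replayed logon succeeded:  ", replay_attempt(srv, captured) is not None)
```

The captured tuple is exactly what Travis's sniffer would hold, and it is useless on its own: the proof is bound to a nonce the server has already consumed, and the nonce it now expects is one the attacker cannot produce a proof for without the password. Real protocols (SSL/TLS handshakes, SCRAM, Kerberos) apply this same principle with both sides contributing randomness.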
 

Hans Kesting

(e-mail address removed) expressed precisely:
I guess that brings up another good question: where are session values
stored? I thought that they were implemented with cookies, which are
stored on the client. However, I am given the impression that they are
stored on the server. Just some confusion.

The session information is stored on the server side. A single cookie
is "stored" (it's a temporary cookie) on the client computer, to hold
the session ID. IIRC the session ID is unique for each session, at
least as long as the server is not restarted.

ASP.Net can use different session stores:
* InProc or "in memory" (the default setting), where the session is
kept in web server memory. By default this has a sliding timeout of 20
minutes: if no request was made for this session in the last 20
minutes, the information is removed from the server.
* StateServer: a different process (maybe on a different machine) keeps
the information in memory. You can only store serializable objects this
way. Works well with web gardens or farms.
* SqlServer: the information is stored in a special database in
SqlServer. Also only for serializable objects and good for gardens and
farms.

Hans Kesting
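An added example (not ASP.Net's InProc store, and not code from this thread) of the arrangement Hans describes: the session data lives in a server-side dictionary, the client's cookie carries only an opaque session ID, and each hit refreshes a 20-minute sliding timeout. The clock is injected so the expiry behaviour can be exercised without waiting; the user name "travis" is constructed sample data.

```python
"""Server-side session store keyed by the ID carried in the cookie.

Added example for this thread, not ASP.Net's own implementation. It
mirrors the shape Hans describes: data on the server, only an opaque
ID on the client, 20-minute sliding timeout.
"""
import secrets
import time

DEFAULT_TIMEOUT = 20 * 60  # seconds; the sliding timeout Hans mentions


class SessionStore:
    def __init__(self, timeout=DEFAULT_TIMEOUT, clock=time.monotonic):
        self._timeout = timeout
        self._clock = clock       # injectable so tests can move time forward
        self._sessions = {}       # session_id -> [last_seen, data dict]

    def create(self):
        """Issue a new, unguessable session ID. The cookie gets only this
        string; a guessable ID would let anyone walk straight into a session."""
        session_id = secrets.token_urlsafe(24)   # 192 bits from the OS CSPRNG
        self._sessions[session_id] = [self._clock(), {}]
        return session_id

    def get(self, session_id):
        """Look up the session for an incoming cookie; None if unknown or
        expired. Every successful hit refreshes the sliding timeout. Note
        the lookup is by ID alone: whoever presents a valid ID gets the
        session, which is why the cookie must travel inside the encrypted
        tunnel."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        last_seen, data = entry
        now = self._clock()
        if now - last_seen > self._timeout:
            del self._sessions[session_id]   # abandoned session: drop it
            return None
        entry[0] = now
        return data

    def destroy(self, session_id):
        """Explicit logout: the ID stops working even if the client keeps it."""
        self._sessions.pop(session_id, None)


def demo():
    """Simulate one client over time with a fake clock.
    Returns (alive after 19 min, alive after another 19 min, gone after 21 min)."""
    t = [0.0]
    store = SessionStore(clock=lambda: t[0])
    sid = store.create()                   # the value sent in Set-Cookie
    store.get(sid)["user"] = "travis"      # server-side data, never sent to the client
    t[0] += 19 * 60                        # 19 min idle: still alive, timer resets
    alive = store.get(sid) is not None
    t[0] += 19 * 60                        # another 19 min: still under 20 since last hit
    alive2 = store.get(sid) is not None
    t[0] += 21 * 60                        # 21 min idle: removed
    expired = store.get(sid) is None
    return alive, alive2, expired


if __name__ == "__main__":
    print(demo())
```

The two 19-minute gaps together exceed 20 minutes, yet the session survives because the timeout slides from the last request; only a single idle gap longer than the timeout ends it. The StateServer and SqlServer modes Hans lists change where the `_sessions` dictionary lives, not this cookie-to-server-data relationship.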
 
