How do I handle a login request?

  • Hi,

    I have a C# form as the client that sends login credentials (user / password) to SQL Server. I'm using SQL Server 2008 R2 Developer. The client encrypts the user / password with the encryption provided by the .NET Framework; this includes a "salt" value. When SQL Server receives these credentials it should decrypt the user/password and authenticate the user.

    My application is a Windows application and not a web application; however, when I create authentication code or a script it should work with both web and Windows apps.

    1. How do I write a script to authenticate a user?

    2. How should I write an industry-level script to authenticate a user?

    3. Is it an industry standard to encrypt both the user name and the password, or would just password encryption be enough?

    4. Could anyone here give me an industry-level sample of how to encrypt the user/password on the client side?

    Thanks

  • Use Windows Authentication, and forget about "sending" user/password to SQL Server...

    _____________________________________________
    "The only true wisdom is in knowing you know nothing"
    "O skol'ko nam otkrytiy chudnyh prevnosit microsofta duh!":-D
    (So many miracle inventions provided by MS to us...)

    How to post your question to get the best and quick help

  • Assume the application has web and Windows versions, so sending the user / password is a must. If so, how do I write a script in the database to validate users? And when I need to register a new user, I have to add the user from the client form, so how do I save the user and hashed password to the DB?

  • sleekbinary01 (6/18/2014)


    Assume the application has web and Windows versions, so sending the user / password is a must. If so, how do I write a script in the database to validate users? And when I need to register a new user, I have to add the user from the client form, so how do I save the user and hashed password to the DB?

    Which one is it? In your first post you said "my application is a windows application and not a web application", but now you say you have two applications. Honestly, it doesn't make a lot of difference, because you don't want SQL Server to decrypt your password. Passwords should be hashed, which means they can't be converted to plain text again. This topic is far greater than a forum post. You need to do some research and understand what you need to do. It might even be a good idea to hire a consultant.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/

  • First, apologies for the confusion; actually I'm a bit confused about this authentication thing. I was told that authentication is a process that concerns security, so the authentication process should be hidden from the client as much as possible, and the client should receive a flag value (1 = password is correct and authenticated, -1 = incorrect password) and/or the user name of the authenticated user. So it should be a SQL operation that occurs in the back end. The process in detail should be: the client form sends the user name and hashed/encrypted password to SQL Server, SQL Server authenticates, and it sends 1/-1 with the user name to the client as the return value and the output.

    But when I do research that is not the case. In all the threads I have seen on the web, whether the app is Windows or web, developers do two operations:

    1. The salt value of the user is looked up by user name, then the salt value is returned along with the PasswordHash to the client form or to the business layer.

    2. Then the entered password and the returned salt value are used to generate a PasswordHash, and this PasswordHash is compared with the returned PasswordHash. If they match the password is correct; if not, the password is incorrect.

    Is this actually how developers write code to authenticate a user in a login event? If so, the password comparison basically happens on the client side (either in the form or in the business layer); wouldn't this be a huge security risk, exposing the actual salt and PasswordHash to the client?

    thanks

  • I think you're mistaken about what happens there. The actual comparison of the hashes is always done on the server side. An example of how a login process might work (this is specifically NTLM, but it shows the principle):

    1) Client requests to login to the server.

    2) Server sends the client a challenge, which is a long random number.

    3) Client performs some sort of encryption operation using the challenge and the password hash it has stored internally. It sends this back to the server.

    4) The server performs the same encryption operation with the challenge and the password hash, and compares the result with what the client produced. If the two match it allows the client to log in.
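The four-step challenge-response exchange above, written out as an added example (not code from the post or from NTLM itself): HMAC-SHA256 stands in for the NTLM encryption step, and the stored credential is an assumed SHA-256 of a constructed password. The password never crosses the wire, and a captured response is useless against a fresh challenge.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the server's credential store: the server keeps only a
# hash of the password (assumed SHA-256 here), never the password itself.
SERVER_STORED_HASH = {"alice": hashlib.sha256("correct horse".encode("utf-8")).digest()}


def server_issue_challenge() -> bytes:
    """Step 2: a fresh, unpredictable challenge for every login attempt."""
    return os.urandom(32)


def client_response(password: str, challenge: bytes) -> bytes:
    """Step 3: the client combines its password hash with the challenge and sends
    only the result (HMAC here, where NTLM uses its own DES/MD4-based construction)."""
    password_hash = hashlib.sha256(password.encode("utf-8")).digest()
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()


def server_verify(username: str, challenge: bytes, response: bytes) -> bool:
    """Step 4: the server recomputes the same value from the stored hash and the
    challenge it issued, then compares in constant time."""
    stored = SERVER_STORED_HASH.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login_exchange(username: str, password: str) -> bool:
    """Drive one full exchange (steps 1 to 4) between the two sides."""
    challenge = server_issue_challenge()          # server -> client
    response = client_response(password, challenge)  # client -> server
    return server_verify(username, challenge, response)


if __name__ == "__main__":
    print("correct password:", login_exchange("alice", "correct horse"))
    print("wrong password:  ", login_exchange("alice", "guess"))
```

Because the server must still hold something equivalent to the password hash, the comparison happens server-side while the salt and hash stay there, which is the point the reply makes.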

  • 1. Can you tell me a bit about this random number; is this the SaltHash?

    2. So when a login process begins there will be two calls to the SQL server: one to get the random number, and the other to send the result generated by combining the random number and the password?

    3. If possible, could you please give me some sample code, and please don't use LINQ or LINQ to SQL, just plain old ADO.NET with SQL.

    Thanks

  • When you log on to a Windows domain your login credentials are authenticated.

    You can then use these credentials to connect to a SQL Server instance using Windows Authentication without needing to pass the Windows login name or password, provided the server hosting SQL Server has access to the domain controller for the domain you have already been authenticated against.

    If, on the other hand, your application/web service uses its own login credentials which are authenticated separately from Windows, you will need to handle the authentication of these within the application.

    You would pass the username and a salted encrypted password (there is a standard Windows API function to generate that, so no need to come up with your own algorithm) to SQL Server and would compare these values to the username and encrypted password stored in the database. You do not need to decrypt anything (and for a secure system cannot); just compare the encrypted versions.

    Encrypt the password in the client so that you only pass secure data.

    If you need to do this please read up on how to encrypt and salt passwords.
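The server-side flow the thread converges on (store a per-user salt plus a password hash at registration, recompute and compare at login, return only the 1/-1 flag the earlier post asked for), as an added example that is not code from any poster. It uses PBKDF2-HMAC-SHA256 as the salted hash and an in-memory dict as a stand-in for the SQL Server Users table; both are assumptions, not the thread's own choices.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for a Users table: username -> (salt, password_hash).
# Neither value is ever returned to the client; only the 1/-1 result leaves the server.
USERS = {}

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware gets faster


def _derive(password: str, salt: bytes) -> bytes:
    """Salted password hash: 32 bytes of PBKDF2-HMAC-SHA256 over the UTF-8 password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register_user(username: str, password: str) -> None:
    """Registration from the client form: generate a fresh random salt and store only
    salt + hash. The plaintext password is never written anywhere."""
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))


def authenticate(username: str, password: str) -> int:
    """Login check done entirely on the server side.

    Returns 1 if the password matches and -1 otherwise, mirroring the flag convention
    from the thread. The salt is looked up by username here, not handed to the client,
    and the comparison is constant-time so response timing does not reveal how many
    bytes of the hash matched.
    """
    record = USERS.get(username)
    if record is None:
        # Spend the same KDF time for an unknown user as for a wrong password so the
        # two failures are not distinguishable by timing.
        _derive(password, os.urandom(16))
        return -1
    salt, stored_hash = record
    candidate = _derive(password, salt)
    return 1 if hmac.compare_digest(candidate, stored_hash) else -1


if __name__ == "__main__":
    register_user("alice", "correct horse")
    print("right password:", authenticate("alice", "correct horse"))   # 1
    print("wrong password:", authenticate("alice", "battery staple"))  # -1
```

In a real deployment `register_user` and `authenticate` would be the stored procedures (or data-access code) that the C# form calls, with the dict replaced by the Users table.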
