It's effectively wanting to have a browser cookie that remembers your 
session. It's clearly open to all kinds of abuse, encrypted or not. I'd make 
darn sure that whoever raised this as a requirement was well aware of the 
dangers - if only to cover my own back.

Even with this requirement not to have to log on between sessions, there's 
no need to keep the username or password locally.

When the user logs on, the user provides a login name and password to the 
webservice - as per normal. The webservice passes back a session key.

This key should be encrypted but should not have the username or password in 
it. I would suggest a session identifier of some kind (that is mapped on the 
server back to the username), a sequence id (that changes on every exchange 
with the server - it could be a timestamp), plus anything else you can think 
of - checksum, etc. This key cannot be interpreted by a third party as 
belonging to a particular user, nor does it hold password information.

Whenever the client requests something of the server it passes the key, but 
no login information (as well as other parameters relating to the request). 
The server decodes the key and looks up the session information. It can 
associate the key with a specific user, it also expects the key to have the 
same key sequence id that was sent the last time around. If the key sequence 
is invalid (perhaps the client died before the key could be saved on the 
client, or perhaps the message was lost), the server can request that the 
client re-submits login information. It will expect the same user to 
re-login, or the session will be invalidated.

Once the session is verified, the server can return the information 
requested to the client. It also passes back a new (different) session key 
to replace the old one. The whole thing repeats. The server can time out 
keys that aren't used, and it prevents 'stolen' keys from having any value 
once the genuine client has initiated a new transfer.

The user is at liberty to login on another machine at any time - it either 
invalidates the session key associated with the other machine, or continues 
in that session context. You can also time-out sessions across any period 
you like. If a user logs out on the client, the local session key should be 
removed on both client and server.

I hope that explains the idea - it's baton passing between client and server 
and the baton changes on every exchange. The server knows what baton to 
expect for the next exchange and if anything gets out of kilter, it just 
re-requests that the client logs in again. The username and password are 
never stored permanently on the client.

Hope that helps. Don't store the password!

Paul

----- Original Message ----- 
From: "Jeffry Houser" <[EMAIL PROTECTED]>
To: <flexcoders@yahoogroups.com>
Sent: Wednesday, December 05, 2007 2:31 AM
Subject: Re: SPAM-LOW: [flexcoders] Re: Local storage of password


>
>  ( Thanks for listening; glad you enjoy )
>
>  You are working on an application with very odd security requirements.
>  I almost think you'd be better off with a completely open web service.
>
>  You might store the encryption key in a database or server side / non
> web accessible XML and use some form of remoting (or at least SSL) to
> pass it back and forth to the Flex client.
>
>
>
> rmarples wrote:
>>
>>
>> Hi Jeff - Thanks for the response. By the way, great podcast :)
>>
>> I will look into the encryption libraries that both you and William
>> mentioned but I'm wondering how they handle the encryption key. I have a
>> requirement that I can't store the encryption key in the source code as a
>> string literal. I'm wondering if you or anybody else has ideas on how to
>> handle this?
>>
>> Ryan
>>
>> --- In flexcoders@yahoogroups.com, Jeffry Houser <[EMAIL PROTECTED]> wrote:
>>  >
>>  >
>>  > Yes, MD5 is a hashing algorithm and it is unlikely you'd be able to
>>  > take a hash and get the original text (in a timely / efficient manner).
>>  >
>>  > There are a few AS3 encryption projects. ASCrypt3:
>>  > ascrypt3.riaforge.com and Crypto <http://crypto.hurlant.com/>
>>  >
>>  > Both of them have 2-way encryption algorithms you could use. AES
>>  > perhaps? That said, I worry about the security implications of storing
>>  > this type of authentication between application uses.
>>  >
>>  > rmarples wrote:
>>  > >
>>  > >
>>  > > Tracy - Isn't MD5 a hashing algorithm? Meaning I can only encrypt, not
>>  > > decrypt? I don't think this would work for this scenario would it?
>>  > >
>>  > > Ryan
>>  > >
>>  > > --- In flexcoders@yahoogroups.com, "Tracy Spratt" <tspratt@> wrote:
>>  > > >
>>  > > > There is an MD5 library available for AS3 that I have used.
>>  > > >
>>  > > >
>>  > > >
>>  > > > Tracy
>>  > > >
>>  > > >
>>  > > >
>>  > > > ________________________________
>>  > > >
>>  > > > From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On
>>  > > > Behalf Of rmarples
>>  > > > Sent: Monday, December 03, 2007 4:59 PM
>>  > > > To: flexcoders@yahoogroups.com
>>  > > > Subject: [flexcoders] Local storage of password
>>  > > >
>>  > > >
>>  > > >
>>  > > > I have a requirement to take credentials used for an external web
>>  > > > service and cache them locally so that the user need not re-type
>>  > > > their password each time they run the app. I can easily store these
>>  > > > credentials in a SharedObject (cookie) but I don't want to store the
>>  > > > password in plain-text here. Does anybody have any recommendations on
>>  > > > an encrypt/decrypt mechanism I can use for this? Also I have a
>>  > > > requirement that any key used to encrypt can not be stored in the
>>  > > > source code as a string literal.
>>  > > >
>>  > > > Ryan
>>  > > >
>>  > >
>>  > >
>>  >
>>  > --
>>  > Jeffry Houser, Technical Entrepreneur, Software Developer, Author,
>>  > Recording Engineer
>>  > AIM: Reboog711 | Phone: 1-203-379-0773
>>  > --
>>  > My Company: <http://www.dot-com-it.com>
>>  > My Podcast: <http://www.theflexshow.com>
>>  > My Blog: <http://www.jeffryhouser.com>
>>  >
>>
>>
>
> -- 
> Jeffry Houser, Technical Entrepreneur, Software Developer, Author,
> Recording Engineer
> AIM: Reboog711  | Phone: 1-203-379-0773
> --
> My Company: <http://www.dot-com-it.com>
> My Podcast: <http://www.theflexshow.com>
> My Blog: <http://www.jeffryhouser.com>
>
>
>
> --
> Flexcoders Mailing List
> FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
> Yahoo! Groups Links

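Paul's baton-passing scheme, modelled as a small server-side session store. This is an added example, not code from the thread or from either of the AS3 libraries mentioned, and it is in Python rather than ActionScript because the point is the server's bookkeeping, not the Flex client. All names (BatonServer, Session, login/request/logout, the token layout) are assumptions. One deliberate substitution: instead of encrypting the key, the token is an opaque session id plus a fresh random sequence nonce plus an HMAC checksum, since nothing in it needs hiding; it still carries no username or password. The server remembers the one baton it expects next, rotates it on every successful request, drops the session on a mismatch (replayed or stolen token, or a client that lost its copy), times out idle sessions, and allows one live session per user so a login elsewhere invalidates the old baton.

```python
"""Paul's baton-passing session scheme as a small server-side model.
Added example, not code from the thread; every name here is an assumption."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    expected: str     # the baton the client must present on its next request
    last_seen: float


class BatonServer:
    def __init__(self, users: dict[str, str], timeout: float = 900.0, clock=time.time):
        self._users = users             # username -> password (toy store; real code keeps hashes)
        self._sessions: dict[str, Session] = {}
        self._timeout = timeout
        self._clock = clock             # injectable so the demo can fast-forward time
        self._mac_key = secrets.token_bytes(32)   # server-only key for the token checksum

    # token = <session id>.<sequence nonce>.<hmac>: no username or password inside,
    # and the HMAC lets the server reject tampered tokens before any lookup.
    def _mint(self, sid: str) -> str:
        body = f"{sid}.{secrets.token_hex(16)}"
        tag = hmac.new(self._mac_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def _lookup(self, token: str) -> tuple[str | None, Session | None]:
        parts = token.split(".")
        if len(parts) != 3:
            return None, None
        sid, seq, tag = parts
        want = hmac.new(self._mac_key, f"{sid}.{seq}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, tag):
            return None, None
        return sid, self._sessions.get(sid)

    def login(self, user: str, password: str) -> str | None:
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        # One live session per user: logging in on another machine kills the old baton.
        for sid in [s for s, v in self._sessions.items() if v.user == user]:
            del self._sessions[sid]
        sid = secrets.token_urlsafe(16)
        sess = Session(user, self._mint(sid), self._clock())
        self._sessions[sid] = sess
        return sess.expected

    def request(self, token: str, action: str) -> tuple[str, str, str | None]:
        """Returns ("ok", result, next_baton) or ("relogin", reason, None)."""
        sid, sess = self._lookup(token)
        if sess is None:
            return "relogin", "unknown session", None
        now = self._clock()
        if now - sess.last_seen > self._timeout:
            del self._sessions[sid]
            return "relogin", "session timed out", None
        if not hmac.compare_digest(sess.expected, token):
            # Wrong baton: a replayed/stolen token, or a client that lost the last one.
            # Either way the session is dropped and the user must log in again.
            del self._sessions[sid]
            return "relogin", "sequence mismatch", None
        sess.expected = self._mint(sid)   # rotate before answering
        sess.last_seen = now
        return "ok", f"{action} for {sess.user}", sess.expected

    def logout(self, token: str) -> bool:
        sid, sess = self._lookup(token)
        if sess is None or not hmac.compare_digest(sess.expected, token):
            return False
        del self._sessions[sid]          # the client discards its copy as well
        return True


def demo() -> list[str]:
    """Walks the exchange on a fake clock: rotation, replay, timeout, logout (constructed data)."""
    now = [1000.0]
    server = BatonServer({"ryan": "hunter2"}, timeout=60, clock=lambda: now[0])
    out = []
    b1 = server.login("ryan", "hunter2")
    status, _, b2 = server.request(b1, "list-orders"); out.append(status)   # ok, baton rotates
    status, _, b3 = server.request(b2, "list-orders"); out.append(status)   # ok again
    _, why, _ = server.request(b2, "list-orders"); out.append(why)          # stale baton replayed
    _, why, _ = server.request(b3, "list-orders"); out.append(why)          # genuine client is cut off too
    b4 = server.login("ryan", "hunter2")
    now[0] += 61
    _, why, _ = server.request(b4, "list-orders"); out.append(why)          # idle past the timeout
    b5 = server.login("ryan", "hunter2")
    out.append("logout" if server.logout(b5) else "logout-failed")
    out.append("denied" if server.login("ryan", "wrong") is None else "accepted")
    return out


if __name__ == "__main__":
    print(demo())
```

The demo shows the cost of the scheme as well as its benefit: once a stale baton is replayed, the genuine client's current baton dies with it and the user has to log in again, which is exactly the "re-request login" step Paul describes. The client side still has to persist the newest baton durably before it issues the next request, or a crash between the two will also force a re-login.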