You kept me thinking about this all day. What I suggested earlier was basically what you're thinking of doing, but I believe I now have some improvements.

1- The client communicates with a web-service requesting access
2- The server initiates a session, returning a request for validation (a string, a char, anything, only to say it's expecting something)
3- The client converts the current timestamp (like: Date.getMilli()) to a String, substitutes the milli, seconds and minutes digits with 0 (and the result is the current hour) and encrypts that key using SHA (or whatever one-way algorithm you choose)
4- The server does the same, and compares the result with the returned encrypted string. If they are the same, the session changes its state to validated, allowing access to the web-services. If not, the session is terminated.

This way you would get a semi-random String, only the encrypted version would be transmitted and that String would be valid for one hour. Plus no hard coded key would be needed.

I believe your need isn't for a full security mechanism, only something that prevents other vendors from using your web-service.

Let me know what you think

Frederico

On Fri, 21 Dec 2007 21:47:20 -0000, João <[EMAIL PROTECTED]> wrote:

> We are dealing with one huge client that provides technological
> solutions based on SAP and .NET. They hired us for developing the
> presentation layer, and it's damn difficult to make them change the
> way they work, even if we know that they aren't making the best
> decisions.
> Anyway, I don't see how changing from web-services to flash remoting
> would solve the problem. It's still a SOA architecture, with exposed
> services, and the only difference is that the data is transferred in
> binary (but not difficult to be interpreted - even more now with the
> release of the AMF specification).
> PKI seems to be the solution, but our expertise is not security. Also,
> I have doubts on:
>
> 1- Does Flex have tools to deal with this kind of thing?
> 2- From what I recall, PKI needs a private key on both sides. This
> would mean that the key was hard-coded on the Flash Client.
>
> I am thinking of something simple like:
>
> 1- The client communicates with a web-service requesting access
> 2- The server initiates a session, returning a random string
> 3- The client runs some kind of algorithm, made by us, to "encrypt"
> the string, and returns it. Or, it uses a known algorithm that
> encrypts the string using a keyword.
> 4- The server runs the same algorithm on the string, and compares the
> result with the returned encrypted string. If they are the same, the
> session changes its state to validated, allowing access to the
> web-services. If not, the session is terminated.
>
> This is far from being perfect, and far from being secure because the
> client could be decompiled and the "encryption" algorithm could be
> easily broken, but at least it would be a bit more reliable than
> having the web-service completely exposed. We are dealing here with
> probabilities...
>
> What do you think?
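
The two handshakes discussed in this thread, side by side, as an added example that is not code from either poster: `hour_token` follows the hour-truncated timestamp steps and `ChallengeServer` follows the random-string steps. SHA-256, HMAC-SHA256 as the "known algorithm that encrypts the string using a keyword", the demo keys and the timestamp are assumptions or constructed values.

```python
import hashlib
import hmac
import secrets

HOUR_MS = 3_600_000

def hour_token(now_ms: int) -> str:
    """Hour-based scheme: zero minutes, seconds and millis, then hash."""
    bucket = now_ms - now_ms % HOUR_MS
    return hashlib.sha256(str(bucket).encode()).hexdigest()

def respond(key: bytes, nonce: str) -> str:
    """Client side of the random-string scheme (HMAC is an assumption)."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class ChallengeServer:
    """Server side: issues random strings and accepts each one only once."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already consumed challenge
        self._pending.discard(nonce)
        return hmac.compare_digest(respond(self._key, nonce), response)

def compare_schemes() -> dict:
    t0 = 1_198_273_640_000  # constructed timestamp in milliseconds
    edge = t0 - t0 % HOUR_MS + HOUR_MS  # first millisecond of the next hour
    key = b"constructed-demo-key"  # constructed; shipped in the client
    server = ChallengeServer(key)
    nonce = server.new_challenge()
    answer = respond(key, nonce)
    other = server.new_challenge()
    return {
        # The value is identical for every caller during the same hour.
        "hour_token_repeats": hour_token(t0) == hour_token(t0 + 600_000),
        # Clocks two seconds apart across the hour boundary disagree.
        "skew_mismatch": hour_token(edge - 1000) != hour_token(edge + 1000),
        "first_use_ok": server.verify(nonce, answer),
        "replay_ok": server.verify(nonce, answer),
        "wrong_key_ok": server.verify(other, respond(b"other-key", other)),
    }

if __name__ == "__main__":
    print(compare_schemes())
```

The hour token involves no secret and stays the same for the whole hour, while the random-string variant rejects a repeated answer but, as the quoted message notes, depends on a key embedded in a client that can be decompiled.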