Re: [flexcoders] Re: Local storage of password
On Wednesday 05 Dec 2007, rmarples wrote:
> SharedObject because it's not sensitive, but for the password the
> salesforce.com security requirements are such that you can only store
> local passwords if you encrypt them

SharedObject is encrypted, to all intents and purposes.

> requirement just isn't going to make sense, so I think I will push to
> just have the username saved but not the password.

That would be my reaction if someone tried to introduce a feature to remember
username and password in a critical app.

As an aside, I wish BuzzWord would make up their minds and either always
remember or always have you type it, rather than randomly switching between
the two.

-- 
Tom Chiverton
Helping to dramatically administrate distributed infomediaries on: http://thefalken.livejournal.com

Please note, as of 10th December 2007 the registered office address of Halliwells LLP will be at 3 Hardman Square, Spinningfields, Manchester, M3 3EB

This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com.
-- 
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com

Yahoo! Groups Links

* To visit your group on the web, go to:
  http://groups.yahoo.com/group/flexcoders/

* Your email settings:
  Individual Email | Traditional

* To change settings online go to:
  http://groups.yahoo.com/group/flexcoders/join
  (Yahoo! ID required)

* To change settings via email:
  mailto:[EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED]

* To unsubscribe from this group, send an email to:
  [EMAIL PROTECTED]

* Your use of Yahoo! Groups is subject to:
  http://docs.yahoo.com/info/terms/
Re: [flexcoders] Re: Local storage of password
- Original Message -
From: Jeffry Houser [EMAIL PROTECTED]
To: flexcoders@yahoogroups.com
Sent: Wednesday, December 05, 2007 2:22 PM
Subject: Re: [flexcoders] Re: Local storage of password

> That'd be too easy. He stated that he needs to prevent the user from
> re-entering the password upon their next use of the application.

And it would.

User logs in with password. Server passes back hashed version of user
logon+password as a key. Server remembers this key. Client saves this key
locally and passes it through on future accesses. Server looks up this key to
check it's one it handed out previously.

Still open to abuse though, even if username/password values are still secret.

Paul

> Tom Chiverton wrote:
>> On Tuesday 04 Dec 2007, rmarples wrote:
>>> requirement that I can't store the encryption key in the source code as
>>> a string literal. I'm wondering if you or anybody else has ideas on how
>>> to handle this?
>>
>> Sorry to jump in mid-thread, but if you just need to check a password is
>> the same as one entered in the past, just store and compare against a hash.
>
> -- 
> Jeffry Houser, Technical Entrepreneur, Software Developer, Author, Recording Engineer
> AIM: Reboog711 | Phone: 1-203-379-0773
> -- 
> My Company: http://www.dot-com-it.com
> My Podcast: http://www.theflexshow.com
> My Blog: http://www.jeffryhouser.com
RE: [flexcoders] Re: Local storage of password
You could store an access key (hashed, encrypted, etc) that you use to lookup
the data's encryption key from a database or off the server and have the
server end handle the security.

________________________________

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of rmarples
Sent: Tuesday, December 04, 2007 5:39 PM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: Local storage of password

Hi Jeff -

Thanks for the response. By the way, great podcast :)

I will look into the encryption libraries that both you and William mentioned
but I'm wondering how they handle the encryption key. I have a requirement
that I can't store the encryption key in the source code as a string literal.
I'm wondering if you or anybody else has ideas on how to handle this?

Ryan

--- In flexcoders@yahoogroups.com, Jeffry Houser [EMAIL PROTECTED] wrote:
>
> Yes, MD5 is a hashing algorithm and it is unlikely you'd be able to take a
> hash and get the original text (in a timely / efficient manner).
>
> There are a few AS3 encryption projects. ASCrypt3: ascrypt3.riaforge.com
> and Crypto http://crypto.hurlant.com/ Both of them have 2-way encryption
> algorithms you could use. AES perhaps?
>
> That said, I worry about the security implications of storing this type of
> authentication between application uses.
>
> rmarples wrote:
>> Tracy -
>>
>> Isn't MD5 a hashing algorithm? Meaning I can only encrypt, not decrypt? I
>> don't think this would work for this scenario would it?
>>
>> Ryan
>>
>> --- In flexcoders@yahoogroups.com, Tracy Spratt tspratt@ wrote:
>>> There is an MD5 library available for AS3 that I have used.
>>>
>>> Tracy
>>>
>>> From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On Behalf Of rmarples
>>> Sent: Monday, December 03, 2007 4:59 PM
>>> To: flexcoders@yahoogroups.com
>>> Subject: [flexcoders] Local storage of password
>>>
>>> I have a requirement to take credentials used for an external web
>>> service and cache them locally so that the user need not re-type their
>>> password each time they run the app. I can easily store these
>>> credentials in a SharedObject (cookie) but I don't want to store the
>>> password in plain-text here. Does anybody have any recommendations on an
>>> encrypt/decrypt mechanism I can use for this? Also I have a requirement
>>> that any key used to encrypt can not be stored in the source code as a
>>> string literal.
>>>
>>> Ryan
Re: [flexcoders] Re: Local storage of password
That'd be too easy. He stated that he needs to prevent the user from
re-entering the password upon their next use of the application.

Tom Chiverton wrote:
> On Tuesday 04 Dec 2007, rmarples wrote:
>> requirement that I can't store the encryption key in the source code as a
>> string literal. I'm wondering if you or anybody else has ideas on how to
>> handle this?
>
> Sorry to jump in mid-thread, but if you just need to check a password is
> the same as one entered in the past, just store and compare against a hash.
Re: [flexcoders] Re: Local storage of password
I can't claim to have invented the technique. It's even better if a new hash
is passed back every time and replaces the old one (it means that any copies
of the old hash will no longer work).

Paul

- Original Message -
From: Jeffry Houser [EMAIL PROTECTED]
To: flexcoders@yahoogroups.com
Sent: Wednesday, December 05, 2007 4:40 PM
Subject: Re: [flexcoders] Re: Local storage of password

> I think that's a simple (yet elegant) solution. I wish I thought of it.
>
> Paul Andrews wrote:
>> - Original Message -
>> From: Jeffry Houser [EMAIL PROTECTED]
>> To: flexcoders@yahoogroups.com
>> Sent: Wednesday, December 05, 2007 2:22 PM
>> Subject: Re: [flexcoders] Re: Local storage of password
>>
>>> That'd be too easy. He stated that he needs to prevent the user from
>>> re-entering the password upon their next use of the application.
>>
>> And it would.
>>
>> User logs in with password. Server passes back hashed version of user
>> logon+password as a key. Server remembers this key. Client saves this key
>> locally and passes it through on future accesses. Server looks up this
>> key to check it's one it handed out previously.
>>
>> Still open to abuse though, even if username/password values are still
>> secret.
>>
>> Paul
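The following is an added example, written for this edit and not code from the thread or from any poster, showing the server side of the scheme Paul describes (hand the client an opaque key at login, remember it, look it up on later visits) together with his refinement that every use replaces the key so any copies of the old one stop working. It also covers Tom's earlier point that checking a password only needs a stored hash to compare against: login() verifies against a salted PBKDF2 hash and never keeps the password. Two things are assumptions of this example rather than of the posts: the key is a random token instead of a "hashed version of user logon+password" (a deterministic hash of the credentials would be identical on every login, so it could not be rotated), and the user table, salt and sample password are constructed for the demo. Python is used because Michael mentions a Django back end; the Flex client would keep the returned token in its SharedObject in place of the password.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password; this is what the server stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed sample user table (username -> (salt, password hash)).  The salt
# and password are made up for this demo; a real deployment reads these from
# its user database and generates a fresh random salt per user.
_SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "ryan": (_SAMPLE_SALT, hash_password("correct horse battery staple", _SAMPLE_SALT)),
}


class RememberMeTokens:
    """Server-side store of the keys handed out to clients.

    After a successful password login the client receives a random token and
    keeps it locally.  On later visits it presents the token instead of the
    password; the server looks the token up, and (Paul's refinement) replaces
    it with a new one on every use, so a stale copy of the token is rejected.
    """

    def __init__(self) -> None:
        # Only a SHA-256 digest of each token is kept, keyed to the user, so a
        # leaked table cannot be replayed as-is.
        self._tokens: Dict[bytes, str] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def _issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = username
        return token

    def login(self, username: str, password: str) -> Optional[str]:
        """Check the password against its stored hash; return a token on success."""
        record = USERS.get(username)
        if record is None:
            return None
        salt, expected = record
        # Constant-time comparison so a wrong guess does not leak how many
        # leading bytes of the hash matched.
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return None
        return self._issue(username)

    def authenticate(self, token: str) -> Optional[Tuple[str, str]]:
        """Exchange a stored token for (username, replacement token).

        Returns None if the token is unknown or was already rotated away, so an
        old copy presented after the real client has moved on is refused.
        """
        username = self._tokens.pop(self._digest(token), None)
        if username is None:
            return None
        return username, self._issue(username)

    def logout(self, token: str) -> None:
        """Forget a token so it can no longer be exchanged."""
        self._tokens.pop(self._digest(token), None)


if __name__ == "__main__":
    store = RememberMeTokens()
    first = store.login("ryan", "correct horse battery staple")
    user, second = store.authenticate(first)
    print("logged in as", user, "- old token still valid?", store.authenticate(first) is not None)
```

Paul's caveat still stands: whoever can read the token out of the client's storage can use it until the legitimate client next rotates it, so a real store would also expire tokens after a period and clear them on logout.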
Re: [flexcoders] Re: Local storage of password
I think that's a simple (yet elegant) solution. I wish I thought of it.

Paul Andrews wrote:
> - Original Message -
> From: Jeffry Houser [EMAIL PROTECTED]
> To: flexcoders@yahoogroups.com
> Sent: Wednesday, December 05, 2007 2:22 PM
> Subject: Re: [flexcoders] Re: Local storage of password
>
>> That'd be too easy. He stated that he needs to prevent the user from
>> re-entering the password upon their next use of the application.
>
> And it would.
>
> User logs in with password. Server passes back hashed version of user
> logon+password as a key. Server remembers this key. Client saves this key
> locally and passes it through on future accesses. Server looks up this key
> to check it's one it handed out previously.
>
> Still open to abuse though, even if username/password values are still
> secret.
>
> Paul
RE: [flexcoders] Re: Local storage of password
> That'd be too easy. He stated that he needs to prevent the user from
> re-entering the password upon their next use of the application.

So compare hashes again... ?

Tom
Re: [flexcoders] Re: Local storage of password
- Original Message -
From: rmarples [EMAIL PROTECTED]
To: flexcoders@yahoogroups.com
Sent: Wednesday, December 05, 2007 11:30 PM
Subject: [flexcoders] Re: Local storage of password

> Well the thing about this application is, I don't own the server. I'm using
> a 3rd party Internet web service (salesforce.com in this case). So I can't
> change the way the server authenticates people - actually it does so in a
> very rational way anyway. The requirement was simply to save the user the
> pain of having to type in their username and password every single time
> they hit my app since the browser auto-fill feature doesn't work for Flex
> apps. It's easy to store the username because I can throw it into a
> SharedObject because it's not sensitive, but for the password the
> salesforce.com security requirements are such that you can only store
> local passwords if you encrypt them and you can't store the encryption key
> in the code.
>
> Anyway, thanks for everybody's input but it's looking like this requirement
> just isn't going to make sense, so I think I will push to just have the
> username saved but not the password.

Why is typing in a password such a big deal? I think most users expect to have
to sign in to an application, though some companies operate a single sign-on
architecture where that is not required. What is the case here?

We've focussed on one small aspect of security, what is the bigger picture?

Paul

> Ryan

<snip>
Re: [flexcoders] Re: Local storage of password
On Tuesday 04 Dec 2007, rmarples wrote:
> requirement that I can't store the encryption key in the source code as a
> string literal. I'm wondering if you or anybody else has ideas on how to
> handle this?

Sorry to jump in mid-thread, but if you just need to check a password is the
same as one entered in the past, just store and compare against a hash.

-- 
Tom Chiverton
Helping to biannually accelerate seamless action-items on: http://thefalken.livejournal.com
Re: [flexcoders] Re: Local storage of password
Yes, MD5 is a hashing algorithm and it is unlikely you'd be able to take a
hash and get the original text (in a timely / efficient manner).

There are a few AS3 encryption projects. ASCrypt3: ascrypt3.riaforge.com and
Crypto http://crypto.hurlant.com/ Both of them have 2-way encryption
algorithms you could use. AES perhaps?

That said, I worry about the security implications of storing this type of
authentication between application uses.

rmarples wrote:
> Tracy -
>
> Isn't MD5 a hashing algorithm? Meaning I can only encrypt, not decrypt? I
> don't think this would work for this scenario would it?
>
> Ryan
>
> --- In flexcoders@yahoogroups.com, Tracy Spratt [EMAIL PROTECTED] wrote:
>> There is an MD5 library available for AS3 that I have used.
>>
>> Tracy
>>
>> From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On Behalf Of rmarples
>> Sent: Monday, December 03, 2007 4:59 PM
>> To: flexcoders@yahoogroups.com
>> Subject: [flexcoders] Local storage of password
>>
>> I have a requirement to take credentials used for an external web service
>> and cache them locally so that the user need not re-type their password
>> each time they run the app. I can easily store these credentials in a
>> SharedObject (cookie) but I don't want to store the password in
>> plain-text here. Does anybody have any recommendations on an
>> encrypt/decrypt mechanism I can use for this? Also I have a requirement
>> that any key used to encrypt can not be stored in the source code as a
>> string literal.
>>
>> Ryan
Re: [flexcoders] Re: Local storage of password
Is this a Flex app on a web page? I am not sure about an AIR project but with
Flex and webservices, you still have the benefit of cookies and sessions. I am
working on a project that uses a standard web page login that gets the user
logged in and the session started. After that it moves to the Flex app. The
user doesn't have to log in again unless the session expires, which is
determined by the server. Subsequent calls to webservices maintain that
information. I am using Django (Python) but it should be similar for other
backends.

Are your webservices within the same domain? If not, are you able to pass a
token for authentication?

Michael

Jeffry Houser wrote:
> Yes, MD5 is a hashing algorithm and it is unlikely you'd be able to take a
> hash and get the original text (in a timely / efficient manner).
>
> There are a few AS3 encryption projects. ASCrypt3: ascrypt3.riaforge.com
> and Crypto http://crypto.hurlant.com/ Both of them have 2-way encryption
> algorithms you could use. AES perhaps?
>
> That said, I worry about the security implications of storing this type of
> authentication between application uses.
>
> rmarples wrote:
>> Tracy -
>>
>> Isn't MD5 a hashing algorithm? Meaning I can only encrypt, not decrypt? I
>> don't think this would work for this scenario would it?
>>
>> Ryan
>>
>> --- In flexcoders@yahoogroups.com, Tracy Spratt [EMAIL PROTECTED] wrote:
>>> There is an MD5 library available for AS3 that I have used.
>>>
>>> Tracy
>>>
>>> From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On Behalf Of rmarples
>>> Sent: Monday, December 03, 2007 4:59 PM
>>> To: flexcoders@yahoogroups.com
>>> Subject: [flexcoders] Local storage of password
>>>
>>> I have a requirement to take credentials used for an external web
>>> service and cache them locally so that the user need not re-type their
>>> password each time they run the app. I can easily store these
>>> credentials in a SharedObject (cookie) but I don't want to store the
>>> password in plain-text here. Does anybody have any recommendations on an
>>> encrypt/decrypt mechanism I can use for this? Also I have a requirement
>>> that any key used to encrypt can not be stored in the source code as a
>>> string literal.
>>>
>>> Ryan