Search code examples
web-servicesencryptionhttpspasswordsplaintext

Encryption of a Password send over HTTPS

Good day,

I am very new to database/application/connection security and would like some help on a project.

Let me explain my environment :

  • I have a username A and password A being saved in a database (A) on a local machine.
  • Password A is being stored using a type of hashing algorithm with salt A.
  • I am sending the credentails (Username A and Password A) via a HTTPS SOAP Call to a webservice sitting remotely.
  • Apon receiving Username A and Password A the webservice validates those credentials to a table sitting in database (B) local to the webservice location.

My Problem : If someone gets access to database A and extracts the hashed passwords they can use a SOAP request to connect to the webservice. This means that my security is null and VOID.

I have to possible solutions :

SOLUTION 1 : Before sending password A to the webservice, I decrypt it and send it over plaintext via the Secured HTTPS connection. The webservice will then encrypt it again when validating agains the hash stored in database B.

SOLUTION 2 : Before sending password A to the webservice, I do a second encryption to that existing hash. When arriving at the webservice, it is decrypted to expose the hash which is .then validated against database B.

My Question : Is any of the 2 solutions above, best practice. If not, what would be a best practive solution for this scenario.

Kind Regards

Solution

  • Just a few notes

    • there is difference between hash (one way, non-reversible) and encryption (reversible). You cannot decrypt hashed value.
    • I will assume you are working with service credentials, not user's identity credentials

    Here I will assume you are talking bout

    SOLUTION 2 : Before sending password A to the webservice, I do a second encryption to that existing hash. When arriving at the webservice, it is decrypted to expose the hash which is .then validated against database B.

    The hash effectively becomes a password, it doesn't add any security to the solution

    SOLUTION 1 : Before sending password A to the webservice, I decrypt it and send it over plaintext via the Secured HTTPS connection.

    There are several standards to authenticate the SOAP WS client, using simple credentials it's WS-UsernameToken. Effectively the client sends its username and password plain, relying HTTPS to handle the channel security.

    My Problem : If someone gets access to database A and extracts the hashed passwords they can use a SOAP request to connect to the webservice

    One the password is hashed, you won't be able to decrypt it, but as well you cannot use the hashed value as a password. Otherwise you will get the "solution 2" and you are using the hash as a password.

    Indeed, this is generally a problem. You may search other questions, how to store service credentials locally. The whole problem is - you need to store the credentials. In my experience the best you can do at least make retrieval somewhat harder, e.g. encrypt the service passwords so they are not stored plain in the database or config files. At the end the client application needs the encryption key somewhere to decrypt the credentials. The key needs to be protected as well.

    If you are dealing with user credentials (user identities), do not store the user passwords at all at the client side, there are other ways how to authorize user actions (access token, jwt token, ..)