asp.net - Automatic Website Login, Long URLs, Encryption
I'm building a secure payment portal.
We have 2 applications using this: one web application and one desktop app. Both of these require users to login/authenticate, and the same credentials can be used for either application.
I want to build an automatic login mechanism to fill in various login/order details, which can be called from either app mentioned above. I've been thinking the best way is to pass the information encrypted through the URL, i.e. https://mysite.com/takepayment.aspx?id=gt2jkjh3....
Since I don't want to integrate the payment processing tightly into the desktop app (to reduce our PCI scope), I decided to have it open the browser on a central, secured payment page through a simple shell execute of the full URL, causing the default browser to open the page.
I was originally using AES encryption, but this is being re-examined as I'd prefer not having to give out the key to the end user (AES is symmetric, and symmetric encryption = both parties need the private key, so why bother encrypting since we're going to be distributing the app?), so I'm looking at switching to public key encryption using the built-in RSA routines within .NET.
After coding the RSA portion I noticed that the examples on the net used a 1024-bit key length, so I went with that, and we have our portal working with public key encryption, but the URLs generated are much longer than when using AES, which made me start researching what the max limits on URLs are. http://www.boutell.com/newfaq/misc/urllength.html says IE is the limiting browser at 2048 characters in the path portion. Initial tests with RSA encryption show URLs around 1400 chars long.
My questions boil down to this:
1) Is there a better way of passing information from the desktop app to the website that I'm not thinking of? I'd prefer an easy-to-use web page from the desktop, hence the current solution.
2) Are 1024-bit RSA keys necessary? Or overkill for this? A shorter key means shorter encrypted text, right?
3) Are there other unforeseen problems with URLs in the 1200-1400 character range? Proxies? Firewalls? Web-accelerators?
Thanks
Update 12/11/2011: Come to find out, the method I ended up going with here ended up biting me in the ass (or rather, I found out today, though the problem was sporadic and a difficult one to track down..)
The plain text token I encrypted was rather small, a hundred bytes or so. This resulted in test URLs being approximately 1400 bytes long. Through feature creep we've been required to add more data to the token, and the average URL length jumped to 1700-1800 in length.
Once the length of our plain text hits 173 characters long and above, however, the URL length jumps again, this time to 2080+ or so, which causes problems with IE. After investigating how RSA encryption works, this should have been totally expected; an oversight on my part originally.
We're using 1024 bit RSA encryption, which means the maximum data block size that can be encrypted is 1024/8 - 24 = 86 bytes, so every 86 bytes needs to be "chopped up" and encrypted separately. At 86 * 2 = 172 we're encrypting 2 blocks; above that we're encrypting three, four, five, etc. Passing 172, our cipher text length grew too long and the URLs too long.. I'm messing the explanation up a little here, but that's the general gist of it..
It seems we'll be looking at designing a better way to make this work, as it can be expected they'll want "more features" added in the future and our token will grow ever larger...
Assuming you're logged into the database, can you not pass data back and forth using SSL web services? In the case of going from the desktop app to the web app, make an RPC call to the website to generate a random key, pass it to the user and call the web page using that. Make the key valid for 10 seconds, meaning should the key be captured and broken it would already have become invalid?
I have little experience with this kind of thing, so I'm expecting many holes to be poked in my idea.
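The handoff the answer proposes, as an added example (not code from either poster): the web service keeps the login/order details server-side under a random, single-use token that expires after the 10 seconds mentioned, and the browser URL carries only that token. This keeps the URL short regardless of how much the token refers to, which addresses the RSA block-count growth described in the update. `HandoffTokenStore` and `payment_url` are hypothetical names; the base URL is the one from the question.

```python
import base64
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class HandoffTokenStore:
    """Server-side store for short-lived, single-use login handoff tokens.

    The desktop app requests a token over SSL, the service stores the payload
    here, and the browser is opened on a URL carrying only the opaque token.
    """
    ttl_seconds: float = 10.0                      # validity window from the answer
    _entries: dict = field(default_factory=dict)   # token -> (payload, expires_at)

    def issue(self, payload: dict, now=None) -> str:
        """Store the payload and return an unguessable, URL-safe token (32 random bytes)."""
        now = time.time() if now is None else now
        token = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self._entries[token] = (payload, now + self.ttl_seconds)
        return token

    def redeem(self, token: str, now=None):
        """Return the payload once and invalidate the token; None if unknown, used or expired."""
        now = time.time() if now is None else now
        entry = self._entries.pop(token, None)     # pop: each token redeems at most once
        if entry is None:
            return None
        payload, expires_at = entry
        if now > expires_at:
            return None                            # a captured-and-replayed token fails here
        return payload


def payment_url(token: str, base: str = "https://mysite.com/takepayment.aspx") -> str:
    """Build the URL the desktop app hands to the default browser; only the token travels."""
    return f"{base}?id={token}"


if __name__ == "__main__":
    store = HandoffTokenStore()
    # Constructed sample payload standing in for the login/order details.
    tok = store.issue({"user": "alice", "order": 42})
    print(payment_url(tok), len(payment_url(tok)))   # well under 100 characters
    print(store.redeem(tok), store.redeem(tok))      # payload, then None (single use)
```

The server should additionally bind the token to the authenticated account that requested it, so the payload is never reconstructed from anything the client sends.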