The story:
I'm currently writing a web service that allows for communications to be made remotely via TCP/IP.
I first thought about signing each packet using HMAC-SHA1 with a password, appending the signature to the start of the packet and then have the server (which also knows the password) verify the packet sent.
However, this means that the server would store the passwords as-is (without hashing it), making it very dangerous indeed for anyone who gain unauthorized access to the database. Furthermore, any sensitive information (such as a 'change password' packet's new password) can be hijacked via a man-in-middle attack.
I then read about TLS/SSL and decided to use it to prevent any man-in-middle attacks.
The TL;DR:
Do I still need to sign my packets when sending it over TLS? Or can I just send my packets over as-is? I read that it is not a good idea to send plain passwords (or their hashes) over networks. As such, I'm not sure if with TLS, it's better to simply send passwords over to the server for authentication, or to sign each packet with the passwords instead of sending them over.
Aucun commentaire:
Enregistrer un commentaire