#1

    Xml web services secure


    At the moment, I connect to a remote database with mysql to retrieve data - this is insecure as there is no encryption.

    So, I have 2 options, I could install call a PHP page, which would serve up XML or I could cURL a page and retrieve the page output.

    How can I secure that connection - does it have to use https and also some kind of password check?
  2. #2
    Hi,

    first decide what you wanna do. A simple remote database connection? A webservice? Which protocol? This is independent from the security aspect. It depends on what you want and need.

    Either way, yes, you'll need TLS/SSL. For authentication, there are different solutions. A secure way is to use TLS client certificates, which fits nicely into the general TLS setup. On the low end, there's the classical password-based authentication. If you use the latter, make sure to hash the password with a strong algorithm like bcrypt. Do not run around with plaintext passwords or MD5 hashes or something like that.
  4. #3
    Originally Posted by Jacques1
    Hi,

    first decide what you wanna do. A simple remote database connection? A webservice? Which protocol? This is independent from the security aspect. It depends on what you want and need.

    Either way, yes, you'll need TLS/SSL. For authentication, there are different solutions. A secure way is to use TLS client certificates, which fits nicely into the general TLS setup. On the low end, there's the classical password-based authentication. If you use the latter, make sure to hash the password with a strong algorithm like bcrypt. Do not run around with plaintext passwords or MD5 hashes or something like that.
    I would like to use cURL with either retrieving a simple HTML page or an XML file.
    I don't think I can do a handshake as I do not have access to the webserver as it is on a host service.
  6. #4
    Don't reinvent the wheel. Use a standard protocol like XML-RPC. Smart people have already solved the problem of exchanging data, so there's no need to waste time with low-level cURL stuff and XML parsing.
  8. #5
    Originally Posted by Jacques1
    Don't reinvent the wheel. Use a standard protocol like XML-RPC. Smart people have already solved the problem of exchanging data, so there's no need to waste time with low-level cURL stuff and XML parsing.
    If I hash a password and send it across via SSL then couldn't someone intercept the hash anyway? Especially if it's passed in the POST of the URL?
    Whether I send a hash or a plain text is the same, as an attacker can just intercept it.
    The receiving server needs to handshake with the client somehow.

    Or do I hash it on the client and only store the hash, not the real password?
    But the server will have to hash the password at some point to compare the 2 hashed passwords.
    Last edited by qwertyjjj; November 3rd, 2013 at 02:33 PM.
  10. #6
    No, no. The client has the password. The server only has a hash of the password so that even the exposure of the server data won't reveal the actual password. To authenticate, the client sends the password (which is TLS-encrypted during transportation), and the server hashes it and compares the result with the stored hash.

    You should definitely read up on how to implement password authentication so that you don't get that wrong.

    Using the new password API of PHP 5.5 and the password n\<v~<$Wbc$DLmͪK&, the authentication procedure looks something like this:

    PHP Code:
    <?php

    // stored hash of the password (bcrypt algorithm with a cost factor of 10)
    $api_token = '$2y$10$wkYFjwt1XETwTbKqudoFquiK5Sl0PeDJ5RC.EaP1t3GrjmQ38rxZa';

    // check password
    if (isset($_POST['api_token']) && password_verify($_POST['api_token'], $api_token)) {
        echo 'Welcome!';
    } else {
        echo 'Wrong password!';
    }
    Since your hoster probably doesn't have PHP 5.5 yet, you'll need a third-party library like password_compat. It will emulate the hash functions above in legacy versions of PHP (but you'll need at least PHP 5.3.7).
    Last edited by Jacques1; November 3rd, 2013 at 04:36 PM.
  12. #7
    Originally Posted by Jacques1
    No, no. The client has the password. The server only has a hash of the password so that even the exposure of the server data won't reveal the actual password. To authenticate, the client sends the password (which is TLS-encrypted during transportation), and the server hashes it and compares the result with the stored hash.

    You should definitely read up on how to implement password authentication so that you don't get that wrong.

    Using the new password API of PHP 5.5 and the password n\<v~<$Wbc$DLmͪK&, the authentication procedure looks something like this:

    PHP Code:
    <?php

    // stored hash of the password (bcrypt algorithm with a cost factor of 10)
    $api_token = '$2y$10$wkYFjwt1XETwTbKqudoFquiK5Sl0PeDJ5RC.EaP1t3GrjmQ38rxZa';

    // check password
    if (isset($_POST['api_token']) && password_verify($_POST['api_token'], $api_token)) {
        echo 'Welcome!';
    } else {
        echo 'Wrong password!';
    }
    Since your hoster probably doesn't have PHP 5.5 yet, you'll need a third-party library like password_compat. It will emulate the hash functions above in legacy versions of PHP (but you'll need at least PHP 5.3.7).
    Looks good.
    The client is a server as well though, so technically a hacker could access the client and get the password?
  14. #8
    Knowing the password is how the client proves its identity. There's nothing you can do about that.

    What you can do, however, is make the main server only accept requests from the IP of the intermediate server. This adds another authentication factor so that stealing the password alone isn't enough.
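
An added example, not part of the original thread or any poster's code: the two factors discussed above (a token checked against a stored bcrypt hash, plus accepting requests only from the intermediate server's IP), together with a cURL client that enforces HTTPS and certificate verification. The function names, the addresses (taken from documentation ranges) and the sample token are hypothetical, and the syntax assumes PHP 7 or later.

```php
<?php
// Added example: function names, IPs and the token are hypothetical placeholders.

// --- Server side: the hosted PHP page that serves the data ---
function is_authorized(array $server, array $post, string $storedHash, array $allowedIps): bool
{
    // Factor 1: only the intermediate server's address may call this endpoint.
    // REMOTE_ADDR is the TCP peer; client-supplied headers are not trusted here.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $allowedIps, true)) {
        return false;
    }
    // Refuse plain HTTP so the token is never accepted over an unencrypted channel.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return false;
    }
    // Factor 2: the shared secret, verified against the stored bcrypt hash.
    $token = $post['api_token'] ?? '';
    return is_string($token) && password_verify($token, $storedHash);
}

// --- Client side: the intermediate server that fetches the data ---
function fetch_data(string $url, string $token)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['api_token' => $token]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to http://
        CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // and that it matches the host name
    ]);
    return curl_exec($ch); // response body, or false on a transport or TLS failure
}

// Constructed self-check of the server-side logic (no network access needed).
$hash    = password_hash('constructed-sample-token', PASSWORD_BCRYPT, ['cost' => 10]);
$allowed = ['203.0.113.10'];
$server  = ['REMOTE_ADDR' => '203.0.113.10', 'HTTPS' => 'on'];
$post    = ['api_token' => 'constructed-sample-token'];

var_dump(is_authorized($server, $post, $hash, $allowed));                                   // allowed IP, right token
var_dump(is_authorized(['REMOTE_ADDR' => '198.51.100.7'] + $server, $post, $hash, $allowed)); // other IP
var_dump(is_authorized($server, ['api_token' => 'guess'], $hash, $allowed));                // wrong token
```

On the real endpoint the call would be `is_authorized($_SERVER, $_POST, $storedHash, $allowedIps)`, and the client should read its token from configuration outside the web root rather than from source code.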
