The Archive Base

Editorial Team
Asked: May 28, 2026 (2026-05-28T18:54:38+00:00)

I have a situation where my C# Application need to communicate with my Php


I have a situation where my C# application needs to communicate with my PHP website (yes, I have sources for both of them and I can edit them without any problem).

I have to send some data from my C# app to PHP website to update some data in the database.

The biggest problem is that this webpage where I should send data is protected with an authentication mechanism.

I don’t have any problem in editing this mechanism, however I need a secure way to send (eventually) username/password and the data required. What’s a secure way to do this? I don’t think sending username and password as plain text is a good idea, so I was looking for suggestions.

1 Answer

  1. Editorial Team
    Added an answer on May 28, 2026 at 6:54 pm

    SSL + username in request (optional; but if you will eventually have multiple clients that you have to differentiate, it’s probably necessary) + SIGN the request with the password that corresponds to that username and is known on both ends.

    Note that “signing” does not mean sending the password over the network. It means hashing a part or the complete request, then including that value in clear-text request. The recipient (PHP) would then do the same, then compare hashes. Signing ensures that only the client that knows the password can make the request; invalid requests should be rejected.

    Encrypting with SSL certificate (if you have it on php side) helps only to hide the data from curious eyes. Signing is what verifies the client.

    Make an anon php handler (make an exception in your auth rules), and this should work.


    EDIT: EXAMPLE

    Let’s say that you want your C# app to pass the following data to your PHP app:

    <data>hello</data>
    

    Let’s say that you decided for this client to be recognized by username "uid" and password "pwd".

    Signing data relates to hashing it. Hashing means encrypting it in such a way that it cannot possibly be decrypted (well, kind of; I simplified that; look it up). There are several hashing algorithms, and you’ll have to find a library to do it, for both C# and PHP. The most popular (I guess) are “sha1” and “md5”. I don’t even know the core difference, neither do I care. All I know is that different values get to be “translated” to fairly unique hash values. For example – although, off-topic, it’s common to store hash values of passwords in the database, and compare hashes, rather than comparing clear-text passwords, during user validation.

    In .NET, you can sha1/md5 hash string values by method System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile. I know very little about PHP, but I’m sure you’ll find a library that does exactly the same.

    So, given the above example data, and above credentials, you could do the following:

    1 – Find the place for the username (so, that you know who’s sending the request; again, if you anticipate having multiple clients; otherwise, in your case, you can skip this). For example:

    <data username="uid">hello</data>
    

    Instead of this, you can do various things: define your own format (xml, json, delimited, binary), or if the data is short and you’re using HTTP GET, then encode it and have data and username be two different query pairs, or HTTP-POST them as post arguments.

    2 – The above data is still clear-text. Now, signing. This can be done in multiple ways, but I’ll make it simple: add the clear-text password to this data (doesn’t matter where, as long as that location is known to both parties); e.g.

    <data username="uid">hello</data>pwd
    

    Notice how I don’t even care that I just broke the xml-format. You could have placed it as an attribute/element – anywhere. That’s still clear-text.

    3 – Hash it. Again, it doesn’t matter which hash algorithm you use, as long as it’s known to both parties. For this example, I’ll use one of many online hash generators that are out there:
    http://www.joeswebtools.com/security/sha1-hash-generator/

    When I paste the complete text (including the password) from #2 over on that site, I’ll get this (go ahead and you also try):

    3311d4ed24ce60f7bf9cf261e3203616b239d944
    

    So, given the exact same text input (case sensitive, encoding sensitive) hashing will always produce the exact same result. SHA1/MD5 are fixed-length algorithms (36 and 40 chars, I believe; I’m lazy to verify that right now).

    4 – Now, add this hashed value to the original request data from #1 (any spot, as long as it’s known to both parties); for example:

    <data username="uid">hello</data>3311d4ed24ce60f7bf9cf261e3203616b239d944
    

    or

    <data username="uid" signature="3311d4ed24ce60f7bf9cf261e3203616b239d944">hello</data>
    

    The important thing is that PHP needs to know where to find the hash value and how to parse it out.

    5 – Send the text from #4 from C# to PHP. What we did so far was only signing to be certain that the sender is who you think it is. It is not encrypting: there are ways to intercept this request and read it (however, nobody can decipher the password). It is up to you if you also want to encrypt it (do you care if somebody can read this?). There are a bunch of ways to encrypt data as well, but using an SSL certificate on the PHP side (and then sending the request over HTTPS) is probably your simplest, cheapest, the least error-prone/risky method, and – I dare say – the best. If you choose not to encrypt, C# sends the data as it is in #4 above.

    6 – PHP receives the data. If you used SSL, I’m pretty sure you won’t have to do anything to decrypt it (it will be done by PHP for you) – so, in either case, your PHP script will receive the data in clear-text.

    <data username="uid" signature="3311d4ed24ce60f7bf9cf261e3203616b239d944">hello</data>
    

    7 – PHP knows about this format. If parsing this request fails for any reason, ignore the request. I said this assuming that the code running on both ends has no bugs related to creating the request and reading it.

    8 – PHP removes the signature from the request data (while keeping it in memory), resulting in this:

    <data username="uid">hello</data>
    

    9 – PHP reads the username from the request (“uid”). It then looks up the password associated with it (“pwd”). It then does the exact same things that the C# client did in steps #2 and #3, producing the following for itself:

    3311d4ed24ce60f7bf9cf261e3203616b239d944
    

    10 – The signature from #9 has GOT TO be the same as the signature provided in the request (from #8) – case-sensitive! If it’s not, somebody is trying to pretend they are the uid client.

    11 – Now that PHP is certain that the client is its friendly C# app (let’s call this “the trust”), it can process the request.


    There may be more elegant ways, possibly simpler. Also, where in step #2 I told you to add the password, you could instead add the HASH of the password (assuming your PHP doesn’t even have the clear-text password, but it has that same HASH instead).

    No, this method cannot be faked. It is impossible for me – without knowing the password – to send you some maliciously-formed request pretending to be your C# client. However, replaying IS possible. Replaying means: intercepting the request, reading it, and resending it as is. This is mostly done to steal information without either of the 2 parties knowing. There are ways to prevent replaying also, but it’s out of scope, and you’re not doing anything for the military, are you?

    Now, I want an A for all this info and my time 🙂
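
The signing and verification steps above (#1 to #4 on the client, #7 to #10 in PHP), as an added example that is not part of the original answer: `sign_as_described` follows the answer's SHA-1 over text-plus-password, and `sign_hmac` is a swapped-in HMAC-SHA256 variant using the same shared secret. All function names and the regex-based request format are assumptions made for illustration.

```php
<?php
// Added example, not the answer author's code. Function names are hypothetical;
// "uid"/"pwd" are the sample credentials from the answer.

// Steps 2-3 as described: SHA-1 over the request text with the password appended.
function sign_as_described(string $unsigned, string $secret): string
{
    return sha1($unsigned . $secret);
}

// Swapped-in alternative (not in the answer): HMAC-SHA256 keyed with the secret.
function sign_hmac(string $unsigned, string $secret): string
{
    return hash_hmac('sha256', $unsigned, $secret);
}

// Steps 1 and 4 (client side): add the username, then embed the signature.
function build_request(string $user, string $payload, string $secret, callable $sign): string
{
    $sig = $sign('<data username="' . $user . '">' . $payload . '</data>', $secret);
    return '<data username="' . $user . '" signature="' . $sig . '">' . $payload . '</data>';
}

// Steps 7-10 (server side). Returns the payload if trusted, null otherwise.
function verify_request(string $raw, array $secrets, callable $sign): ?string
{
    // Step 7: ignore anything that is not in the agreed format.
    $format = '#^<data username="([^"<>]+)" signature="([0-9a-f]+)">(.*)</data>\z#s';
    if (!preg_match($format, $raw, $m) || !array_key_exists($m[1], $secrets)) {
        return null;
    }
    [, $user, $sig, $payload] = $m;
    // Steps 8-9: rebuild the text without the signature and sign it again.
    $expected = $sign('<data username="' . $user . '">' . $payload . '</data>', $secrets[$user]);
    // Step 10: exact, case-sensitive match; hash_equals compares in constant time.
    return hash_equals($expected, $sig) ? $payload : null;
}

$secrets = ['uid' => 'pwd'];
foreach (['sign_as_described', 'sign_hmac'] as $sign) {
    $good = build_request('uid', 'hello', $secrets['uid'], $sign);
    $tampered = str_replace('hello', 'HELLO', $good);    // constructed: body changed in transit
    $unknown = str_replace('"uid"', '"eve"', $good);     // constructed: username with no secret
    foreach ([$good, $tampered, $unknown] as $request) {
        var_dump(verify_request($request, $secrets, $sign));
    }
}
```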

