Hobbito
Delphi Developer
2006-04-26 03:08:19 AM
pki
I have a Delphi7/Intraweb web site with user/password login. User names and passwords are stored in a database. Now I need to add more security validating users with pki. I have no clue about how to do it with intraweb. Is there any component to be added to the forms or something?
Barry
Delphi Developer
2006-04-26 04:54:00 AM
Re:pki
On 25 Apr 2006 12:08:19 -0700, "Hobbito" <XXXX@XXXXX.COM> writes:
Quote
this type of thing. So if the user enters "John Smith" "Secret Password" you can MD5(username+pw) to produce something like E422F37DA...322132, which is a 32 character string.

Now when the user logs in you need to check to see if he is a valid user, so you do something like:

    select count(*) from UserTable where UserNamePw=:EnteredValue

If the user has entered the correct UserName/Pw combination, the query will return 1. Otherwise it returns zero. You never want to return actual rows from the UserTable, which is why I used Count(*).

You can also MD5 the user's email address and store that in the table rather than the raw unprotected email address. So if the user loses his password, you prompt him to enter the User Name and email Address and if an MD5 of those fields matches the MD5 of those fields that is stored in the table, you take the email address that he just entered (still in RAM), and email him a link to reset the pw. The link should expire in 24 hours.

So you don't really need to use encryption on these fields and never have to worry that someone will discover the pw because MD5 is a hash, you cannot decrypt it. There are plenty of free MD5 functions out there for Delphi. Just google it.

Barry

-----------------------------------
e-mail: XXXX@XXXXX.COM
web page: www.grebarsys.com
PrintDAT! - Make your grids and tables printable in just 10 seconds & 1 line of code
SuperFastDistinct! - 5x, 10x, 100x faster than SQL's Select Distinct ...
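An added example, not part of the original post or the poster's code: the MD5(username+pw) lookup described above, next to a per-user salted PBKDF2 check with a constant-time comparison. It is written in Python rather than Delphi so it runs with the standard library alone; the `Users` table, the function names, the iteration count and the sample accounts are assumptions made for the illustration.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware

def md5_key(username, password):
    # Scheme from the post: one unsalted MD5 over username+password.
    return hashlib.md5((username + password).encode()).hexdigest().upper()

def legacy_login(db, username, password):
    # The post's lookup: count rows whose stored digest equals the entered one.
    row = db.execute("select count(*) from UserTable where UserNamePw = ?",
                     (md5_key(username, password),)).fetchone()
    return row[0] == 1

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, username, password):
    salt = os.urandom(16)  # fresh random salt per user
    db.execute("insert into Users values (?, ?, ?)",
               (username, salt, kdf(password, salt)))

def login(db, username, password):
    # Look the user up by name, then compare derived keys in constant time.
    row = db.execute("select Salt, PwHash from Users where UserName = ?",
                     (username,)).fetchone()
    if row is None:
        kdf(password, b"\0" * 16)  # spend the same work for unknown users
        return False
    return hmac.compare_digest(row[1], kdf(password, row[0]))

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("create table UserTable (UserNamePw text)")
    db.execute("create table Users (UserName text primary key, Salt blob, PwHash blob)")
    # Constructed sample account, using the name and password from the post.
    db.execute("insert into UserTable values (?)", (md5_key("John Smith", "Secret Password"),))
    register(db, "John Smith", "Secret Password")
    return {
        "legacy_ok": legacy_login(db, "John Smith", "Secret Password"),
        # username+password has no field boundary, so a shifted split also matches
        "legacy_shifted_split": legacy_login(db, "John Smit", "hSecret Password"),
        "hardened_ok": login(db, "John Smith", "Secret Password"),
        "hardened_shifted_split": login(db, "John Smit", "hSecret Password"),
        "hardened_wrong_pw": login(db, "John Smith", "secret password"),
    }

if __name__ == "__main__":
    print(demo())
```

Because the salted form keys the row on the user name and stores a random salt, two users with the same password no longer share a stored value.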
Hobbito
Delphi Developer
2006-04-27 01:22:45 AM
Re:pki
Thanks for your answer!
I understand, and it looks fine to me, but the fact is that the usage of pki is a strong request from the user. What I am thinking now is to use IIS, enable certificate request so the client will have to install a certificate in the computer and/or connect an external device where it is stored and enter a pin to open the session. Then, from the application, I should get the info of the certificate from the session to validate user permissions, etc. Can I do this? I still couldn't find in WebApplication a method to get the information from the certificate associated with the ssl session.

TIA.
Barry
Delphi Developer
2006-04-27 11:28:53 AM
Re:pki
On 26 Apr 2006 10:22:45 -0700, "Hobbito" <XXXX@XXXXX.COM> writes:
Quote
www.homenethelp.com/vpn/
www.wkmn.com/newsite/vpn.html

There are plenty of sites out there that explain it and have free VPN managers.

Barry