Ask the Expert

Authenticating Web applications to SQL

Is it possible to securely authenticate Web applications to SQL databases?


Yes, it is possible, and I think the best way to securely authenticate Web applications to other resources, including SQL databases, is to use Secure Shell (SSH). Secure Shell, sometimes known as Secure Socket Shell, is a Unix-based command interface and protocol that provides strong authentication and secure communication over unsecured channels. The encrypted session is supported by public-key cryptography to protect the session key used by the symmetric encryption algorithm. SSH uses RSA public key cryptography for both connection and authentication and supports Blowfish, DES, IDEA, and other symmetric encryption algorithms.

As long as the connection between the application and the database uses TCP, the two can use the SSH channel to authenticate to each other and increase security against different kinds of attacks. To use SSH for a variety of services, you should use port redirection.

To enable a Web application to authenticate to your database, you will need to put an SSH client on the Web server and an SSH server on the database server. SSH can then encrypt passwords and network traffic between your Web and database servers, thus preventing eavesdropping, IP spoofing, IP source routing, DNS spoofing and other network-level attacks.
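The port-redirection setup described above, as an added example that is not part of the original answer. It assumes OpenSSH on both servers and a database listening only on loopback port 3306; the host name, account name, key path and ports are placeholders, and the script prints the commands rather than opening a connection.

```shell
#!/bin/sh
# Added example: build a locked-down SSH tunnel between a web server (SSH
# client) and a database server (SSH server). All values are assumptions.
DB_HOST="db.example.internal"          # database server running sshd (placeholder)
TUNNEL_USER="dbtunnel"                 # unprivileged account used only for forwarding
KEY_FILE="/etc/webapp/tunnel_ed25519"  # private key readable only by the tunnel service
LOCAL_PORT=3307                        # port the web application connects to
DB_PORT=3306                           # database port, bound to loopback on DB_HOST

# Client side: print the command the web server runs to hold the tunnel open.
# -N/-T: no remote command, no terminal. BatchMode: key authentication only,
# never prompt. StrictHostKeyChecking: refuse an unknown or changed host key.
# ExitOnForwardFailure: exit instead of running without the forward.
tunnel_cmd() {
    printf 'ssh -N -T -i %s' "$KEY_FILE"
    printf ' -o %s' BatchMode=yes IdentitiesOnly=yes StrictHostKeyChecking=yes \
        ExitOnForwardFailure=yes ServerAliveInterval=30
    printf ' -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$LOCAL_PORT" "$DB_PORT" "$TUNNEL_USER" "$DB_HOST"
}

# Server side: print the authorized_keys entry for TUNNEL_USER. "restrict"
# turns off shell, PTY, agent and X11 forwarding; the key is then allowed
# only to forward to the database port.
authorized_keys_line() {
    # $1 = public key text (contents of the .pub file)
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s\n' "$DB_PORT" "$1"
}

# Check a -L specification: accept it only when the listening side is
# explicitly bound to IPv4 loopback, so other hosts cannot reach the tunnel.
forward_is_loopback() {
    case "$1" in
        127.0.0.1:*:*:*|localhost:*:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample public key, for illustration only.
SAMPLE_PUB="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly webapp-tunnel"

echo "# run on the web server (under a service manager):"
tunnel_cmd
echo "# append to ~$TUNNEL_USER/.ssh/authorized_keys on the database server:"
authorized_keys_line "$SAMPLE_PUB"
```

The web application then connects to 127.0.0.1:3307 as if the database were local, and the database's own account and password checks still apply on top of the tunnel.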

You can obtain free, open source implementations at http://www.openssh.com or commercial versions, including Windows versions, at http://www.ssh.com. There are two versions of SSH: Secure Shell Version 1 (SSH1) and Secure Shell Version 2 (SSH2). SSH1 is not as secure as SSH2 and is gradually being withdrawn from use. SSH2 is actually a complete rewrite of the protocol, and it does not use the same networking implementation as SSH1, so make sure you use SSH2. A good SSH "how-to" can be found at http://p25ext.lanl.gov/ssh/ssh-howto.html.



This was first published in August 2005
