Ask the Expert

How to encrypt passwords using network security certificates

I need to write to the Event Viewer (Application) of a Domain Controller from a PC that is external to this domain. For now, I'm using a batch file -- but the user password is visible, and thus, is not secure. Can I use a certificate to do this securely? How?


First off, a certificate does not provide security by itself; the keys, and the protocols built on them, do. A certificate binds a public key to an identity (a host name, a service, a user) under a certificate authority's signature, and it is public by design. What it enables is for one system to verify who it is talking to and then to encrypt to, or agree a session key with, the holder of the matching private key, which is never shared. So two systems that use a certificate to talk do end up with the same session key, but they get there through a key exchange, not by sharing the certificate.

That said, there are a couple of ways to send usernames and passwords securely. At the network level you can use good old SSL (today TLS): the traffic between the two systems travels inside an encrypted tunnel, so the credentials never cross the wire in the clear. The end point presents its certificate to the initiating system, which checks that the certificate chains to a CA it trusts and that the name in it matches the host it meant to reach; the two sides then negotiate a session key known only to them. Keep in mind that this protects the password in transit only. It does nothing about the copy sitting in your batch file.

At the identity management level, you can use an authentication protocol such as Kerberos, or a federation protocol, to pass a session-based, time-limited token (a Kerberos service ticket, a federated security token) instead of the username and password themselves, so the destination never sees the password at all. But keep in mind that the source and destination must both support the method, or be able to have it added. Kerberos also presupposes that the source can obtain a ticket from the domain's KDC, which a PC outside the domain cannot do without first authenticating to it, so this option mostly applies when the PC is joined to the domain or to a domain that trusts it.

At the application level, it's possible to encrypt the entire payload under the destination's public key, taken from its PKI certificate, so that only the holder of the matching private key, the destination itself, can decrypt it before presenting it to the application. In practice this is done as hybrid encryption: the payload is encrypted with a fresh symmetric key, and only that key is encrypted with the public key, because RSA encryption is slow and a 2048-bit key can encrypt a message of at most a couple of hundred bytes. Whether you use network-, identity management- or application-level encryption, the private key used in the process must be protected and its use managed if you want to ensure the security of the content; the certificate itself is meant to be public, and protecting it buys nothing.
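The application-level option just described, as an added example that is not code from the original article: hybrid public-key encryption in PowerShell, using the .NET classes available in Windows PowerShell 5.1 (.NET Framework 4.6 or later) and PowerShell 7 on Windows. The key pair, the function names and the sample message are all constructed for the demonstration; in practice the PC would take the public key from the destination's certificate (for example with `$cert.GetRSAPublicKey()`), and the private key would never leave the destination.

```powershell
# Added example, not from the original article. Hybrid encryption: a fresh AES key
# protects the payload, an HMAC key protects its integrity, and only those two keys
# are encrypted (RSA-OAEP) under the recipient's public key. RSACng is the Windows
# CNG provider; all names below are illustrative.

function Test-FixedTimeEqual {
    param([byte[]]$A, [byte[]]$B)
    # Compare every byte regardless of where the first mismatch is, so the time
    # taken does not leak how much of the tag was correct.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Protect-Payload {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$RecipientPublicKey,
        [Parameter(Mandatory)][byte[]]$Plaintext
    )
    # Fresh symmetric keys per message: AES-256-CBC for confidentiality,
    # HMAC-SHA256 for integrity (encrypt-then-MAC). RSA alone cannot encrypt a
    # whole packet: OAEP-SHA256 with a 2048-bit key takes at most 190 bytes.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()
    $macKey = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($macKey)

    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $tag = [System.Security.Cryptography.HMACSHA256]::new($macKey).ComputeHash([byte[]]($aes.IV + $ciphertext))

    # Only the 64 bytes of symmetric key material go under the public key.
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    [pscustomobject]@{
        WrappedKeys = $RecipientPublicKey.Encrypt([byte[]]($aes.Key + $macKey), $oaep)
        IV          = $aes.IV
        Ciphertext  = $ciphertext
        Tag         = $tag
    }
}

function Unprotect-Payload {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$PrivateKey,
        [Parameter(Mandatory)]$Envelope
    )
    $oaep   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $keys   = $PrivateKey.Decrypt($Envelope.WrappedKeys, $oaep)   # only the private-key holder gets past this line
    $aesKey = [byte[]]$keys[0..31]
    $macKey = [byte[]]$keys[32..63]

    # Verify integrity before AES-CBC ever touches the ciphertext (padding-oracle hygiene).
    $expected = [System.Security.Cryptography.HMACSHA256]::new($macKey).ComputeHash([byte[]]($Envelope.IV + $Envelope.Ciphertext))
    if (-not (Test-FixedTimeEqual $expected $Envelope.Tag)) {
        throw 'Integrity check failed: envelope was altered or the wrong key was used'
    }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $aesKey; $aes.IV = $Envelope.IV
    $aes.CreateDecryptor().TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
}

# Demo: the DC's key pair (the private half stays on the DC); the PC holds only the public half.
$dcPrivate = [System.Security.Cryptography.RSACng]::new(2048)
$dcPublic  = [System.Security.Cryptography.RSACng]::new()
$dcPublic.ImportParameters($dcPrivate.ExportParameters($false))

$message   = [System.Text.Encoding]::UTF8.GetBytes('Backup job finished on EXTERNAL-PC')   # constructed sample
$envelope  = Protect-Payload -RecipientPublicKey $dcPublic -Plaintext $message
$recovered = [System.Text.Encoding]::UTF8.GetString([byte[]](Unprotect-Payload -PrivateKey $dcPrivate -Envelope $envelope))
$recovered

# Flipping one ciphertext bit is caught by the tag check, before any decryption happens.
$envelope.Ciphertext[0] = $envelope.Ciphertext[0] -bxor 1
try { Unprotect-Payload -PrivateKey $dcPrivate -Envelope $envelope } catch { $_.Exception.Message }
```

Note what the private key protects here: anyone with the certificate can build an envelope, but only the destination can open one, and the HMAC check runs before the AES decryption so a modified envelope is rejected without leaking padding information.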

Public keys and certificates can be published in an openly available repository, but private keys and symmetric keys should be issued through a key management tool according to a process that ensures they are securely distributed (out of band, over secure email, pulled from a Web service over an authenticated channel, etc.) and stored so that only the account that needs a key can read it. This may seem to trade the problem of protecting one data element (the username/password) for another, but managing a small set of keys is much less cumbersome than managing many credentials, and a key can be scoped to one machine and one purpose in a way a user's password cannot.
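As an added example that is not part of the original answer, here is what the asker's batch file can become so that no password is written into a script at all: the credential is stored once under DPAPI for the account that runs the job, and the session to the DC runs over TLS. It assumes Windows PowerShell 5.1 on both ends and hypothetical names (a domain controller `dc01.corp.example`, a service account `CORP\eventwriter`, an event source `ExternalPC` registered on the DC beforehand by an administrator with `New-EventLog -LogName Application -Source ExternalPC`), a WinRM HTTPS listener on the DC whose certificate the PC trusts, and that the service account is a member of the DC's Remote Management Users group rather than an administrator.

```powershell
# Added example, not from the original article. All host, account and source names
# are hypothetical.

# One-time setup, run interactively as the Windows account that will later run the
# scheduled job. Export-Clixml encrypts the SecureString with DPAPI under that user's
# profile on this machine, so the file is useless if copied to another user or host.
#   Get-Credential 'CORP\eventwriter' | Export-Clixml -Path "$env:USERPROFILE\eventwriter.cred.xml"

function Write-RemoteApplicationEvent {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$CredentialPath,
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Message,
        [ValidateRange(1, 65535)][int]$EventId = 1000,
        [ValidateSet('Information', 'Warning', 'Error')][string]$EntryType = 'Information'
    )

    # Decrypts only for the same user on the same machine; the script itself holds no secret.
    $cred = Import-Clixml -Path $CredentialPath

    # -UseSSL wraps the session in TLS: the PC validates the DC's certificate, and the
    # credentials (and everything after them) cross the wire encrypted. Over HTTPS the
    # client-side TrustedHosts list is not required. If the PC were domain-joined or in a
    # trusted domain, -Credential could be dropped and Kerberos would present a ticket instead.
    $session = New-PSSession -ComputerName $DomainController -Credential $cred -UseSSL -ErrorAction Stop
    try {
        # Writing to an already registered source needs no administrative rights on the DC;
        # registering a new source (New-EventLog) does, and is a one-time admin task.
        Invoke-Command -Session $session -ArgumentList $Source, $EventId, $EntryType, $Message -ScriptBlock {
            param($Source, $EventId, $EntryType, $Message)
            Write-EventLog -LogName Application -Source $Source -EventId $EventId `
                           -EntryType $EntryType -Message $Message
        }
    }
    finally {
        Remove-PSSession -Session $session
    }
}

# Scheduled-task entry point replacing the batch file.
Write-RemoteApplicationEvent -DomainController 'dc01.corp.example' `
    -CredentialPath "$env:USERPROFILE\eventwriter.cred.xml" `
    -Source 'ExternalPC' -EventId 1001 -Message 'Nightly export completed'
```

The credential file is bound by DPAPI to one user on one machine, the TLS session protects the credential in transit, and the account it unlocks should be limited to writing events. Letting a non-domain PC open a remoting session to a domain controller is itself a risk worth weighing: if the event only needs to be recorded somewhere, writing it to a member server's log keeps the DC's attack surface smaller.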


This was first published in November 2009
