Persisting web service passwords
I'm not a security guy so any help on this would be greatly appreciated.
I have a large number of third-party field devices that have remote methods that can be called across xml-rpc using ssl. For each method call, a username and password must be transmitted in plain text as parameters along with any other method parameters. I have no control over the devices or their implementation.
I'm currently writing a web application that a user would log into and then have access to some numbe开发者_开发问答r of those field devices. The user doesn't need to know what devices they are connecting to, they just need the data. As such, I need to persist the username and password for each device in a database where they can be retrieved when an rpc call needs to be made.
How do I encrypt my device service passwords so that they can be decrypted when a call needs to be made? How do I decrypt the password when a call needs to be made?
I'm using Java and Spring for the application.
Note, I am not asking how to persist the user's login password.
If I have this right, there is only one username/pswd per field device (though each is different and there are many field devices).
Build a secure proxy service with access to all device passwords. The device passwords can be stored encrypted with proxy service's public key. Your web app presents user key to proxy service which (assuming satisfied) talks to field devices on their behalf. CryptoApi or one of its wrappers should be all you need.
You don't comment on numbers, but given proxy would be stateless, it should scale ok.
We solved similar problems with this code.
You would use the password the users log into your web application with as key when encrypting the usernames and passwords for the other services.
精彩评论