Agent Authentication

Topics: Development
Jun 21, 2007 at 2:43 AM
Edited Jun 25, 2007 at 2:44 AM
One of the security issues we've encountered so far is how to authenticate in a reliable way the Agent accessing the service.

The way we've decided on is by far the least secure one: using application passwords.

Right now, the way that the agent will authenticate in the service is by passing the Application GUID and its password hash when the authentication with the service occurs. The problem is that the user of an application using Digital Fortress may have access to this data (say, a Windows.Forms app that you'd like to distribute) and through simple mechanisms can obtain the application GUID and password, thus compromising security.

Several other choices have been given thought, but none seem to offer a REAL level of protection to the user (both you and the user of your application consuming Digital Fortress services).

So we are asking for thoughts on how to solve this from the community. If you have any experience that might help us, please answer this post.

Bernardo Heynemann
Digital Fortress Coordinator
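
The scheme described in the post above, modeled as an added example that is not part of the original post and is not Digital Fortress code: the service checks only the Application GUID and password hash, so the two values a distributed client carries are themselves the credential. The class and method names and the use of SHA-256 are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical model of the described scheme; AgentAuthService, Register and
// Authenticate are assumed names, not Digital Fortress APIs.
public sealed class AgentAuthService
{
    // Application GUID -> stored password hash (SHA-256 is an assumption).
    private readonly Dictionary<Guid, byte[]> _apps = new Dictionary<Guid, byte[]>();

    public static byte[] HashPassword(string password)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(password));
    }

    public void Register(Guid appId, string password) { _apps[appId] = HashPassword(password); }

    // The agent presents exactly what the post describes: GUID + password hash.
    public bool Authenticate(Guid appId, byte[] presentedHash)
    {
        byte[] stored;
        if (presentedHash == null || !_apps.TryGetValue(appId, out stored)) return false;
        if (stored.Length != presentedHash.Length) return false;
        int diff = 0; // compare without returning early on the first mismatching byte
        for (int i = 0; i < stored.Length; i++) diff |= stored[i] ^ presentedHash[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var service = new AgentAuthService();
        Guid appId = Guid.NewGuid(); // constructed sample value
        service.Register(appId, "constructed-sample-password");

        // What the distributed client has to carry in order to authenticate.
        byte[] shipped = AgentAuthService.HashPassword("constructed-sample-password");
        // A byte-for-byte copy of those values, held by any other process.
        byte[] copied = (byte[])shipped.Clone();

        Console.WriteLine("shipped agent: " + service.Authenticate(appId, shipped));
        Console.WriteLine("copied values: " + service.Authenticate(appId, copied));
        Console.WriteLine("wrong hash:    " + service.Authenticate(appId, new byte[32]));
    }
}
```

The service has no input that distinguishes the shipped agent from a copy of its stored values, and hashing the password does not change that, because the hash is what gets presented.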