0

I have a special environment which requires that I think about security a bit outside the box.

Components involved:

A web service which requests data from a gateway, processes it and sends it to web clients. A gateway service which queries the data from a database backend.

A PKI infrastructure does not exist.

The problem is how to make the communication between the web server and the gateway reasonably secure. Communication between the web server and the clients and between the gateway and the backend is out of scope.

Problem: the web service code must be considered insecure since it is written in plain-text PHP. The gateway service is written in a "compiled" language, so it would be possible (though not recommended ...) to store a reasonably obfuscated common secret inside.

What concepts exist for such a scenario to establish an authenticated and encrypted secure channel, preferably through SSL, assuming that all communication always originates at the web server?

(Someone already threw "Use OAuth" into the discussion, but I don't see the point, since I'd have to store the OAuth credentials/access tokens somewhere in PHP --> I don't see how this can resolve the problem.)

Nimral
  • 138
  • 5

1 Answer

0

You could set up a VPN, or even an SSH tunnel between the web service and the gateway. This is literally the entire point of a VPN - despite all the crappy sponsored ads. I don't see how OAuth would solve the problem.

You also wouldn't need to alter the application on either side since you're tunneling unencrypted data through an encrypted channel. The question is a little high level to suggest a specific solution but this seems the way to do it.

Journeyman Geek
  • 133,878
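Added example, not part of the original answer: if the SSH tunnel route is taken, the private key has to live on the web server the question treats as insecure, so the gateway should limit that key to port forwarding only. The script below audits an `authorized_keys` entry for that property. The listen address `127.0.0.1:8443`, the account `tunnel`, the host `gateway.example` and the key material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: audit the authorized_keys entry
# the gateway host holds for the web server's tunnel key.
# Assumed: gateway service on 127.0.0.1:8443; key material is a constructed placeholder.

# check_tunnel_key LINE TARGET: prints a verdict; returns 0 only when the key can
# do nothing but forward a port to TARGET. Option values with commas are not handled.
check_tunnel_key() {
    line=$1; target=$2
    case $line in
        ssh-*|ecdsa-*|sk-*) echo "FAIL: no options, key allows a full login"; return 1 ;;
    esac
    # Options are everything before the key-type field.
    opts=$(printf '%s\n' "$line" | sed -E 's/ (ssh-|ecdsa-|sk-)[^ ]+ .*$//')
    padded=",$opts,"
    case $padded in *,restrict,*) ;; *)
        echo "FAIL: 'restrict' missing"; return 1 ;; esac
    case $padded in *,port-forwarding,*) ;; *)
        echo "FAIL: 'port-forwarding' missing, tunnel cannot open"; return 1 ;; esac
    case $padded in *",permitopen=\"$target\","*) ;; *)
        echo "FAIL: no permitopen for $target"; return 1 ;; esac
    case $padded in *,command=\"*) ;; *)
        echo "FAIL: no forced command, remote commands still run"; return 1 ;; esac
    # Any permitopen besides the expected one widens the reachable targets.
    rest=$(printf '%s\n' "$padded" | sed "s/,permitopen=\"$target\"//")
    case $rest in *permitopen=*) echo "FAIL: extra permitopen entry"; return 1 ;; esac
    # Options that switch a restriction back on after 'restrict'.
    for o in pty agent-forwarding X11-forwarding user-rc; do
        case $padded in *",$o,"*) echo "FAIL: '$o' re-enabled"; return 1 ;; esac
    done
    echo "OK: forwarding to $target only"
}

# Constructed sample entries (the key blob is a placeholder, not a real key).
KEY='ssh-ed25519 AAAAC3PLACEHOLDERKEYMATERIAL webserver-tunnel'
GOOD="restrict,port-forwarding,permitopen=\"127.0.0.1:8443\",command=\"/bin/false\" $KEY"
OPEN="$KEY"
WIDE="restrict,port-forwarding,permitopen=\"127.0.0.1:8443\",permitopen=\"*:*\",command=\"/bin/false\" $KEY"

for entry in "$GOOD" "$OPEN" "$WIDE"; do
    check_tunnel_key "$entry" "127.0.0.1:8443" || true
done

# Matching client side on the web server (shown for reference, not executed):
#   ssh -N -i /path/to/tunnel_key -o ExitOnForwardFailure=yes \
#       -L 127.0.0.1:9443:127.0.0.1:8443 tunnel@gateway.example
```

With an entry like `GOOD`, a key copied off the web server can still reach the gateway port through the tunnel, but it cannot open a shell or forward to other hosts.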