Is remote DB mobilink username and password passed to server for authentication is passed in plain-text or encrypted form?

I have a consolidated DB and remote DBs. Not sure how the mobilink authentication works. Please help me in pointing to a link or document for this.

Password is an optional field while creating the mobilink username.So if password is no given, then only username is used for authentication and that too in plain text?

Thanks in advance.

asked 09 Aug '11, 13:39

Vineet's gravatar image

Vineet
1405814
accept rate: 25%


If you encrypt your network traffic, using HTTPS or encrypted TCP/IP), then the password is encrypted, too. This is the only way to ensure the security of your sync traffic, which includes the MobiLink username and password. Without encryption, the username is in cleartext and the password is merely obfuscated.

See: http://dcx.sybase.com/index.html#1201/en/mlclient/mc-users.html*d5e265 for details on MobiLink users and authentication.

If you don't specify a password when creating a user in Sybase Central, then you will need to specify either a NULL password or the empty string. How you specify this depends on your MobiLink client. Sorry I'm not sure which one it is (NULL or empty string) but it will be one or the other. :-)

permanent link

answered 09 Aug '11, 14:23

RussC_FromSAP's gravatar image

RussC_FromSAP
1.3k11030
accept rate: 20%

Just to add on this, if mobilink user hasn't supplied any password, then this will be added as NULL automatically in ml_user table.

(10 Aug '11, 03:10) Vineet

All communication is done over TCP to the MobiLink server. The TCP protocol used can be direct point-to-point TCP, or over HTTP.

TCP communications are unencrypted, by default. Similar to the database server, the initial MobiLink login packet information is obfuscated, but this obfuscation can potentially be reverse engineered. (Meaning that it is essentially always considered 'plain text', but is slightly harder to humanly read with a packet sniffer - this does not preclude the possibility of a MITM/replay attack though!)

The way to guarantee encrypted communications is to use a secure protocol such as HTTPS or TLS. Setting up secure communications involves first creating/purchasing X.509 PKI Certificates.

permanent link

answered 09 Aug '11, 14:49

Jeff%20Albion's gravatar image

Jeff Albion
10.7k171174
accept rate: 24%

I doubt we document that when the recommended way to protect passwords is to strongly encrypt your network traffic.

FWIW I just looked at the code for v12 and the obfuscation is there.

permanent link

answered 10 Aug '11, 09:52

RussC_FromSAP's gravatar image

RussC_FromSAP
1.3k11030
accept rate: 20%

Thanks Russ and Jeff for your inputs.

Now, I understand that authentication data is obfuscated during transmission to server. Can you please point me to some doc or article to support this statement.

I was not able to find this in the link given by Russ.

permanent link

answered 10 Aug '11, 06:30

Vineet's gravatar image

Vineet
1405814
accept rate: 25%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×270
×98

question asked: 09 Aug '11, 13:39

question was seen: 1,093 times

last updated: 10 Aug '11, 09:52