Re: Web Services Security

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 08/06/05


Date: Sat, 06 Aug 2005 00:53:05 -0700

Hello Brent,

You have two options for authentication:

a) use a password/SSL based approach
b) use WS-Security

a) Not a bad approach at all - you rely on transport security - you get server
authentication out of the box (after all, that is the machine your clients
are sending the credentials to) - yes, you have an SSL overhead, but to be
honest, this overhead is totally comparable to implementing encryption yourself.
But SSL is a proven and tested mechanism. As a side note - network traffic
gets slightly smaller with SSL because the protocol already includes compression.
For really high-volume sites, where you might think SSL sucks too much CPU
power, IIS6 supports crypto hardware to speed up the math. This requires
that your users have Windows accounts.

b) Another option - supports auth/encryption/signatures over an unsecured
transport. Supports several types of authentication mechanisms - password/certificate
or Kerberos based. Can be used to authenticate against a database.

I wouldn't go for a cookie based approach, because a) this is not normal
web service behaviour, and b) if not using SSL, the cookie is transported in the clear,
open to replay/hijacking attacks.

Both approaches are valid. I urge you not to implement your own authentication
scheme. Take what others have done for you (and what is already tested by a lot
of people).

You may want to have a look at the WSE2 library from Microsoft; this gives
you WS-Security support.

General notes:

DataSets are .NET only - if you ever need to support non-.NET clients, you
will have a hard time. Generally, don't use datatypes that cannot be expressed
in the WSDL file. If you go for DataSets, you should use strongly typed ones
(this will give clients the schema of the data at proxy generation time).
If this is a concern, consider packaging the data in a different data structure
(like an array of objects).

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
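
Option b) above authenticates over an unsecured transport because the password never travels in the clear: the WS-Security UsernameToken Profile sends Base64(SHA-1(nonce + created + password)) together with the nonce and the creation timestamp, and the server recomputes the digest from its own copy of the password. The following is an added example, not code from the post or from WSE2 (whose hashed-password option implements this profile); it builds the token fields on the client side and verifies them on the server side, rejecting stale and replayed tokens. `lookup_password` and the `users` dictionary are hypothetical stand-ins for the database lookup the reply mentions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime form used in wsu:Created

def make_username_token(username, password, nonce=None, created=None):
    """Client side: the fields of a wsse:UsernameToken with a PasswordDigest.
    Digest = Base64(SHA-1(nonce + created + password)) over the raw nonce bytes."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": base64.b64encode(digest).decode()}

class UsernameTokenVerifier:
    """Server side: the equivalent of a token manager that looks the user's
    password up (e.g. in a database) and recomputes the digest."""
    def __init__(self, lookup_password, max_skew=timedelta(minutes=5)):
        self.lookup_password = lookup_password  # hypothetical callback: username -> password or None
        self.max_skew = max_skew                # how far Created may drift from the server clock
        self.seen_nonces = set()                # replay cache; expire entries older than max_skew in practice

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False  # stale (or future-dated) token: refuse even if the digest is right
        if token["Nonce"] in self.seen_nonces:
            return False  # same nonce seen before within the window: a replayed token
        password = self.lookup_password(token["Username"])
        if password is None:
            return False  # unknown user
        nonce = base64.b64decode(token["Nonce"])
        expected = hashlib.sha1(nonce + token["Created"].encode() + password.encode()).digest()
        if not hmac.compare_digest(base64.b64encode(expected).decode(), token["PasswordDigest"]):
            return False  # wrong password or tampered token
        self.seen_nonces.add(token["Nonce"])
        return True

if __name__ == "__main__":
    users = {"brent": "s3cret"}  # constructed sample user store
    verifier = UsernameTokenVerifier(users.get)
    token = make_username_token("brent", "s3cret")
    print("first use:", verifier.verify(token))  # True
    print("replay:   ", verifier.verify(token))  # False
```

Note that the digest check needs the password itself (or a password-equivalent the client also uses), not a one-way hash of it, so a store of hashed passwords only combines with the plaintext-password option, which then needs SSL underneath.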

> Hi everyone, I'm about to start to design an application where security
> will be a must. I am starting to develop a web service that will be
> used for WinForms applications either from the local LAN or from the
> internet. Also, I might use the same thing in an ASP.NET web site. I
> will pass a DataSet to the client from the web service where they can
> modify the data and send the DataSet back to the server for
> inserts/updates/deletes. I might also add some methods that allow you
> to return just one entry from the database instead of everything.
> Also, allow you to update one entry without sending the entire DataSet
> back over the line. I am probably going to use the cryptography
> functions along with TripleDES to encrypt everything. I don't think it
> will be too bad. How do I handle authentication since there will be no
> state? When the user enters the application they will be prompted for
> a password. This will check their password compared to a hash that I
> will store in the DB. Ok, everything is fine and dandy, but now how do
> I make sure they are authenticated before they call any methods on the
> web service? I don't want any unauthenticated users calling this web
> service. Do I need to pass their password every time? I know I could
> probably use SSL, but I don't want the overhead of SSL if it's
> preventable.
>
> On a side note, I contemplated using HTTP based remoting instead of
> web services, but I already have IIS running on my server and I don't
> want to have to open another port on my firewall for the remoting
> piece. I wanted to still be able to use port 80.
>
> I guess my main question was about the authentication part, but does
> anyone see any other flaws in my design?
>
> Thanks,
> Brent
