Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
- From: John K <KTJ@xxxxxxxxxxxxxxxxx>
- Date: Wed, 18 Oct 2006 14:05:01 -0700
How do I perform mutual authentication; in particular, how can my application
verify it is talking to the right server before it tries to log into the web
service? Is this done with certificates (private on server and public
version of it on client)? I already have an SSL certificate from Verisign
for the server. Do I generate a "public" certificate based on that server
(private) certificate and then distribute it with the app, and then the app
verifies the certificates are for the same server? Is there an article with
an example on how to do this? I want to make sure I don't talk to a malicious
server and give it the password without first verifying it is a valid server.
Remember that my application needs the ability to change what server it
points to.
--
Thank you.
"Dominick Baier" wrote:
If the other endpoint has a trusted and valid SSL certificate, he would see
the data in cleartext.
But if you let customers change the endpoint address they must also be able
to change the server certificate for mutual authentication, so I don't see
a real advantage in using additional message security - and you are in the
same situation as with transport security.
Make sure that only authorized people (e.g. an admin) can change URIs on
the client.
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
The web address my PC client program goes to for the web services is
editable by the user. This is in case the customer wants to host the
server side components on their own server. Thus they need the
ability to change the address. Thus, some malicious user could change
the address to some other server with an SSL certificate. Then an
unknowing, authorized user could attempt to log into the web site with
the PC client program, thinking it's the correct one since they don't
know someone changed it (i.e. like a physical keystroke logger
hardware). The PC client program would then go to authorize,
unfortunately to the wrong server; would the malicious server then see the
user's password if I only use usernameOverTransportSecurity? I would
think the PC client would send the password unencrypted, but I am not
sure if it is still encrypted with that setting.
"Dominick Baier" wrote:
SSL is not prone to MITM attacks. You don't need additional message
based security.
SSL also does server authentication by default. Before you send data,
the client checks the server certificate which has to be trusted and
the common name must match the DNS name portion of the URL.
http://www.google.com/search?q=how+does+ssl+work&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
Hello.
I plan on upgrading my .NET 2.0 web service to use WSE 3.0. I am
using my web service over SSL and the PC client application accesses
the web service directly (no middle man server(s)). I will be
adding the UserNameToken option to authenticate the user to the web
service. I am considering adding "usernameForCertificateSecurity"
for additional security, even though I am also using SSL. I am
concerned about "man in the middle" attacks for both the password
and data being sent back and forth. How do I decide if SSL is
sufficient? Is the password sent in an encrypted format if I only
use "usernameOverTransportSecurity"? Is it possible for someone to
find out the password that the PC sends for authentication to the
web service if I only use "usernameOverTransportSecurity"? If it
is possible to see someone's password, what's a good way to verify
the PC application is "talking" to a valid server before it tries to
authenticate by sending the user ID/Password?
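One way to do the server check asked about above, as an added example that is not code from anyone in this thread: a .NET 2.0-era client that keeps SSL's built-in checks (trusted chain, host name matching the URL) and additionally pins the thumbprint of the server certificate that an admin configured next to the editable service URL. Because the check runs during the SSL handshake, a mismatch fails the connection before any UsernameToken leaves the client; the URL, thumbprint and class name below are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: server certificate pinning for a .NET 2.0 / WSE 3.0 client.
// WSE proxies send SOAP over HttpWebRequest, so this global callback covers them.
static class PinnedServiceClient
{
    // Hypothetical settings: read both from a config file only an admin can edit,
    // so whoever can change the URL must also be able to change the pin.
    static readonly string ServiceUrl = "https://service.example.invalid/Service.asmx";
    static readonly string ExpectedThumbprint = "PLACEHOLDER_SHA1_THUMBPRINT_HEX";

    static bool ValidateServerCertificate(object sender, X509Certificate cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        // Never relax the built-in checks: an untrusted chain or a name mismatch
        // between the certificate and the URL's host is rejected outright.
        if (errors != SslPolicyErrors.None)
            return false;

        // Pin: the presented certificate must be the one the admin configured.
        // A different server with its own valid certificate fails this check.
        string presented = new X509Certificate2(cert).Thumbprint;
        return string.Equals(presented, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        try
        {
            // The handshake (and therefore the pin check) completes before the
            // request body, and so before any credentials, is transmitted.
            using (WebResponse resp = req.GetResponse())
                Console.WriteLine("Server verified: " + resp.ResponseUri);
        }
        catch (WebException ex)
        {
            // TrustFailure: chain, host name or pin did not match. Send no credentials.
            Console.WriteLine("Refusing to authenticate: " + ex.Status + " " + ex.Message);
        }
    }
}
```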